More connectivity means more attack surfaces for cybercriminals.
So, as vehicles continue their rapid evolution toward rolling, four-wheeled connected devices, there is a growing call for automakers, their Tier 1 and Tier 2 suppliers and other stakeholders to more seriously consider deep integration of security measures to ensure over-the-air (OTA) software updates remain secure from malicious actors.
Beyond the exact security specifications and approaches to securing vehicles, the industry is being urged to adopt a more cohesive strategy towards cyber-security in self-updating vehicles. That’s the perspective of Jeff Davis, BlackBerry’s senior director of government affairs and public policy, who said the auto industry is still lagging behind other sectors in understanding that the security threat to connected vehicles is not a looming issue but one that needs to be addressed here and now.
“There is no perfect engineering solution for cyber-security because it changes faster than the updates can change,” he noted. “In automotive, it seems, we have a tough time accepting that reality.” Davis said some automakers appear to be tackling the subject of security vulnerabilities more seriously than others, which can be shown by their willingness to partner with software security specialists, for example.
“Those who are doing well are making it a part of their product development, as an issue that begins with the supply chain, and into where the user interface is,” he said. “Those automakers are looking at everything from the chip level through the software level all the way up to where it gets to the consumer and their ability to control whether or not they take an update, ensuring there’s an authentication process going into the update, so you’re not just getting an update from a man-in-the-middle source.”
Davis explained it’s possible to tell “very quickly” from the effort they’ve put in, because it’s evident in the way they’re developing the car. “As you start to see more electronics put in there, when we get our first real incident of people stealing info from an automobile, or people injecting viruses into a car, you will see consumers get nervous and OEMs respond in kind,” he said.
Davis said the biggest change the industry needs to make is a move towards broader partnerships to foster a culture where zero-trust architecture is the standard. That means everyone in the network is constantly being authenticated, and every signal sent between vehicles, or from a roadside point to a vehicle, must be authenticated.
“The other issue is protection on the endpoint – utilizing the tools that are available out there, including machine learning, or artificial intelligence engines to create a malware checkpoint on the endpoint itself,” he said. “Work those security partnerships into the development of the vehicle, so that security is part of the development and OEMs are testing software vulnerabilities as the vehicle is being developed.”
Niranjan Manohar, research director of connectivity and automotive IoT, mobility for Frost & Sullivan, also noted most vehicles are still built around the functionality of individual components rather than as a cohesive system, which creates security risks and makes an OTA update difficult to execute. “OEMs are still ramping up the infrastructure to update millions of vehicles at a time; this will require partnership with various cloud infrastructure companies to set up databases as well as MNOs to provide the associated support,” he said.
Among the key threat vectors are in-vehicle weak points like ports, the ECU, Ethernet connections, physical interfaces, wireless interfaces and DSRC, the telematics system, and cloud services and apps ranging from V2V and V2I to GPS and infotainment, as well as keyless entry and built-in sensors. “By 2025, cloud connectivity, wireless update services, operating system, and external communication channels like V2X and V2I will be the most vulnerable points with increasing connectivity features in connected vehicles,” Manohar said.
He noted that, on average, carmakers only allot 2%-3% of their overall research and development budget for security innovations and said they are largely dependent on Tier 1 partnerships for cyber-security and delivering OTA, taking on risk by placing trust primarily in collaborators and third parties. However, this cyber-security investment is expected to grow to 8%-10% of overall budgets by 2025 as automakers develop their own security platforms.
“Not only do software developers need to ensure their technology is automotive grade, but they also need to fit into the automotive clock-speed,” Manohar said. “That means the systems developed today must work seamlessly with the vehicles that roll off the production line six or seven years down the line.”
He believes a managed services model bundled with end-to-end cyber-security services will become increasingly popular, with one-stop solution packages, reduced costs and decreased implementation overhead among the key benefits. “In addition, with increasing Ethernet adoption by OEMs, Ethernet security will emerge as a key service differentiator for Tier-1 suppliers in the coming years,” Manohar said.
Hardware defense in and around ECUs, OS-based protection, cloud security, anti-sensor spoofing and message encryption will also become the key layers for smart-car cyber-security, as carmakers’ focus shifts from traditional methods to a multi-layered security approach.