The automotive industry is rapidly evolving to transform the car from a simple mode of transport to a personalized information hub: There will be an estimated 220 million connected cars on the road globally by 2020. Each of those cars will be equipped with more than 200 sensors, more than double the number of sensors in connected cars on the road today.
New features and capabilities get added every year, improving comfort, convenience, safety and efficiency — but also growing is the amount of data cars generate, process, exchange and store. Connected cars provide benefits such as better traffic flow, improved fuel economy and better infotainment consoles. But at the same time, the number of attack vectors increases, which potentially leaves personal, financial and vehicle information vulnerable, making the connected car attractive to hackers.
Already we’ve seen security researchers demonstrate attacks, and have seen hacks on Chryslers, Jeep Cherokees and Volkswagens. These demonstrations and hacks are leaving consumers and lawmakers, as well as cybersecurity and privacy experts, concerned.
As the market for connected cars is expected to grow at a five-year compound annual growth rate of 45 percent, standardized frameworks are necessary to provide customers assurance that a car’s security attributes can be trusted and that the customer’s security needs are protected.
Discussions have commenced, such as in July when Senators Ed Markey and Richard Blumenthal detailed plans to introduce new legislation called the Security and Privacy in Your Car Act of 2015 (SPY Car Act). The SPY Car Act should ensure that cars sold in the U.S. meet certain standards of protection against digital attacks and restrict what data is collected by vehicles. These standards should be developed by the National Highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission (FTC). The legislation also recommends auto manufacturers be fined up to $100,000 in civil penalties for each violation of unauthorized access to data in connected cars.
Additionally, technology organizations are joining the fight. Intel, for example, created the Automotive Security Review Board to conduct security audits and tests of its automotive hardware platform and offer design recommendations. Lastly, the Fast Identity Online (FIDO) Alliance has made efforts to improve interoperability among strong authentication devices, which was originally created to help Google resolve enterprise security issues. But over time, there was value realized for the automotive industry. Efforts by FIDO anonymizes Internet users via physical possessions and protects their digital identities.
The connected car is a complex IT system on wheels.
System performance and reliability has had (and will always have) high attention from vehicle manufacturers, with a strong focus on safety hazards. Cybersecurity threats, however, represent a largely unexplored field for the automotive industry.
But like safety, security is a quality aspect — threats of either type can have a negative impact on the reliability and safety of the connected car. By adding wireless interfaces to their cars and connecting their vehicles to external networks, manufacturers are all of a sudden confronted with new threats that stem from an uncontrolled and evolving environment.
The fact that one can remotely access in-vehicle systems also implies that these systems face security threats coming from the outside world. And thus, there is a risk that these systems can be hacked and that data contained therein can be stolen. This poses a threat to the reliability and safety of the car — the hacker can potentially take control of the car — as well as to the privacy of the driver — vehicle data can be used to build a profile of car owners.
Law enforcement have used bait cars to draw out would-be thieves, then remotely lock and disable the car before arresting them. What if bad guys could take over cars and remotely initiate the brakes on a car traveling at high speeds on the freeway? This not only impacts data, but the safety of drivers and passengers. Beyond just cars for personal use, cars being operated by companies like Uber and other car services are impacted.
Today, the ISO 26262 standard addresses systematic failures and random hardware failures. Such safety hazards are quite predictable — systematic failures are deterministic and random hardware failure rates can be predicted with reasonable accuracy — and the nature of the hazards will not change over time. Furthermore, the likelihood that multiple failures occur simultaneously is considered to be rather unlikely in safety engineering.
Cybersecurity threats, on the other hand, are generally less predictable, and they also will change over time. Furthermore, hackers do not hesitate to manipulate various parts of a system simultaneously if that increases the chance of a successful attack. As a consequence, security threats are not necessarily covered within a safety framework such as ISO 26262.
Security must become part of the entire life cycle of the vehicle.
Cybersecurity frameworks are fairly new to the automotive industry and it will likely take some time, as was the case with functional safety, before they are widely embraced. To successfully protect connected cars from cyberattacks, a paradigm shift is needed in automotive vehicle design: Security must become part of the entire life cycle of the vehicle. It needs to become an integral part of the design process, as opposed to an afterthought, because security is only as strong as the weakest link.
It is good practice to apply a defense-in-depth strategy, using multiple security techniques to mitigate the risk of one component of the defense being compromised or circumvented. This calls for security-by-design and privacy-by-design, which may also have a significant impact on the architecture and the in-vehicle electronics. Furthermore, the security architecture requires regular maintenance.
In addition, standardization is needed. On the process side, one can think of standardized life-cycle management, from development to deployment to maintenance. Something based on or comparable to Common Criteria could form the basis for such a framework, but automotive-specific adaptations may be needed, as was also the case for ISO 26262 (which was derived from a generic safety standard, IEC 61508).
But technical specifications also are a must-have. It’s not uncommon for straightforward mistakes to be made in security architectures and implementations. A seamless integration of features like secure boot and secure communication into a well-reviewed specification like the AUTOSAR software stack is therefore highly beneficial.
The standardization bodies are currently taking initial steps to create such standards. For example, the SAE Vehicle Electrical System Security Committee is working on a cybersecurity guidebook (J3061) and requirements for hardware-protected security (J3101), and ISO’s TC22 plans to identify the need for communication channels between functional safety and cybersecurity in ISO 26262 Edition 2.
The connected car is a complex IT system on wheels, consisting of many electronic control units (ECU) that are linked together via the in-vehicle network. To secure all of this, an integral approach is needed, where countermeasures are applied at all levels. While standardization efforts have commenced, we’ve only scratched the surface — all the more reason there should be a sense of urgency to get security and privacy standardized and adopted.