Interview
Automotive cyber-security not just an afterthought…
Paul Wooderson Senior Functional Safety/Cyber Security Engineer
HORIBA MIRA
Q
Is security a high enough priority matter for organizations working in connected & autonomous cars? the last few years we have A In seen automotive cyber security move from a relatively low key research topic to a high profile and high priority issue for the automotive industry. The rapid increase in electronic systems and connectivity in vehicles means that security is a new technical and business concern to many parts of the automotive industry that were not previously used to dealing with it. Many organisations have put in place internal structures and continue to develop processes for cyber security of their products. However, long vehicle development life cycles of several years mean that the results of increased prioritisation of security will not always be seen immediately. Should we pay attention to Q the media-hyped hack demos? demos certainly highlight A Media the potential impacts of cyberattacks, although it is important to look beyond any hype to establish the real risks at hand. The industry should concentrate on developing and applying rigorous engineering processes which allow cyber security to be built in from an early stage. A structured approach of identifying threats, assessing and prioritising risks, specifying PG.20 | Smart Automotive | May - June 2016
and managing requirements, and implementing and testing them with appropriate levels of rigour is necessary. This will allow manufacturers to build in the right level of security at the right cost. Security is a moving target and new attack techniques are continually being discovered. Therefore the engineering effort needs to be backed up by continuous R&D into new attack techniques and novel technical solutions to them. One way this can be achieved is through close research partnerships between industry and academia. your opinion, which connected Q In vehicle entry points are most vulnerable to breaches and why? connected vehicle presents A The many potential entry points to an attacker. For example, modern infotainment systems include multiple wireless external connections such as Wi-Fi,cellular and Bluetooth,which present the obvious risks of remote attacks from outside the vehicle. In addition today’s infotainment systems are increasingly built on platforms running feature rich operating systems. These platforms can be particularly susceptible to security vulnerabilities due to their complexity and the fact that they tend to be made up of a variety of hardware and software components from different vendors. Many of these technologies are already familiar from the IT world and as such suffer from similar known vulnerabilities to their IT counterparts. When these systems are also connected to in-vehicle networks, an attacker who gains access to the infotainment system may be able to “pivot” to other systems in order to compromise a safety-critical function such as steering or brakes. you agree that the Q Do automotive industry needs to take a proactive or “security by design” approach instead of “reactive” to fend off hackers?
A proactive security by design approach should of course be the ultimate aim for new developments. Due to long vehicle development life cycles and vehicle lifetimes, a tailored approach may be required to resolve issues for vehicles currently under development and those out on the roads. will the security scenario Q How change when new trends like car-to-home connectivity/car-toinfrastructure (V2X) will become ubiquitous? These new external connections A mean that the vehicle will become part of a much larger ecosystem together with other vehicles, transport infrastructure, mobile networks and more. It is therefore important to consider the threats posed by these other networks to the vehicle, and by the vehicle to the other networks. One may ask who is responsible for security in this scenario, but in reality the whole ecosystem must play its part, and different industries must work together to address the different threats. In the area of V2X, work has been ongoing for several years to address security through industry consortia and standardisation bodies such as IEEE and ETSI. However the picture is changing rapidly with new communications technologies and associated security issues coming into play, and these groups continue to improve security specifications and standards. People often correlate Q cybersecurity with data privacy issues. How should automakers be dealing with both the problems? and security are partially A Privacy overlapping domains. On the one hand, privacy should be considered a part of security, since compromise to privacy is often a consequence and indeed a target of a cyber-attack. There are some additional aspects to take into account with privacy, such as protection
A
www.telematicswire.net
