Cybersecurity For Connected Cars

Imagine that sometime in the future, you get into your connected car to go to an urgent meeting. However, as soon as you turn on the ignition key, you suddenly receive a pop up on the car infotainment system, from a hacker that says that he has access to all your car controls as well as your private data, and will also disable your braking system during the drive if a ransom is not paid immediately. Understanding the gravity of the situation, you start cursing the car manufacturer and the security company, vowing never to buy a product from them ever again. Welcome to the future, and the challenges that await car users, OEMs and technology players…

Connected Car – Opportunities As Well As Risks

The advent of connected and autonomous cars opens up a host of benefits to the vehicle user, whether it is in terms of convenience, navigation or entertainment. This evolution is expected to, and is in fact, already disrupting the automotive value chain and creating a number of opportunities for a wide variety of players. According to Gartner, there are expected to be 250 million connected vehicles on the roads globally by 2020, representing a combined market value of $150 billion.

However, growing safety challenges are also expected, related to hacking of car systems and controls, as well as user private data.

What I really worry about in terms of car hacking is large-scale hacks either from criminal and terrorist organizations or from nation state type hacks. Those have the potential to really devastate us in the future, and the reality is if we want to prevent those types of long-term attacks we need to put into place the right foundation today.
- BlackBerry Chief Security Officer Alex Manea
— https://www.gearbrain.com/connected-car-cyber-security-threat-2544062809.html

(Blackberry has launched a cybersecurity software Jarvis aimed at protecting driverless cars.)

I think one of the biggest concern for autonomous vehicles is somebody achieving a fleet-wide hack.
- Tesla CEO Elon Musk
— https://stocknews.com/news/tsla-tesla-inc-tsla-avoiding-fleet-wide-hack-is-top-concern/

A Huge Cybersecurity Challenge

Currently, the automotive industry standards lack sufficient coverage for the breadth of cybersecurity risks faced by connected cars and autonomous vehicles (AVs) and scholars highlight the need for a solid foundation of security, privacy, and trust to fully take advantage of innovations in connected and self-driving vehicles, which would require the collaboration between a diverse group of stakeholders to ensure both the physical and cyber safety of AV users.
- Hazel Si Min Lim (Research Assistant) and Araz Taeihagh (Professor of Public Policy at Lee Kuan Yew School of Public Policy, NUS)
— http://www.mdpi.com/1996-1073/11/5/1062/htm

Connected cars offer a number of break-in opportunities for hackers, both through their in-car functional software and the network used for making the connection. This provides hackers the potential to steal user personal data from in-car apps, control the vital navigation and braking systems of the car, and even break-into OEM and supplier IT systems.

Compounding the security challenge are the following aspects:

  • Contemporary premium cars contain more than 100 million lines of software code, which is greater than those found even in high tech jets and space shuttles. This complexity will only increase in the future, providing hackers even more chances of finding loopholes which can be easily exploited.
  • The number of nodes/external entities that a car can connect to will also continue increasing with the passage of time, thus increasing the percentage of vulnerable nodes from where hackers can get in.
  • The fact that these cars are assembled from disparate systems offered by different suppliers, possibly with individual system securities, but no integrating security systems is another major challenge. Weaknesses at the point of interconnection between different systems will likely become the focal point of attack by hackers in the future.
  • The automotive industry is slow moving, and cannot be called technology-advanced by any stretch of imagination. Auto OEMs are themselves perceived as technology deficient, let alone their supply chain partners.

Likely Solutions

According to McKinsey, automotive industry players, particularly the OEMs, can meet these security challenges by taking care of lifecycle component and ecosystem level aspects.

  • Lifecycle Components i.e. design, development and maintenance and response architecture: This includes designing the product initially with security in mind, and with no resort to “quick fixes,” “penetration tests” etc. The car design needs to be “cyber security native,” and consistently implemented with a quality controlled process through a strong and managed development process with strict development guidelines. Also, proactive, predictive maintenance via over-the-air (OTA) updates are a “must have” for any connected system.
  • Ecosystem – i.e. OEM-supplier alliances, end users, and government agencies: This includes establishing cooperation with the regulatory bodies, and the end-users. OEMs need to establish alliances for open sharing of threat intelligence and vulnerabilities both internally among OEMs and suppliers and externally with relevant entities (e.g., regulatory bodies, media). They also need to increase user awareness, provide inputs and engage in a continued collaborative discussion with regulators.

Trend Micro believes that meeting this challenge requires creating layers of protection and multiple security checkpoints across aspects such as threat intelligence, hardware security, software security, network security and cloud security.

Another aspect to be kept in mind is not to focus only on cybersecurity, which only focuses on cyber-assets, but on digital security, which is a super-set of cybersecurity.

Digital security is the convergence of IT, IoT, operational technology (OT) and physical security management domains —the result of digital transformation in organizations where initiatives require cyber-physical security.
- Gartner’s Hype Cycle for Connected Vehicles and Smart Mobility, 2018
— https://www.gartner.com/doc/3883166/hype-cycle-connected-vehicles-smart

To counter this, organizations need to develop a direct digital risk management program and mindset, implement appropriate training and ownership and apply changes to its strategic cybersecurity planning, architecture and program management. Digital security is currently at the peak of ‘Gartner’s Hype Cycle for Connected Vehicles and Smart Mobility, 2018.’

 https://www.gartner.com/doc/3883166/hype-cycle-connected-vehicles-smart

https://www.gartner.com/doc/3883166/hype-cycle-connected-vehicles-smart

The potential adversaries that we see are hacktivists, criminals, the nation state, but they haven’t taken a focus on our ecosystem yet. But we all know it’s a matter of when, and not if.
- Jeff Massimilla, Vice President of global vehicle safety and product cybersecurity at General Motors
— https://www.securitynow.com/mobile/author.asp?section_id=654&doc_id=736709

Proactive Players

There are some industry companies and industry bodies who have been proactive, and already a step ahead of their peers when it comes to making efforts related to safety of connected cars. Some examples include:

  • Tesla has a dedicated 40+ team for finding cybersecurity issues in its cars. The company has made many security provisions in its cars including creating an “override authority” and specialized encryption so that no hacker can take control of its car’s power-train or braking systems. The company has been a pioneer in sending OTA security updates to its users –it uses a continuous deployment method, sending firmware updates for operational controls and safety-critical functions. The company has also created a cash rewards program for security researchers who can find bugs in the car’s software.
  • GM collaborates with various external experts and has a team of about 85 working on its connected car security ecosystem. This team includes a red team of ten people, who are certified ethical hackers. The company also has private bug bounty programs.
  • Fiat has also created a bug bounty program and offers between $150 to $1,500 for finding a bug in its car’s software. The company recently placed an advertisement for recruiting a “Global Lead for Connected Vehicle and Application Security” to enhance its car safety aspects further.
  • NHTSA or ‘The National Highway Traffic Safety Administration’ based in the US “collaborates with other government agencies, vehicle manufacturers, suppliers, and the public to further industry’s efforts in addressing vehicle cybersecurity challenges.” Some of the research projects that the agency is working on currently include finding cybersecurity considerations for heavy vehicles, and reference parser development for V2V communication interfaces.
  • The Auto ISAC (Information Sharing and Analysis Center) has been created by auto OEMs as a forum to share and analyze security intelligence globally. Its span of operation includes light- and heavy-duty vehicle OEMs, suppliers and the commercial vehicle sector.

Start-Ups

Some exciting start-ups in the sector include:

  • Argus Cyber Security, based in Israel, had received a funding of $25mn before it was acquired by Continental late last year. The company has won many awards and provides cyber security solutions for various automotive players including OEMs and their suppliers, connected fleet operators, and aftermarket providers of connectivity services. The company has R&D labs in Tel-Aviv, Israel, and offices in Michigan, Silicon Valley, Stuttgart and Tokyo.
  • Karamba Security is based in Israel and has received funding of $27mn till date. The company’s security products protect and harden the vehicle’s Electronic Controller Units (ECUs) against any type of foreign code or unauthorized change.
  • TowerSec's (which was acquired by Harman) product is a ready to embed software solution for OEMs, component manufacturers and telematics providers. The company was founded in 2012 and has offices at Ann Arbor, Michigan with an R&D center in Tel-Aviv, Israel.
  • Late last year, Upstream Security raised $9mn on top of a $2mn funding that the company had secured in June, 2017. The startup is taking a different approach by installing security in the cloud – i.e. in the data center between the car, the telematics server and server applications. The company now has plans of opening its sales offices in the east and west coast of the US.
  • Other notable companies include Arilou, C2A, Regulus and Enigmatos - all based in Israel.

Player Strategies

Player Strategies.png

The Final Word

The importance of adequate cybersecurity in connected vehicles cannot be overstated. Auto OEMs in particular need to understand that the cybersecurity development process, testing and regular updates will require expertise, flexibility, and a ‘DevOps’ approach which the industry still needs to assimilate. A cultural shift is required, and one way of expediting this cultural overhaul is to tie up closely with the technology players, as such players are already used to a specific working style and speed. Technology players on their part need to realize that in case of a breach, they will (apart from the auto OEMs) also find themselves in the headlines for all the wrong reasons. Tech players are the real brains behind the security measures, and will have enough monetary opportunities once the user’s trust is gained. Overall, both these players need to play as a team and not as competitors as a strong collaboration will be critical to ensure connected vehicle security.

References:

  • https://www.rsaconference.com/writable/presentations/file_upload/ht-t11-hacking-the-connected-car-thetfuturetof-vehicle-vulnerabilities.pdf
  • https://www.rsaconference.com/writable/presentations/file_upload/sbx3-r1-how_secure_is_the_hyper-connected_car.pdf
  • https://www.strategyand.pwc.com/reports/connected-car-2016-study
  • https://internetofbusiness.com/cloudera-connected-car-safety/
  • https://www.mckinsey.com/~/media/mckinsey/industries/automotive%20and%20assembly/our%20insights/shifting%20gears%20in%20cybersecurity%20for%20connected%20cars/shifting-gears-in-cyber-security-for-connected-cars.ashx
  • https://www.gearbrain.com/connected-car-cyber-security-threat-2544062809.html
  • https://www.nhtsa.gov/technology-innovation/vehicle-cybersecurity
  • https://www.trendmicro.com/us/iot-security/content/main/document/IoT%20Security%20for%20Auto%20Whitepaper.pdf
  • https://www.sogeti.com/globalassets/global/downloads/cybersecurity/cybersecurity_for_the_connected_vehicle_pov.pdf
  • https://www.businessinsider.in/Cybersecurity-expert-explains-why-Teslas-cars-are-some-of-the-toughest-to-hack/articleshow/53163830.cms
  • https://electrek.co/2017/07/17/tesla-fleet-hack-elon-musk/
  • https://stocknews.com/news/tsla-tesla-inc-tsla-avoiding-fleet-wide-hack-is-top-concern/
  • https://www.securitynow.com/author.asp?section_id=654&doc_id=736709
  • https://www.scmagazineuk.com/future-connected-cars-overcoming-cyber-security-threat/article/1474419
  • https://www.cio.com/article/3094869/security/fiat-chrysler-launches-bug-bounty-program-for-connected-vehicles.html
  • https://www.linkedin.com/jobs/view/global-lead-for-connected-vehicle-and-application-security-at-fca-fiat-chrysler-automobiles-729342165
  • https://techcrunch.com/2017/12/12/upstream-security-reels-in-9m-series-a-to-protect-connected-cars/
  • https://igniteoutsourcing.com/publications/top-connected-car-startups/
  • https://www.gartner.com/doc/3883166/hype-cycle-connected-vehicles-smart
  • http://www.mdpi.com/1996-1073/11/5/1062/htm
  • https://nathanielhoradam.com/2018/07/23/hype-cycle-blues-has-the-av-bubble-burst/