Recent estimates suggest 150 million connected cars will be on our roads by 2020, prompting interest across sectors far beyond the automotive industry.
Many people are taking notice of this new wave of innovation – and the impact it could have at both a consumer and corporate level.
Even Her Royal Highness has addressed the matter, introducing changes which enable driverless cars to be insured under ordinary policies in the Queen’s speech earlier this year.
The UK government has also demonstrated the country’s commitment to furthering the development of the driverless car economy. This summer, a major consultation was launched to support automated vehicle technologies and smooth the path towards automated cars being used successfully on British roads.
The government and automotive industry must not risk neglecting the security essentials in their push for innovation. Doing so could risk not only the success of these new technologies, but also user safety.
Intel Security has reported that connected cars are the third fastest-growing technological device after tablets and phones. While the regulatory changes and consultations implemented thus far demonstrate a level of forward thinking that could deliver a huge boost to the UK economy, security must also be considered.
As new technology is adopted, cybercriminals constantly attempt to identify new methods to exploit any potential vulnerabilities for financial gain. With the world’s connectivity continuing to grow, the threat landscape continues to expand.
Through live demos, Intel Security has proven that it is possible for ransomware attackers to reach their victims through vulnerabilities in auto-entertainment systems in modern vehicles, leaving the driver unable to operate their car unless they pay a ransom.
Late last year, Intel began developing the Automotive Security Review Board (ASRB) in conjunction with founding members Aeris and Uber.
Forming a collaboration of the top security and automotive industry talent worldwide, the board aims to keep one step ahead of cybercriminals and secure potential vulnerabilities before they can be exploited.
While innovation around internet connectivity in vehicles has enabled the addition of exciting new features, including real-time telematics, smart intersections and autonomous driving, it does open up a new avenue to lucrative hacks for cybercriminals.
Built-in security solutions must be factored in from the start to ensure that next-generation cars can operate safely at their full potential, even within a potentially malicious operating environment.
Security by design
The consolidation and interconnection of vehicle systems requires an intentional, proactive security design. As a result, vehicle security needs to begin at the very start – in the design phase.
Foundational principles taken from related industries, such as defence and aerospace, can be utilised. These include designing secure systems from hardware to the cloud with identified best practices and technologies for each particular building block and defence-in-depth, a process similar to the layers of protection analysis (LOPA) methodology used for safety and risk reduction.
Security by design should also consider areas such as secure boot, trusted execution environments, message authentication, tamper protection, isolation of safety critical systems, network encryption, data privacy, behavioural monitoring, anomaly detection, and shared threat intelligence.
Automotive security must not just start with design, but should move through to the production and operation stages. By implementing best practices throughout production processes, design components can be correctly incorporated and linked back to the properties outlined in the secure design. This can offer customers confidence in the security of the platform.
Key best practices here include code reviews, continuous validation of security assumptions, component and system-level penetration tests, inbound and outbound materials processes, maintenance and upgrade plans, and a feedback loop for continuous learning and improvement.
Threat analysis and risk assessment must continue once cars are on the road. Old vulnerabilities can be patched and new ones can appear – the risk of an attack can even increase over time.
Both consumers and manufacturers can feel confident if detailed incident response plans are in place in case a newly discovered vulnerability or security breach arises.
Using techniques such as over-the-air software or firmware patches and upgrades enables manufacturers to quickly remove vulnerabilities and significantly reduce recall costs.
In addition, threat intelligence aids the identification and understanding of potential criminal business models, enabling businesses to prioritise threats and their associated risks while implementing an appropriate incident response.
The success of these operational measures requires secure chains of trust to be built into the vehicle, designed to last throughout its lifetime.
Automotive security best practices today are a combination of product safety and computer security. The security of vehicles and transportation systems must be improved before connected cars become part of our daily routines.
In addition to ensuring cyber attacks are difficult to execute, preventive and mitigation techniques must be in place to detect and correct vulnerabilities quickly before too much damage is done.
Ultimately, the Automotive Security Review Board aims to help create an environment in which cars can self-heal – detecting malicious intent, withstanding attacks and performing self-repair where necessary.
With increased collaboration between the automotive industry, standards organisations and security experts, this vision can become a reality.
Sourced from Raj Samani, CTO EMEA, Intel Security