Don’t Hack and Drive
In an increasingly tech-heavy world, product connectivity is becoming ever so common. One sector in which connectivity has taken a massive leap forward is the automotive industry. Virtually without exception, car manufacturers are incorporating connectivity into the DNA of their products. The connectivity ranges from a navigation system showing live traffic data to the integration of advanced driver-assistance systems like adaptive cruise control. This connectivity brings not only the ease and comfort of being able to leave the driving work and decision-making to computers, it also poses unique (cyber) security risks. Both for the people behind the wheel at the manufacturing companies, and for those behind the wheel of their connected car.
These risks are constituted through the wireless connectivity these cars have with external networks, often realized via a cellular connection. Similarly, modern cars offer passengers the ability to connect wireless devices via tethering or via onboard WIFI systems. These connections form potential entry points for malicious actors and make the connected vehicle vulnerable for hacking. Gartner estimates there will be a quarter of a billion connected cars on the road in 2020 and Statista estimates that 98% of new sold cars in 2020 are expected to have some form of connectivity. In light of this, car manufacturers are buckling down to protect their connected cars against the consequential cyber security risks.
These efforts should all starts with the design of the vehicle, and with making todays cars compatible with future innovations. Striving for a secure connected car ‘by design’ should be a top priority for manufacturers. And the ‘by design’ principle here is simple: Adding crumple zones or brakes only after the car has been finished will drastically decrease the overall safety of the car and increases the overall complexity of the design. Similarly, adding cyber security measures to a vehicles Electronic Control Unit (ECU) only after its installation makes it easier for outsiders to circumvent such measures, increases the attack surface, and adds layers of complexity to the ECU’s architecture. Incorporating cyber security at the drawing board is the key to enhance the safety of connected vehicles.
An often-encountered design flaw is the integration of a vehicle’s ECU with its entertainment system. When the infotainment system offers remote access, hackers might be able to hack the ECU through the entertainment system. This is where things get awkward for manufacturers. Hackers showing of with gimmicky features on the navigation screen is not what keeps the manufactures up at night. Hackers having control over throttle, brakes, and steering functionality does.
A solution would be to air gap the two systems. Air gapping means to physically separates the two systems completely and is an architectural concept that allows for greater security, as a breach of one system does not affect the other. The main advantage being that people in the car needn’t worry as much about external hacking threats. One downside of air gapping however, is that it is complex and expensive to implement in existing builds and designs with interconnected ECU and entertainment systems. It’s therefore not always the best option for manufacturers.
One particularly interesting innovation that could form a solution to the emerging security risks is the use of Intrusion Detection Systems (IDS) in vehicles. An IDS will monitor a vehicle’s data streams with both internal and external systems for anomalies and malicious activity and report its findings to an administrator. Then, through big data analysis of the anomalies, the administrator can monitor the constantly changing threat landscape and attack patterns. When installed in a larger fleet of vehicles, this creates a form of ‘swarm intelligence’, ever increasing the cyber resilience of all the vehicles within the fleet. Using such an anomaly-based IDS will help secure connected vehicles and keep them secure over time. The big data analysis helps cyber security teams develop security countermeasures which can be updated wirelessly to all connected cars. This increases overall cyber security in connected vehicles and offers continued protection beyond the gates of the factory.
There are still many hurdles to be taken for modern-day car manufacturers and it will be interesting to see in which direction they are heading.