Connected cars and automated driving are fast moving onto public roads, holding great promise to improve road safety, reduce congestion and emissions, and increase the accessibility of personal mobility. Electronics have become central to vehicle control. We are seeing a major shift from hardware to software in the automotive industry, with modern vehicles now relying on 100 to 150 million lines of code. This shift from hardware to software, matched with increasing vehicle connectivity, creates a “perfect storm of cyber security vulnerabilities,” says Giuseppe Faranda, Cybersecurity Advisor at Karamba Security.
Faranda was speaking at the Symposium on the Future Networked Car last week, an annual event organized by ITU and UNECE within the Geneva International Motor Show.
The automotive industry is underestimating the gravity of the cybersecurity challenge, says Faranda.
Connectivity can provide malicious actors with access to electronics controlling engine ignition, acceleration, steering and braking. Cyber attacks have the potential to put lives in danger, erode confidence in emerging technologies and inflict major blows to carmakers’ brand reputation.
“We cannot secure every line of code,” primarily because the cost of this security is prohibitive, explains Chuck Brokish, Director of Automotive Business Development at Green Hills Software. “We should provide highly robust protection to critical components with the understanding that less critical components may be compromised.”
Over-the-air software updates will make a major contribution to the maintenance of connected, automated vehicles, and Brokish adds that isolating critical components has the further benefit of enabling more targeted updates to safety-critical software.
Security challenges aren’t insurmountable
Tom Lysemose, CTO of PROMON, drew a comparison between the automotive and financial services industries. “We have seen smartphones replacing car keys, much as smartphones are replacing credit cards and the need to visit a bank branch.”
The financial services industry – a prime target for cyber attacks – has been relatively successful in balancing innovation with strong end-user demand for security, says Lysemose. The industry has gained cybersecurity experience of great relevance to other industries developing new ICT-enabled products and services.
Innovation often outpaces the development of associated security measures. Security experts see this imbalance emerging in the automotive industry. ICTs are enabling carmakers to add new features to their products at a blistering pace, but security continues to lag behind.
“We must start to consider security as core functionality,” says Brokish. “We are adding features with reckless abandon. The imbalance is clear. Safety and security must be added faster.”
What will it take to balance innovation and security in the automotive industry?
For security experts participating in the symposium, the answer is “security by design” – security should be considered core functionality to be integrated in product design, operation and maintenance.
Regulation supported by standards
The ITU has delivered a new international standard for secure over-the-air software updates to connected vehicles. This field of work is expanding. The expert group for security, ITU-T Study Group 17, has established a new work stream to coordinate a growing volume of work on security aspects of intelligent transport systems.
The ITU has also built successful collaboration with UNECE, the body responsible for global vehicle regulations. ITU-T Study Group 17 is an active contributor to the UNECE task force on automotive cybersecurity and over-the-air updates, a task force developing a much-anticipated paper expected to be released in June 2018.
“The United Nations will use the paper to globalize an approach to cybersecurity for automotive,” says Darren Handley of the UK Department for Transport, Co-Chair of the UNECE Task Force.
Technical standards developed by bodies such as ITU, SAE, ISO and Auto-ISAC can offer valuable support to the regulations issued by UNECE.
“Standards have a key role to play,” says Handley. “Industry will be able to demonstrate that they are abiding by UNECE recommendations by highlighting their conformance with relevant technical standards.”