As car manufacturers ride along this new wave of automation, the need to secure these increasingly connected ‘devices’ becomes paramount and the UK government has been swift to take actions.
As vehicles are getting smarter by the day, cyber security in the automotive industry is becoming a grave concern. As a result, the UK government has stepped in to make this transition smoother by implementing new and relevant cyber security guidelines for connected and driverless cars. Despite all these guidelines at Level10 we feel that, digital automobile security experts will have to solve problems that the cyber security industry still has not quite figured out. This could be another gateway to more jobs in this field of expertise.
Cars are now becoming connected Wi-Fi hotspots. But, like it or not this leaves them vulnerable to hacking and data theft. To counter this menace that it already is, most automakers are now installing gateways between a driver’s systems and the car’s CAN network. But repeated hacks of Jeeps and Teslas in the past have shown that with enough skill and patience, hackers can bypass those gateways and gain access to the mainframe systems.
Mark Noctor, VP EMEA at Arxan Technologies, informs that “A major cyber-attack on connected vehicles would take a terrible toll on human life, so the security guidelines published by the UK Government on Sunday are an important step in securing this emerging technology.”
“The communications and entertainment systems are particularly vulnerable to attack, and can be reverse engineered to access the API libraries that facilitate data sharing between systems. From here attacks can even inject malicious code into the electronic control units (ECUs) and controller-area-network (CAN) bus, which control critical systems such as electric steering and braking.”
“Preventing application code from being accessed and tampered is one of the biggest priorities in protecting a connected vehicle, and it is encouraging to see the government’s guidelines specifically list the ability to protect code and ensure its integrity as key principles. Manufacturers must deploy code hardening measures to prevent attackers from accessing their source code and removing vital data such as cryptographic keys which can be used to access other systems. Anti-tampering measures should be hidden in the code to alert them if the code has been changed, and prevent systems from starting if alterations are detected.”
With the slamming of this massive threat at hand, the UK government has announced that, it is now essential for all parties- involved across the various departments are to be provided with a consistent set of guidelines that support this industry security-wise on a global scale.
The UK’s transport department in alliance with the Centre for the Protection of National Infrastructure (CPNI), have created a number of key principles for use throughout the automotive sector, the CAV and ITS ecosystems and their supply chains.
Here’s a look at the 8 major principle’s that have been laid out for the masses to follow:
Principle 1 – organisational security is owned, governed and promoted at board level.
Principle 2 – security risks are assessed and managed appropriately and proportionately, including those specific to the supply chain.
Principle 3 – organisations need product aftercare and incident response to ensure systems are secure over their lifetime.
Principle 4 – all organisations, including sub-contractors, suppliers and potential 3rd parties, work together to enhance the security of the system.
Principle 5 – systems are designed using a defence-in-depth approach.
Principle 6 – the security of all software is managed throughout its lifetime.
Principle 7 – the storage and transmission of data is secure and can be controlled.
Principle 8 – the system is designed to be resilient to attacks and respond appropriately when its defences or sensors fail.
With autonomous systems and driverless tech still being something that’s under the hood (atleast for now), it would take a proportionate amount of time before security networks are tightened and all the loop holes are covered. Expect more changes in the coming days, with respect to protocols and principles.