By Mark Weir, Regional Director – UK & Ireland, Fortinet
The technology in today’s connected cars is amazing. They warn you if you stray out of your lane, and let you know if there is another vehicle in your blind spot. They have adaptive cruise control, alert you to cross traffic, have collision detection and automatic braking, and even turn on the windshield wipers automatically when it starts to rain. That’s just the start. Soon, cars will be able to automatically pay for fuel, negotiate online shopping services, check and read your email to you, and sync with your calendar to remind you of conference calls and events. These vehicles are incredibly connected – and increasingly vulnerable.
In response, several countries have developed regulations to protect connected cars. However, while legislation is a good start, technology is advancing at a rate the slow process of legislation will never be able to match. So the big question is, what can we do to protect increasingly connected vehicles? Once you connect your car to a 4G or 5G network, how do you secure that connection? How do you incorporate security solutions throughout the car to ensure your passengers and their data are protected, especially from zero-day attacks? What are the security implications once automakers become their own carriers, providing personalised connectivity services to their cars?
The increased risk of automation
Over a year ago, security researchers demonstrated how they could remotely hijack control of a connected vehicle while it was cruising down a highway. They found a vulnerability in its Internet-connected infotainment system, which they used as a point of entry to access other systems within the car, including its transmission and braking system. The demonstration was dramatic proof that our vehicles are now under serious threat of cyber-attack, and led to the recall of 1.4 million vehicles in the United States to install a software update to patch the vulnerability.
This incident brought to light the potential for a catastrophic result from a well-planned attack, especially now that driverless cars are on the horizon. These advanced modes of transportation, possibly without even a readily available steering wheel, have considerably more electronic components than “traditional” cars, and rely on sensors, radar, GPS mapping, and a variety of artificial intelligence to enable self-driving. What happens then, when cars on the road are dynamically sharing road conditions, negotiating traffic, and responding to intelligent traffic systems designed to move traffic more efficiently through urban environments? Securing complex systems like these is no easy task.
The legislative issue
In light of the rise of increasingly sophisticated cyberattacks and data breaches over the past several years, ensuring driver safety from cyber threats has become a major development focus and challenge for the automotive and security industries. As a result, several countries have developed regulations to protect connected vehicles. For example, in the US, recent guidelines create new security and privacy standards for automakers, which apply to how companies defend their vehicles from hackers, as well as to how they safeguard any personal information the vehicles collect, such as driving records.
However, lawmakers are struggling to keep up with the rapid pace of technology, and run the risk of creating laws that will either be too specific to address the latest threats and challenges, or so vague as to allow too much wiggle room in terms of developing appropriate safeguards. Therefore, it is up to auto manufacturers to take the lead in securing connected cars.
Taking practical measures
While manufacturers have vast experience associated with automotive safety, it is reasonable to suspect they have less expertise in the cyber compromise and exploitation space, which is why a good first step would be for them to partner with security vendors to design safer vehicles. As manufacturers incorporate more and more technology into connected cars, whether for improving the customer’s driving experience or enhancing the vehicle’s performance or safety, they must ensure that appropriate and effective security technologies are implemented within these systems.
In practice, this means confronting a growing problem with IoT devices, many of which use common communications programmes that have no security built into them at all. As a direct result, an alarming number of IoT devices are highly insecure, and many have been compromised. Manufacturers need to go beyond current benchmarks and raise the standard for IoT security for their vehicles.
In addition, manufacturers must work with their different technology and communications suppliers, across all of the territories where their cars are sold, to ensure that any network connections to the vehicles are appropriately hardened.
Looking forward, manufacturers will also have to incorporate high-assurance identity and access control systems, so that cars can authenticate incoming connections to critical systems, and internet-based services can positively and irrefutably authenticate cars and the information they log to the cloud or transaction requests they may perform on behalf of their owners – such as service requests or transactions to buy fuel or pay tolls.
Cars are an essential part of our everyday life, and are crucial for transporting millions of commuters through towns and cities, and even from one country to another, on a daily basis. As they become increasingly integrated with our online lives, we are exposing ourselves to more risks than ever.
Manufacturers should approach the security of connected cars much in the same way as they would a modern network – hardening their access points, monitoring and inspecting traffic for malware and unauthorised commands, segmenting the network into security zones, securing communications, and sharing global and local threat intelligence. Once they do so, they will be able to ensure connected cars are as secure as they can possibly be, today and in the future.