Cyber threats go beyond the boundaries of vehicle control

Q: What are the top threats to cybersecurity in the automotive industry?
“One is an industry focus on quality control rather than quality assurance. In general, quality control means doing a repetitive task very well, such as building vehicles. The automotive industry is among the top in the world in this area, but decades of experience from the software industry tells us that coding and requirements development are highly creative tasks, where quality is improved less by the simple application of rigid procedures and checklists and more by the continuous guidance of key technologists and architects throughout the definition and implementation lifecycle, long before quality control can test and measure. Some industries have also learned to reduce software defects by the use of technical experts as part of their software quality assurance organisations, in order to understand best how to guide, measure, and correct the more creative activities. Quality and technology should not be separate disciplines, and latent software issues likely represent more than half of a product's security vulnerabilities, so quality assurance, focusing on the definition and development phases, will be key to minimising those software issues.
Another threat comes from nation states. Transportation is now being recognised as a critical element of the nation's infrastructure, like electrical power and water. The ability to affect a nation's economy by affecting significant portions of the nation's transportation infrastructure is a very real concern. In the past, automotive was less affected by inter-nation politics, but the increasing levels of vehicle connectivity and active systems mean that transportation cybersecurity must be elevated to the same level of oversight and protection as are afforded other critical infrastructure elements.”
Q: What as an industry can/is being done?
“The good news is, much is being done, but there is a huge amount of work yet to be done, and any seasoned professional knows that security is a never-ending battle. Automotive has been coming together with a number of government-industry projects to analyse the problem and formulate protections such as hardware security modules and secure elements, sharing cybersecurity lessons and knowledge through the formation of consortiums like the Automotive ISAC, cooperating on the creation and specification of security standards such as work in CAMP and SAE, and development of best practices such as through the new Automotive Security Review Board. A number of OEMs are also working with the security community, hiring white hat hackers to help find issues, and in cases like Tesla, even providing rewards when vulnerabilities are found.”
Q: Is the media attention given to recent hacks really worth paying attention to i.e. is it a threat right now? What are the actual priorities?
“The media can be a strong ally in helping to educate the consumer that security is important and worth an investment, such as the safety education for airbags, antilock braking and stability control, headrests, and seat belts. Cybersecurity is a risk today, and it is a high priority, but consumer sentiment can also help to keep this topic in the spotlight by demanding strong security for their vehicles.”
Q: Where is responsibility ultimately going to lie?
“It has been said that "safety is everyone's concern". Security, as it can affect safety and also the loss of PII (personally identifiable information), is therefore in the same vein as safety. The automotive industry is working to protect vehicles against cybersecurity attacks. Consortiums and agencies are working to identify risks and solutions. And consumers need to demand, and have a preference to buy, more secure products. The current media attention helps to serve as a wake-up call that automotive is not just about horsepower and infotainment but also about safety and security. That's why the goal of a vehicle is to get you from Point A to Point B – safely, quickly, and comfortably, in that priority order.”