Hooking up to the IoT with a clear conscience

The United States Senate will consider the SELF-DRIVE Act that will, among other things, require car makers to develop plans for automotive cyber security, while also directing NHTSA to "consider process and procedure standards for software and cybersecurity as necessary".

Like a lot of legislative initiatives, it's too little and too late, but the automotive industry isn't waiting. The past two years have seen tremendous expansion in the cyber security sector, as automakers, Tier 1s and start-ups collaborate to secure connected and autonomous vehicles.

Chris Thomas, a founder and partner in the venture investment firm Fontinalis Partners said: "Now, cyber security is not a choice. It's a must-have. There's been a huge paradigm change in how people think about it as an overall component of the system."

Autonomous cars will be even more vulnerable to attack due to their reliance on vehicle-to-vehicle and vehicle-to-infrastructure communications, according to David Barzilai, executive chairman of Karamba Security. While attacks against vehicles usually enter through the infotainment system, he says, an attack against the V2X communications system might compromise safety without being detected in network traffic.

A multi-layered problem

With the complex architectures and complicated supply chains of the automotive industry, even when standards and requirements are delivered to suppliers, it's very difficult to ensure those requirements are being met at the chip level, according to Jonathan Allen, a director of Booz Allen Hamilton.

"Automakers have to assume each one in itself is insecure," he says. The keys are redundancy in design and monitoring, to ensure that if a part of that system is compromised, it's reported and fixed.

In connected and/or autonomous vehicles, these layers need to be secured:

· Software development among carmakers and suppliers, reducing coding errors that could be exploited and the likelihood of malicious code being introduced
· The factory floor where hardware and software are installed in individual cars
· The transportation system, so that persistently connected cars are not attacked in transit
· The dealership, where software may be installed or updated and connected cars are available for test drives
· The car itself
· Communications to and from the car after it's deployed, including WiFi, cellular, V2V and V2X, and over-the-air updates
· Data produced by the car and stored by carmakers and partners

At the vehicle level, devices, software and communications within the car must be secure:

· The operating system
· Software for different modules and ECUs
· Intra-car networks like the CAN
· Individual control units such as the integrated drive system or telematics control unit

Finally, cyber security should be baked into the company itself, not only in enterprise networks but also into every facet of internal operations.

While awareness of security threats among carmakers is high, McKinsey says that less than half have operational security units. It also cites a recent survey finding that only 10% of suppliers said cyber security ranked high on top management’s agenda, while 45% considered the cyber security of external partners to be important. Having an operational security unit, as well as a chief information security officer (CISO), is necessary because it's not only the car that needs to be secured: cyber security must extend from enterprise systems through hardware and software design and development, and then include the factory.

Link by link

Automotive cyber security is so complex because of the multitude of suppliers involved in the supply chain. That makes it quite difficult for any entity along the chain to understand how secure a component is.

Says Andre Weimerskirch, vice-president of cyber security for E-Systems at Lear: "As a supplier, we face the same issue of evaluating vendor claims." When Lear develops a new unit and identifies a particular technology to use, it may have a choice of several vendors. "How do we figure out which is most secure? You can't really measure it. We dig extremely deep to understand what vendors are actually offering. It's a bit like a puzzle."

Lear performs risk assessments and tries to identify attack vectors for each new component, and then selects in-house or third-party solutions to counter each risk it's identified.

Software, open or closed

Software is another critical part of the supply chain. Sam Lauzon, an automotive cybersecurity software developer in UMTRI's Engineering Systems Group, points out that enterprise software vendors like Microsoft, Apple and Adobe are constantly delivering updates to patch vulnerabilities and fix bugs. If companies like these, which spend billions of dollars on research, can't ship software that's 100%, he asks, "How can we be certain that a smaller, third-party company that only supplies the auto industry has a secure product?"

The majority of software in vehicles is proprietary, making it difficult for customers and third parties to evaluate. Lauzon is a contributor to Uptane, an open-source project that's developed a software update security system for the automotive industry. Because it's open, advocates say, companies and the greater developer community can improve the code and remove vulnerabilities.

Choices vs. market confusion

One area of debate is whether it's better to address the multi-layered cyber security problem with an array of point solutions, the so-called "best of breed" approach, or to use one solution that aims to address every layer – in industry parlance a "holistic" solution.

Yoni Heilbronn, chief marketing officer of Argus Cyber Security, insists: "There is no one silver bullet to solve the entire problem. Otherwise we wouldn't have a multibillion dollar market for computer security. One should have different layers of solutions to complement each other and make it as hard as possible for perpetrators to attack a vehicle."

Karamba Security also proposes the best-of-breed solution, although it says its approach is unique. David Barzilai, executive chairman of Karamba, says, "Everybody should do what they are good at. Network-based security solutions are pretty good at reporting but in terms of prevention, they have a major issue of false positives. They are good at reporting what they see. We complement them in prevention and forensics data."

Carmakers are starting to move away from outsourcing every piece of the services puzzle, according to Thomas of Fontinalis, whose firm backs Karamba. "We've seen from OEMs a lot more curiosity and a willingness to look at the build-or-buy decision around innovation in new ways." He sees them being more open to contracting directly with young start-ups in order to obtain bespoke solutions that the OEM will then validate on its own.

"This doesn't mean they don't want an all-in-one solution," he adds. "It always comes back to ease of use." In some cases, the carmaker will identify a point solution and redirect it to its tier 1 or make it a requirement in its specifications. "It's not a binary decision," he insists, "but there's more creativity and openness about how OEMs best serve their products and their customers."

Looming issues

Finally, our experts identified a couple of issues that aren't currently being addressed: forced over-the-air updates and aftermarket devices and alterations.

Elektrobit's vice-president of strategy and key partnerships, Martin Schleicher, believes that forced OTA updates to patch vulnerabilities are inevitable. In order to prevent hacking, a carmaker might need to provide a security update very quickly. But what happens if someone is driving? "Do you want to stop driving for an hour or two?" He thinks such updates must be done in a way that's convenient for the car owner, ideally even while the car is being operated. Moreover, the carmaker will need to find a way to communicate to the driver why a forced update is necessary.

Krish Inbarajan, global head of connected car at Cisco Jasper, says that aftermarket devices pose their own security challenges, ones that carmakers are in no position to address. While they put controls in place to secure communications within and exterior to the vehicle, he notes: "There are no rules that govern who can put a device in." While providers of aftermarket devices may be moved to secure their products in order to protect their brand equity, devices may not have been validated within the overall cyber security of the carmaker's product. Moreover, Inbarajan says, with hundreds or even thousands of aftermarket vendors in the United States alone: "Security has not necessarily been the focus of the aftermarket, where competition is intense."

While some automakers have expressed the desire to limit access to the OBD port, Inbarajan doesn't think this is feasible because the repair industry needs that access. "That means the OBD port cannot be closed out to reading and potentially writing some information," he says. "If that's the same pipe through which aftermarket devices get access, how do you make sure you can't read and write to it?"


