Nothing simple about cyber security on a speeding car

Keeping computer hackers away from a PC or laptop may be hard enough but protecting a fully connected car as it hurtles along a high speed motorway or interstate poses a much harder problem.

That’s the simple admission of Yoni Heilbronn, vice-president at Argus Cyber Security who believes the complexity of the modern motor vehicle is also its worst Achilles Heel.

Speaking to TU-Automotive, Heilbronn said: “With the car you are dealing with a beast that is far more complex than a normal PC or mobile device. For example, you can have about 10 ECUs on a network and then, on top of that, not every vehicle will have the same electrical architecture and then you will have a different protocol with the most widespread at the moment being the CANbus protocol.”

And with ever more technological advances, problems will continue to mount. He added: “In the near future with Flexray and the internet connectivity and then the problem itself is far more complex.”

The physical moving nature of a vehicle also increases the dangers from a system being attacked by malicious third parties.

Heilbronn said: “First of all you are dealing with something that is moving and has a potential impact on people’s lives. Another issue is that the requirements by the auto industry are far more strict than those you will have with your laptop or PC because the implications are far more severe if the vehicles are compromised.

“Add on to this the fact that, currently, there exists no real regulations and the emergence of standardisation is still in its infancy. That said, we are dealing with computer systems that are made up of code and I don’t know of any such system that is 100% fool proof where if you want to find a flaw and put enough effort in, you will find it.

“In the end the industry needs to change its way of thinking around the potential vulnerability of their systems and to embrace them and not fall into a knee-jerk reaction of fear.”

It’s clear the chance of reaching a standardised approach to the problem is still some way off and Heilbronn is worried that if carmakers don’t accelerate this process, the world’s governments may weigh in wielding onerous regulations to quash technological innovation.

He explained: “Automakers need to take a proactive stance and not wait for regulation to come along.”

He pointed to the warning delivered to the auto industry by Senator Gary Peters, US Senator for Michigan, at TU-Automotive Detroit 2015 stressing that the industry must start a process of self-regulation.

“He said ‘act quickly because you don’t want us to regulate’,” said Heilbronn. “This is a very clear message to the auto industry that it should adopt its own standards and not wait for anyone to come along and force the industry to act.

“In this we have seen the latest initiative in the shape of the Auto ISAC [an Information Sharing and Analysis Centre launched by the Alliance of Automobile Manufacturers and Global Automakers last year]. This allows the sharing of vulnerabilities between OEMs

“At the moment this may be seen as a closed club for OEMs but in the next few months this could be opened to Tier 1 suppliers and, later on, to Tier 2s.

“The Auto ISAC has also bigger plans to go beyond information sharing and actually to initiate development activities. I think the more the industry collaborates the better.”

But Heilbronn admitted that there is no one simple solution to protecting the connected car from malicious cyber-attack.

He said: “From my perspective, there is no silver bullet for cyber security whether in the IT or auto industry worlds. It can only be accomplished with a multi-layered approach giving different layers of protection with different solutions for the attack surfaces, for the in-vehicle networks or for the communications systems themselves.

“Only with a multi-layered approach can you make sure you are protected at the maximum level.”

Leave a comment

Your email address will not be published. Required fields are marked *