Is Your Vehicle Secure - Cyber Security of Vehicles
Introduction
"On 24th July 2015, Chrysler
announced that they will be recalling 1.4 million vehicles which they suspect
of software vulnerability in the Uconnect dashboard computed[1]
and is a potential threat for hacking. Two Security researchers Charlie Miller and
Chris Valasek hacked the car's entertainment system which was connected to the
mobile data network and controlled the car remotely. They showed that Cyber
security is a real treat to vehicles.
These days it is often talked and
written about connected cars and how it is going to disrupt the industry. The demand
for connected cars globally is growing at a fast pace. Customers wants to be
connected always and the experts predict that digital disruption in automobiles
have already begun. Projection shows up to 15 percent of new cars sold in 2030
could be fully autonomous[2].
Traditionally automobile
manufactured have focused on passenger safety and quality of the product as
their top priorities. During manufacturing process, the plant operators have
always identified component and process which will directly impact the safety
of the passengers. However, increasing use of advanced technologies like
telematics, autonomous vehicles, IoT have increased the risk of cyber-attacks.
Automobiles are as vulnerable as one's laptop or mobile as it is increasingly
getting connected to other IT devices.
When someone hacks a vehicle of
perform a cyber-attack, the hackers get into the vehicles' networks and controls
the electronic control units (ECU). This not only puts the drivers' personal
data on risk but also risks the passengers' life and safety.
In comparison to other
industries, automobile industries are way behind on the maturity curve in terms
of its preparation towards cyber defense capabilities[3].
According to Professor Andry Rakotonirainy from Queensland University of Technology's
Centre for Accident Research & Road Safety[4]
; the security protection on cars is virtually non-existent and one can compare
its level of protection to that of a computer way back in 1980s.
But they have started understanding
the importance of cyber security. In 2014 Jeff Massimilla was named chief
product cybersecurity officer of General Motors; a position never heard of in
an automobile industry.[5]
With increasing threat and risk, other OEMs will follow suit and recognize the
importance of cyber security as their vehicles become more connected and more
vulnerable.
Sources of Vulnerability
Vehicle engineering
More complex the product, more is the vulnerability. In some
of the high end models, it has become a combination of laptop and mobile with
multiple microprocessors[6]
and each will have its own software's with millions of lines of code. Each node
will be a point of vulnerability and a path for the hackers to get in and take
control of the vehicle.
Suppliers
As per a McKinsey report only 10 percent of the automotive
suppliers say cyber security ranks high on top management's agenda compared to
35 percent of OEMs. This data clearly shows the low importance and that the
suppliers are least prepared to adopt security measures in the product. Each
supplier has to adopt cyber security measure to protect the vehicle as whole.
Even if a single electronic component is vulnerable, the vehicle will get
affected since all are interconnected.
Users
Finally, just like any other electronic device, ignorance of
users is also an easy path for hackers to get into the network. As vehicles
become more compatible and get connected to other devices, more entry points
are created. The kind of care that users take for online banking, similar
protections are required for vehicles in future.
Actions to Prevent Cyber Attach on Vehicles
Reduce points of entry for a hacker
As the OEM designs & engineers the vehicle, the should
take care of reducing the points by which a hacker can enter the network. This
can be done by securing the critical safety and control systems. This is called
Air gapping. Here, to ensure network security the computers will be physically
isolated from un secured networks like public Internet or an unsecured local
area network[7].
So in automobiles one could separate the passenger infotainment system from
other critical control system like brakes, steering etc.
Intruder detection
The vehicle network system should have detection and alert
mechanism to inform the driver about a potential intruder into the system early
on so that the driver can take necessary action to stop the entry of a hacker.
Authentication and Authorization
Authentication and authorization is another area that needs
to be addressed in increasing the security. Online banking applications has
been widely using it, however adoption in automotive industry is still at a
very nascent stage. Using encryption and cryptography is the way forward to
address the risk arising due to access breach. Blockchain is an upcoming
technology in encryption and cryptography and several use cases will evolve in
cyber security area and automotive industry should keep a watch on its evolution.
Alternate mechanical fall back option
While OEM designs electronic system, a manual override
system should also be designed for critical systems like Steering, Brakes etc.
In case of any hacking, there should be an alternate mechanical system which
can come into play during such scenario. The passenger or driver can switch to
a mechanical system whenever any suspicious activities is detected in the network.
Conclusion
Connectivity is a necessity for any device an individual
owns in this era of technology revoution and convergence. Automobiles is no different as it gets connected to multiple other devices and networks. This technological
disruption is inevitable and it is every OEM's responsibility to ensure safety of
the drivers and passengers who are using their product. Here, we are not just talking about
data theft, but a threat on the life
of an individual. We see that every company is investing heavily in latest technologies like telematics, autonomous vehicles etc. However, its adoption will depend on the
customer's confidence in its safety and security features. OEMs have to collaboratively
find ways to set up security standards which can be adopted across the supply
chain. OEMs and suppliers have to establish partnership with software
vendors and experts in cyber security to ensure security of their products and
keep the product up to date with respect to its security.
[1] http://www.bbc.com/news/technology-33650491
[2]
Automotive revolution -perspective towards 2030 by McKinsey -Jan 2016
[3]
Shifting gears in cyber security for connected cars by McKinsey - Feb 2017
[4] https://www.sciencedaily.com/releases/2014/09/140917120705.htm
[5] http://www.automotiveit.com/my-role-is-to-protect-the-cars-ecosystem/news/id-0051475
[6] http://www.newelectronics.co.uk/electronics-technology/growing-number-of-ecus-forces-new-approach-to-car-electrical-architecture/45039/
[7] https://en.wikipedia.org/wiki/Air_gap_(networking)