Protecting Connected Cars in the Era of New Regulation
The car is your private space, an area where you can behave as you like, do what you want, and listen to what you want to listen to, and nobody can tell you otherwise - just so long as your actual driving is safe and legal.
We all hook up our phones to the infotainment system, stream our music over Bluetooth, and download our contacts list to the car. It’s the most simple demonstration of living with a connected car, but there’s far more to it than that.
Up to date models on sale now include multiple connected systems, from simple navigation aids to Siri-like voice-activated assistants such as ‘Hey Mercedes’. With over-the-air updates, cars are becoming as reliant on software and its updates as a smartphone, and that brings with it a lot of issues.
Any connected device is at risk of data loss or, even worse, data hacking. Skilled hackers and black-hat intruders (so-called after classic western movies, where the bad guys wore black hats) are always working on new ways to access your information, as there’s value to that.
However, in the process of attempting to steal credentials, there’s a real risk to critical safety functions as well as obvious privacy concerns.
Today’s cars have around 150 electronic control units in them, and around 100 million lines of computer code to control it all. If that sounds a lot, it is - a Boeing 787 Dreamliner’s flight systems contain less than 15 million lines. A single error in that code can cause catastrophic effects, although multiple redundant systems mitigate that to a degree. However, it’s obvious that securing access to that data is critical.
As cars continue on the path towards autonomous driving, vehicle-to-infrastructure communications and intra-car connectivity, on top of the personal connection services offered, is set to triple the code carried on board, and as the code multiplies, so does the risk.
Legacy systems are continually modified, added to and revised, leading to the mushrooming of code, and the complexity that comes with that, including unintended consequences, and it’s this that presents an opportunity for a cyberattack.
Attacks are affordable, with little investment needed in equipment. White hat hackers (named after the white-hat-wearing goodies in western movies) have already proven that it’s relatively easy to take control of the infotainment system in an electric car, causing the vehicle maker to release a software update to mitigate the problem. A Chinese security company found 14 vulnerabilities in a premium European model, and another global automaker recalled 1.4 million cars in 2015 in one of the first cases involving automotive cybersecurity risks at a potential cost of as much as £500 million.
There’s no standardised response to cybersecurity issues, resulting in different OEMs taking different paths to achieve the same result, adding yet more complexity to proceedings. Furthermore, they’re relying on outside suppliers to provide plug-in systems that are self-certified, with little to no testing of end-to-end security.
Regulations are coming to fix this mess, with minimum standards for vehicle software and security that will affect the entire supply chain. California, unsurprisingly, leads the way with regulations, but the World Forum for Harmonization of Vehicle Regulations under the United Nations Economic Commission for Europe is expected to finalize its regulations by 2020. Industry experts expect these new regulations to be simply the first step to a more secure future.
Now is the time for manufacturers to make cybersecurity an integral part of its core design and development programs. Carmakers have a strong record of establishing a culture of safety - when pushed by suitable regulations and testing - so legislation and compliance assessments will soon bake data security into the industry’s culture.
That focus on security needs to continue throughout the vehicle’s lifetime, and not simply up to the point of sale, as new vulnerabilities emerge often years after the initial release of the software. Legal requirements affecting an OEMs ability to get type approval for a vehicle would ensure compliance.
Smartphone manufacturers might support a phone for two or three years, but cars last ten years or more, at which point they tend to visit dealerships less frequently, increasing the importance of a robust over-the-air update system.
It’s this area in particular that needs to see common standards to keep development and maintenance costs under control.
With the advent of the EU’s GDPR privacy regulations, manufacturers could be liable for data breaches, with fines of up to 2% of global turnover available as punishment in some circumstances. That’s enough to turn many manufacturers into loss-making businesses, so the need for security doesn’t just take on a moral significance, but creates huge financial implications. Money talks, and it’s that that will make OEMs stand up and take notice.