Making it personal: why cyber security for connected cars is a matter of life and death
By Tyson Macaulay, chief security strategist and vice president of Security Services at Fortinet.
Many of today's new cars already have multiple forms of driver assistance: from adaptive cruise control to lane-change warnings, self-parking and sophisticated navigation systems that automatically re-route you in the event of traffic incidents.
As we slip into the next gear – full autonomous driving – we start getting very excited about the possibilities. And it all seems tantalisingly close, says Tyson Macaulay, chief security strategist and vice-president of Security Services at Fortinet.
Uber's pilot fleet of self-driving vehicles, for instance, has been operating successfully in Pittsburgh for well over a year. Some Teslas are already driving in autonomous mode in certain areas, sending information back to the company's nerve centre, in a 'hive mind' that allows other cars to effectively learn the roads.
Connected cars are quickly becoming the ultimate symbol of the Internet of Things (IoT) era. However, it's critical to consider the serious cyber security implications. Unlike the other cyber security conversations we've had, this one is not just about the bits and bytes of the corporate network. It's about a very real threat to our personal safety.
The controlled, white-hat attack on a Jeep Cherokee in 2015, where hackers took control of the car's digital systems, proved to be a pivotal moment in car cyber security. That incident led to the recall of 1.4 million Jeeps, so that a software patch could be installed.
But as cars become more sophisticated and more connected to the Internet, their attack surface grows. Cars will become increasingly interwoven into other areas of our life – making payments at parking lots and fuel pumps, syncing with our calendars, booking restaurant tables or plane tickets, or simply communicating with our colleagues and friends to inform them if we're going to be five minutes late.
Complicating matters further, we may not even own the whole car. Many industry analysts are now envisaging a future where three major forces will collide: autonomous driving, ride-hailing (such as Uber and Lyft), and car-sharing ownership models. As our cars sit in parking bays and garages 95% of the time, for many it's an attractive idea to share their self-driving car with others, and then send it out to make some extra money as an Uber car whenever it's not needed!
Our cars will know more and more about us. Some auto manufacturers are designing connected cars with in-vehicle video capture capabilities, biometrics, and advanced data collection. While this may all be with enhanced customer experiences in mind, it raises the question: what if the manufacturer's systems fall prey to a malicious hack?
Securing the connected car
Addressing connected car security, and shoring up all of these potential attack vectors, will be an incredibly complex task. While there is no 'silver bullet', connected cars can become well-protected, but it will require an orchestrated effort from a number of role-players:
* Auto manufacturers, security vendors and connected car platform providers need to work closely from the very earliest stage of a car's development, through the manufacturing process, and into the testing and roll-out phases.
* Security is an ever-evolving discipline and always a moving target, so connected cars should support over-the-air software updates that deliver the latest patches and bug fixes.
* Car producers must set appropriate parameters for safety – such as defining what a vehicle should be allowed to do with its connectivity under different conditions, and enabling over-ride features that allow the driver to quickly regain manual control.
* The basics of information security still apply: hardening your access points, monitoring for malware and illegitimate traffic, subdividing the network into security zones, encrypting communications and more.
* Role-players should create standardised protocols for third-party connected car application providers – to give drivers the widest array of features, but in a fully secure manner.
* Local lawmakers must formalise the regulations governing how manufacturers defend their vehicles from hackers, and how they protect personal driver information.
With every new generation of connected car, we'll see increased integration with cloud-based systems, artificial and predictive intelligence, vehicle-to-vehicle communication protocols, and on-board sensors and cameras. Security must be tightly knitted into the fabric of these services, if the dream of connected cars is to become a reality.