Cyber security: an industry-wide problem that needs an industry-wide solution

The automotive industry is in need of a solution to a future problem: cyber attacks could come from any quarter, and the solution appears to lie in collaboration with other industry stakeholders and with other industrial sectors. Rachel Boagey investigates

Although previously a strategic choice by those who were ahead of the game, building security into the connected car to protect it against cyber attacks is now becoming a necessity for all OEMs.

In the current automotive landscape, software is beginning to take over many automotive applications, making the car ever more vulnerable to outside threats. But car companies are not software companies, and without a background in security, how can they possibly design adequate security into their vehicles?

With a little help from my friends

John Ellis, Principal at Ellis & Associates and formerly Ford’s Global Technologist and Head of the Ford Developer Programme, explained to Megatrends that the automotive industry needs to look to other industry verticals and experts if it is to make the connected car secure. “The vehicle isn’t just a car any more, it is the car plus the smartphone plus the Cloud. Suddenly the manner in which the data was stored or protected is not simple. So how can the industry cope?”

Someone else who believes in the importance of industry collaboration to protect and secure the connected car is James Moar, Research Analyst at Juniper Research. Moar believes that companies are putting work into fixing vulnerabilities in their systems before they get to the consumer but that in an ideal world, they should work together to increase their chances of protecting the car from cyber attacks. Speaking to Megatrends, Moar noted, “Collaboration is an ideal situation, but it is difficult to engineer. While cyber security is now an omnipresent issue, trying to achieve collaboration where company-level security is sufficient would be wasted energy.” However, Moar also believes that information sharing via specialist third parties such as cyber security firms is key. “That way information can be spread to where it is needed, rather than requiring broad standards.”

Previously Chief Technical Officer at Ford, Paul Mascarenas was appointed in June as FISITA President for a two-year term, alongside his recently acquired role as a member of the Board of Directors at ON Semiconductor, an automotive semiconductor supplier. Megatrends spoke to Mascarenas about his views on how the industry can secure the connected car. He explained, “Ensuring the highest levels of automotive security does require collaboration between auto manufacturers, network providers, content providers and other interested parties. Several relationships already exist, facilitated by organisations such as SAE International, USCAR and the Alliance of Automobile Manufacturers. Although no common solution exists across the industry – that complexity may in itself provide additional robustness – there is much to be gained from sharing information in a non-competitive environment around potential threats, including the likelihood of such attacks, the vulnerability or risk level involved and the possible consequences.”

A secure ecosystem

As intelligent transportation systems (ITS) are increasingly developed, where vehicles are in communication with each other and the infrastructure, Mascarenas believes “that this is where collaboration becomes even more important as the threat to a particular vehicle could come from elsewhere on the network.”

Ellis agrees, explaining that even if one other OEM is vulnerable, this could still cause problems and vulnerabilities for the ecosystem. “Even if one company is absolutely perfect and makes sure that its cars are never in any way shape or form vulnerable, the fact that infrastructure systems might be vulnerable can still potentially cause problems for them. The industry is vulnerable until all the industry is not vulnerable. And the only way to ensure the industry – that is, the vehicles and the infrastructure – is not vulnerable is through collaboration.”

Building it in from the ground up

The challenge within the industry in securing the connected car could boil down to the ‘us versus them’ mentality that currently divides the open source community and the automotive community. However, industry analysts believe that this traditional attitude must change as the car is equipped with more software.

Nexor is a UK-based cyber security company with expertise in the defence and intelligence sectors. The company is passing its cyber security know-how on to the automotive industry through a recent collaboration with an automotive Tier 1 to support the company’s infotainment systems and make sure it is offering a secure system to its automotive customers. “Collaboration is vital to build security frameworks and security models,” explained Nexor’s Innovation Director, Colin Robbins. “The last ten years has shown us that security needs to be designed and built by experts and the way experts do it is by using things that they know work and are tried and tested.”

Vulnerabilities are brewing

Robbins relates the current direction of the connected car to the connected kettle. “The kettle connects to your iPhone so that when the alarm clock goes off in the morning, your kettle boils. It’s a great idea in principle, but the kettle now has complete wireless access to your Internet at home. They may be great kettles, but they were not made by security engineers, and so open up the home Internet to potential malicious attacks,” he explained. Robbins therefore notes that security needs to be designed by security engineers: “It’s important that this message is translated across to the automotive industry.”

Standards, frameworks, methodologies

Not every company can become a security expert, explained Robbins, who also suggested that security engineers such as Nexor need to lay out a framework by which the industry needs to abide. “Standards are critical here, rather than everyone starting afresh on something completely proprietary. As this technology moves forward, there’s going to be a greater demand. Building in security is becoming critical, and this is going to come through standards,” he said.

At the GENIVI Alliance’s Open Automotive ‘15 event in Stuttgart, the topic of the connected car was high on the agenda – but how to protect it was even more so.

Working together requires a change of thinking, and at the event, Georg Doll, Vice President of Automotive at Wind River, said he believes that tackling cyber security problems will not happen overnight. “To stay one step ahead of security threats to the connected car, OEMs need to work together with different players. With this collaboration, an ecosystem can be established.”

Also speaking at the event was Dr. Michael Müller from Argus Cyber Security, who believes that cyber security needs to be an on-going consideration throughout the lifecycle of the car; Müller, who is also the founder and Chief Executive of Magility, a management consultancy, noted that the industry may struggle to adjust to this change. “Many partners have to play together to develop a secure ecosystem,” he said. “They all have to be qualified in cyber security – not just the OEM.”

Ultimately, the future of the connected car is dependent on whether cyber security is acted upon in the correct way, and whether the industry will learn to collaborate to ensure this security. If the industry gets it right, the connected car will be a success; if not, the industry could potentially lose everything that connected car technology has to offer.

Rachel Boagey

This article appeared in the Q2 2015 issue of Automotive Megatrends Magazine.