Car makers and their suppliers already work hard to secure their vehicles. Now, the UN has given the industry a shared standard to guide what action they should take.
In 1982 New York became the first US state to force drivers and passengers to wear seatbelts. There was a lot of resistance from freedom-loving motorists. But the seat belt lobby held firm. They dismissed the libertarian argument as “the right to go through the windshield.”
But what was really remarkable about the decision was how long it had taken.
Car safety legislation moved slowly in those days. Although the benefits of using seatbelts were widely known from the 1950s, it took until 1968 for the US government to force car makers to fit them.
Today, the seatbelt question is settled. But there's a new safety issue for regulators to address: automotive cyber security standards. The good news is that the public is universally supportive this time. And the regulators are acting much faster.
They need to.
New vehicles have become data centres on wheels. Today’s cars support up to 150 Electronic Control Units (ECUs) and up to 100 million lines of code. As a result, data flows in and out of the vehicle from multiple sources.
There are already 107 million connected cars on the road.
Why are automotive cyber security standards important?
Every point of connection is a potential ‘in’ for hackers. At the most extreme end automotive cyber security risks can be terrifying – namely, hackers taking remote control of a vehicle. This is not just theory.
In November 2020, university researchers hacked into and stole a Tesla Model X in about two minutes. All they needed was a key fob, a Raspberry Pi and a replacement engine control unit. This kit cost around $200.
But the more likely threat is that bad actors will intercept car data for financial reasons. For example, installing malware into a vehicle’s operating system, and then demanding payment for removing it.
Regrettably, these attacks are already happening. Upstream Security reported a 605 percent rise in incidents since 2016. It says six in ten were carried out by criminals intending to disrupt businesses, steal property and demand ransoms.
Clearly, the automotive industry does take automotive cyber security standards seriously. Manufacturers are working hard to defend against threats, and bodies such as the Car Connectivity Consortium (CCC) provide a forum for sharing standards and insights.
However, what is really needed is a shared framework for measurable action by all participants in the value chain.
Experts have been saying this for years. In 2014, digital security specialist Craig Smith published The Car Hacker’s Handbook. In an interview with TechCrunch, Smith said: “The expectation is that the manufacturer has done proper security tests. But you need some method for third party review.”
UNECE WP.29 – the same automotive cyber security standard for everyone?
Which brings us back to those car safety laws. Since the 1950s, the United Nations has been involved in improving the safety of vehicles, passing regulations on seat belts, steering wheels, headlights and more.
The United Nations Economic Commission for Europe (UNECE) drew up new WP.29 regulations to do pretty much what Smith said – ensure all car makers meet clear performance and audit requirements before their vehicles hit the road. It says an ‘Approval Authority’ will vet participating manufacturers.
Observers believe this is a breakthrough moment.
In its 2020 report Cybersecurity In Automotive, McKinsey wrote in response:
The WP.29 Cybersecurity regulations were approved in June 2020. They give the automotive sector a framework to put in place processes to:
• Identify and manage cybersecurity risks in vehicle design
• Verify that risks are managed
• Make sure risk assessments are kept current
• Monitor attacks and respond to them
• Analyse successful or attempted attacks
• Review cybersecurity measures in the light of new threats
• Ensure security lifecycle management (across the development, production and post-production phases)
Heated car seats, air con, digital radio… automotive cyber security?
WP.29 regulations have already been adopted by the European Union. They will be mandatory for all new vehicle types in the EU from July 2022. South Korea and Japan have also committed.
It's a good start, given that the three regions produced 32 million vehicles in 2018.
With this directive, the UN is making automotive cyber security standards non-negotiable. The hope is that motorists will factor cyber security into their buying decisions – like air con or heated seats.
This shift is already happening.
In a consumer study by IBM, 62 percent of consumers said they would consider one brand over another if it had better security and privacy.
However, it’s also important to remember that good cybersecurity is not just a defensive measure. By reducing crime and boosting trust, car makers will accelerate the development of the new features and business models such as:
• Systems that let drivers easily rent a nearby car or grant a friend access to their own vehicle
• In-car detection systems
• Systems for altering lighting and temperature to improve driver alertness
• Systems that broadcast car position and speed to other connected vehicles to avoid accidents
• Automatic payments (without driver participation) for parking, battery charging, fuel and more
• Live journey planning to avoid traffic and find parking spaces
• Smartphone and voice integration
• Giving the driver control of in-car entertainment, links to smart home etc.
• Marketing alerts sent by local businesses to the in-car display
In fact, stakeholders are already testing some of these scenarios.
A good example is the NordicWay collaboration between public and private partners in Finland, Norway, Sweden and Denmark.
It is investigating ideas such as how to create ‘dynamic environmental zones’. This sends a signal to hybrid cars to switch to electric when specific limits are exceeded on pollution, noise, presence of vulnerable people etc.
What is automotive cyber security? It starts with 3 key vulnerabilities…
Clearly, the WP.29 regulations provide important benchmarks for stakeholders on automotive cyber security standards.
They give the ‘what’, not the ‘how’.
In other words, they don’t prescribe specific actions.
So how should the connected vehicle industry approach the challenge?
First, let’s establish where the vulnerabilities are. They can be grouped into three areas.
#1. The vehicle
To repeat, there are around 150 (and rising) Electronic Control Units in a connected car. The ECUs send data over the air or even via physical media (such as fobs and USB sticks). Any vulnerabilities here can be exploited by attackers.
#2. The communications layer
Vehicle data in transit provides another opportunity for hackers – leading to distributed denial of service (DDoS) attacks, spoofing and other data breaches.
#3. The application layer
Obviously, all this vehicle data has a final destination – from city authorities to entertainment providers to fleet owners and more. Strong cybersecurity is needed to ensure that only authorised entities can access the data, and that these stakeholders protect their own systems.
Security by design from car factory floor to the scrapyard
The above points show automotive cyber security does not stop when the car leaves the factory. It is needed throughout the entire vehicle lifecycle (up to 15 years).
And it extends to all participants in the value chain – not just the manufacturer.
For this reason, experts believe the best way to ensure car safety is with a security-by-design approach.
This means that every OEM and supplier must bake in security features, not retrofit them later. They should also have the ability to detect and react to attacks over time.
This process starts with a risk analysis, which lists all threats and vulnerabilities and the impact of any attack.
The next stage is to give every device a trusted digital ID. When there are trusted credentials, the system can recognise legitimate partners and spot attackers. For even stronger protection, these IDs can be held in a (physical) tamper-resistant Secure Element.
Finally, to protect the data, there should be end-to-end encryption of all communication at rest and in motion. This will render any stolen data useless.
So let’s look at how these principles should be applied in a connected car context.
• Give every ECU a secure identity
As we have established, the connected vehicle hosts multiple ECUs from multiple vendors.
To make sure the car is safe, manufacturers should give every ECU a diversified, random ID related to its serial number.
This secure ID can then authenticate the ECU throughout the vehicle’s lifecycle, granting access only to authorised users using Public Key Infrastructure (PKI).
The manufacturer must make sure that it selects only ECUs manufactured in a secure environment.
• Integrate the secure ECUs
OK, so the vendors have created secure ECU IDs. Now, it’s up to the vehicle manufacturer to integrate them all – and take ownership of who can access them.
Best practice at this stage is to change the ECU credentials so that only the car maker knows them.
• Maintenance and updates
As anyone with a smartphone knows, software needs to be regularly updated.
Cars are no different.
Let’s say an ECU needs a firmware upgrade. A good security-by-design process will issue temporary access credentials to the maintenance personnel doing the work.
It can also schedule regular over-the-air software updates – and enable new ones when fresh risks emerge or legislation changes (which will save money on factory recalls).
Finally, it will permanently deactivate all credentials at the car’s end of life.
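The lifecycle described in the three steps above, sketched as an added example (not code from the article or from any vendor): a per-ECU key diversified from the serial number, rotation to a car-maker-only key at integration, time-limited maintenance access and deactivation at end of life. It substitutes HMAC-SHA256 symmetric keys and deterministic derivation for the PKI certificates the article names, so that it runs on the Python standard library alone. `EcuRegistry`, `diversify`, `respond` and all key material are hypothetical names and constructed values.

```python
import hashlib
import hmac
import secrets
import time

def diversify(master: bytes, serial: str) -> bytes:
    """Per-ECU key derived from the serial: one leaked key exposes one ECU, not the fleet."""
    return hmac.new(master, b"ecu-id|" + serial.encode(), hashlib.sha256).digest()

def respond(key: bytes, nonce: bytes) -> bytes:
    """ECU side of the challenge-response: prove possession of the key."""
    return hmac.new(key, nonce, hashlib.sha256).digest()

class EcuRegistry:
    """Car maker's record of ECU credentials across the vehicle lifecycle (hypothetical)."""
    def __init__(self, oem_master: bytes):
        self._oem_master = oem_master
        self._keys = {}    # serial -> current ECU key
        self._grants = {}  # maintenance token -> (serial, expiry time)

    def integrate(self, serial, vendor_key, nonce, proof) -> bytes:
        """Check the vendor credential, then rotate to a key only the car maker knows."""
        if not hmac.compare_digest(respond(vendor_key, nonce), proof):
            raise PermissionError("ECU failed vendor credential check")
        self._keys[serial] = diversify(self._oem_master, serial)
        return self._keys[serial]  # written to the ECU over the provisioning channel

    def authenticate(self, serial, nonce, response) -> bool:
        key = self._keys.get(serial)  # None if unknown or decommissioned
        return key is not None and hmac.compare_digest(respond(key, nonce), response)

    def grant_maintenance(self, serial, ttl_s, now=None) -> str:
        """Issue a short-lived token for a workshop session on one ECU."""
        if serial not in self._keys:
            raise KeyError(serial)
        now = time.time() if now is None else now
        token = secrets.token_hex(16)
        self._grants[token] = (serial, now + ttl_s)
        return token

    def maintenance_allowed(self, token, serial, now=None) -> bool:
        now = time.time() if now is None else now
        grant = self._grants.get(token)
        return grant is not None and grant[0] == serial and now < grant[1]

    def decommission(self, serial) -> None:
        """End of life: drop the ECU key and every outstanding grant for it."""
        self._keys.pop(serial, None)
        self._grants = {t: g for t, g in self._grants.items() if g[0] != serial}
```

After `integrate`, a response computed with the vendor's original key no longer authenticates, which is the point of changing the credentials at integration.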
Responding to threats: the Security Operations Centre
Needless to say, good security-by-design will provide protection, but it will never completely deter attackers. For this reason, the connected car ecosystem needs to monitor and respond to threats as they occur.
To do this, stakeholders can set up a Security Operations Centre (SOC).
The SOC is a well-established concept in enterprise IT, but is relatively new in automotive.
SOC security operatives can analyse data from every part of the connected car ecosystem – from the R&D lab to assembly – in order to produce meaningful alerts. They can look for indicators of compromise – clues that show an attack may be imminent. They can then respond with countermeasures such as over-the-air updates.
2021 looks set to be an important year in the evolution of automotive cyber security standards – not least because of the UNECE WP.29 regulation.
As it is adopted across the industry, it should provide an important framework for all stakeholders.
And it might even provide a springboard for the exciting next stage of connected car innovation.
*McKinsey & Company ‘Cybersecurity In Automotive’ report 2020