
Automotive Cyber Security

Connected vehicles have numerous potential benefits for convenience, safety, travel time and access to mobility, and the features that deliver these have become essential selling points. Advances in autonomy will increase the number and types of connections and travellers’ reliance upon them. In 2020, most new vehicles are connected vehicles and many have online connections to safety-critical systems, putting them at risk of deadly hacks. It’s not clear that the automotive industry is fully equipped to deal with this and they may even be deceiving the public about their lack of preparedness.


In response to these challenges, the new UNECE WP.29 type approval regulations for cybersecurity and over-the-air (OTA) updates enter into force in January 2021. The cybersecurity management standard ISO/SAE 21434 “Road Vehicles – Cybersecurity Engineering” is also hotly anticipated next year. But is the industry ready?

Stepping up in this connected world is a major challenge for the established automotive industry and Intelligent Transport Systems (ITS) providers. A number of these challenges can’t be solved without addressing deep-rooted issues such as reluctance to collaborate, a lack of specialised security talent, and engineering processes that don’t consider security throughout the lifecycle.


The ARTS TN have organised a webinar on Automotive Cyber Security on 21 October 2020 at 11.00hrs BST. Ahead of the webinar we’d like to hear your views on the following questions:


•    How well are automotive and ITS businesses positioned to deal with security in their products and services? 

•    What do the various industries need to do to create conditions where security can be assured by design throughout the lifecycle of their products and services? 

•    What are the gaps, how big are they, and what capabilities are needed to address them?


If you have other questions that you’d like to post here, we will also consider these for discussion by our experts in the Q&A panel during the webinar.

  • I'm looking forward to hosting this event next week and the discussion here in the meantime.

    Please do let us know how you see the industry responding to the challenges of security, and if you're not sure then why not propose a question for the panel?
  • As an outsider to the automotive industry, it's appeared to me that one of the big issues may be that the very high focus on commercial confidentiality could prevent effective independent review of, e.g., cyber security measures. This is not to suggest negligence or a lack of competence in the companies concerned, just that as the issues become more complex and the risks higher that a cross industry collaborative and open approach is needed - as all safety critical industries have found over the last 30-40 years. I'd be interested to know whether this is actually an issue, and if so whether the automotive industry accepts that it is an issue (two slightly but critically different points!) This equally relates to autonomous automotive systems.


    Thanks,


    Andy


  • It's a very good point to make, Andy. From my observations, it's not only independent review that is an issue, it's also a problem between companies working together. It's very difficult to build the big picture. There's an interesting paper by one of my fellow PhD students at Coventry "Cybersecurity threats in the auto industry: Tensions in the knowledge environment" https://www.researchgate.net/publication/341610540_Cybersecurity_threats_in_the_auto_industry_Tensions_in_the_knowledge_environment which has some revealing insights about the lack of a collaboration culture.

    The UNECE WP.29 regs, supported by ISO/SAE 21434 will be a much needed focal point, as industry has been desperate for something to coalesce around on these issues. 21434 will specifically require that "A cybersecurity audit shall be performed to independently judge whether the organizational processes achieve the objectives of this document" and the DIS has been out since February, but I suspect this won't hit home until the standard is in force. It's going to be a steep learning curve for the manufacturers, the independent reviewers and the regulators. I'm involved in the development of ISO PAS 5112 currently, which is an auditing standard tied to 21434, but it's early days for that and it won't be a full standard. One of our speakers, Paul Wooderson, will be talking more about this at the webinar.
  • We had a wonderful response to this webinar, many thanks to our speakers and the 381 people who joined us live from 32 different countries. The recording will be available on demand soon and we'll post a link once available.


    There were lots of questions from the audience that prompted a lively discussion. We didn't have time to answer everyone's questions live, but our speakers have kindly agreed to answer some more here. First up we have some answers from Paul Wooderson of HORIBA MIRA.

    Q: What framework will UNECE WP.29 use (for compliance demonstration) before 21434 is issued?

    Paul: 
    ISO/SAE 21434 is widely seen as a key way of implementing the requirements of the regulation and demonstrating that they are met. However there is no formal reference to ISO/SAE 21434 or any other standard or framework in the regulation itself; rather it allows any appropriate means to demonstrate compliance. Therefore vehicle manufacturers can use evidence of following ISO/SAE 21434 or appropriate combinations of other standards to demonstrate that they meet the regulation's requirements.

    Q: Should ResiCAV software be installed in the car? Or does it run on a PC?

    Paul:
    ResiCAV is not software specifically but the project looked holistically at the challenge of achieving cybersecurity resilience. This included examining the technical and economic feasibility of solutions and methods that involve both in-vehicle and off-board aspects, as well as the capabilities and facilities that are required for the UK to develop, validate and operate these solutions.

    Q: I am "lucky" enough to own a top USA brand of car that is leading autonomous driving. I am not sure the frequent updates have appropriate quality control since they fix one thing and break another. As a driver I'm not sure I would know my car was secure or indeed had been compromised? The pace and drive for commercial advantage feels way in advance of regulation. Who is holding suppliers to account?

    Paul:
    This is indeed a challenging area in which the pace of technological change is greater than the speed at which regulation can keep up. The introduction of the new UNECE regulations for cybersecurity and software updates means that adequate cybersecurity and safe and secure software updates are now a condition for getting new vehicles type approved for use in regions that adopt the regulations. This is an important step, although the pace differential of course still remains. Within the constraints of current regulatory frameworks, the new regulations do require ongoing monitoring, detection and response to emerging threats, although in the future more dynamic forms of assurance and regulation are likely to be required.
  • ARE, it's an interesting question. I'm not sure who you're addressing the question to, so assuming that 'you' in "What advice, if any, have you sought" refers to the automotive industry. I'm not sure how well I can answer it, so hopefully others will chip in.


    In the case of Automotive Cybersecurity, the issues we're discussing relate in large part to risks associated with increasing remote connectivity, for example over Wi-Fi, Bluetooth, cellular, Dedicated Short Range Communication (DSRC) and more. Physical connections to the vehicle are also considered, of course, but most attackers would prefer a remote exploit. My understanding of avionics is limited, but I'm not sure that these concerns are usually relevant in fly-by-wire. My understanding of fly-by-wire systems is that they are typically air-gapped on-board systems that cannot be remotely accessed. This would probably make a more established functional safety focus more relevant to fly-by-wire. There are many parallels between the industries' functional safety standards, which are DO-178C (aviation) and ISO 26262 (automotive).


    There is certainly cross-pollination in the industries' respective cybersecurity standards. SAE International is a leading standardisation body which publishes SAE cybersecurity standards in both sectors. ISO and SAE are jointly developing the new automotive cybersecurity standard, ISO/SAE 21434. I'm not sure exactly how much interaction there is between automotive and aerospace committees though. In the UK the Safety Critical Systems Club has a Security-informed Safety working group, which aims to "capture cross-domain best practice to help engineers find the ‘wood through the trees’ with all the different security standards, their implication and integration with safety design principles..." If you wish to pursue the question further, I'm sure they would be a good group to approach (contact details at the link)


    In 2018, the IET Rail, Aerospace and ARTS Technical Networks organised a cross-industry "Cybersecurity in Transport Seminar", so events are happening to share best practice. How much collaboration results from such meetings is very hard to gauge, but it would be interesting to know.


    So there is certainly cross-industry discussion and learning, but I'm not sure exactly how much aerospace cybersecurity standards and practices have influenced those in automotive. It would be interesting if anyone can quantify how much influence there is.
  • Here are some further responses to questions we didn't get around to answering on the forum. This time Aileen Ryan from UltraSoc/Mentor has responded.

    Q: Your growth figures appear to assume personal vehicle ownership. What is the incentive of vehicle ownership where the 'pleasure' of driving the vehicle is removed? Is there not a fundamental flaw in the reasoning behind use of autonomous vehicles?
    Aileen: Growth figures come from the McKinsey report.

    Q: To what extent do analytics increase the attack surface? How can this be mitigated?
    Aileen: There are a number of layers to this answer. 1. The embedded analytics system comes with its own security capabilities using a combination of locks and gateways to validate and authorise access. The exact implementation mechanism is typically decided by the customer and typically they link it with other security mechanisms that they are using within their existing architecture. 2. The embedded monitoring system is designed to be generally non-intrusive. It does not share messaging fabric with the functional part of the SoC. 3. Attacks on actual hardware are seldom seen today as usually they require a lab environment and specialist equipment (i.e. they are not practical to execute). Of course this could change in the future.

    Q: Any thoughts on early warning system for these technologies to minimise harms. 
    Aileen: Yes, this is exactly the kind of capability that this technology enables - the ability to see problems faster than any other possible solution, and, at a minimum, raise an alarm (early warning) or better still, take steps to mitigate the risk "at hardware speeds" if possible.
  • We've now had responses from David Evans, IDIADA, to the remaining questions that we didn't get around to covering on the webinar.

    Q: Why does the communication technology have to be vehicle specific? Why not utilise the user's mobile phone for the connection method?
    David: The mobile phone does not have the same level of access to the vehicle's internal network, you could argue that a phone could be connected (e.g. Bluetooth) and act as a 'gateway' but that doesn't really help with the benefits that peer to peer (ad hoc) communication with nearby vehicles can do... Possibly 5G will make this possible, but I think introducing a mobile phone into a potentially safety critical part of the vehicle could cause more problems.


    Q: Do you consider the current Internet architecture to be reliable for V2X? Or do we have to create an "Internet of the Future" for that?
    David: It's a complex challenge and an increasingly growing market, I would argue there's probably more IoT devices deployed than vehicles on the road. It's certainly a challenge for the supporting infrastructure, and there's a lot of work being done on projects like H2020 C-Mobile + C-ROADS on this type of activity.

    Q: Are the CAM and DENM protocols free software? Where can I find to do some tests?
    David: The latest specifications for CAM and DENM are available here and in this location as well.

    Q: Will the V2X technology require bespoke legislation and how does / will that affect the design and development of the system? Has current legislation hampered what you would like to include within the system?
    David: Possibly, with the introduction of new regulations for automotive cybersecurity / Over the air updates it has to be considered. You get into an interesting point about sharing GPS data with nearby infrastructure (as needed by ETSI ITS G5 CAM message), you cross a line whether you share this information with the overarching road authority to help improve the traffic and (potentially) safety benefits.

    Q: Why are you sending a false vehicle position?
    David: The whole basis of CAM (and other V2X messages) was to share 'where you are' and 'where you are going' with other nearby vehicles + infrastructure to enable safety applications. GNSS has been demonstrated countless times to be susceptible to attacks and vulnerabilities and I wanted to show a simple example where this could be manipulated somewhere in between the vehicle's GNSS module and the V2X module within the vehicle. In the case of the SecureIoT project, a vehicle insurer may be interested in knowing what you were 'telling' other vehicles at the point of a crash, or otherwise, to better understand an accident.

    Q: Given the existing vulnerabilities around GPS, 4G, WiFi etc., has the automotive industry already seen cyber-attacks? When do we anticipate the tipping point? When will automotive cyber-attacks become more prevalent?
    David: I believe there have been several attacks publicised, the attack on the Jeep Cherokee by Miller and Valasek is possibly the most well-known (www.wired.com/.../). We're seeing a lot more Linux based OSes in vehicles now, I've seen several lower end vehicles using open source libraries (e.g. to display a picture from a memory card) of which vulnerabilities have been discovered several years into the vehicle's production run. It's a constant challenge for the automotive industry, and hopefully with the introduction of ISO/SAE 21434 + regulations from UN ECE, this will be a positive step towards accountability and clear responsibility to address these issues when discovered.

    Q: I thought SATNAV uses GPS tracking which is classed in this case as personal data.
    David: Yes, but you're using that service (and presumably provided consent for this). In the case of V2X, will this be mandated that a vehicle 'must' use this (and as a consequence) share information (anonymised or not) with nearby infrastructure and other vehicles?


    It would be good to see your further comments on these posts. 


    If you didn't manage to register for the webinar, you can still watch it OnDemand.
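
As an illustration of the false-position answer above, a receiver can test whether each reported position agrees with the speed and heading the sender reported in its previous message. This is an added example, not code from the thread, the webinar or the SecureIoT project; the `Cam` record is a simplified stand-in with assumed field names rather than the ETSI encoding, and the track is constructed sample data.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000.0

@dataclass
class Cam:
    """Simplified CAM-like record; field names are assumptions, not the ETSI encoding."""
    t: float        # generation time, seconds
    lat: float      # degrees
    lon: float      # degrees
    speed: float    # metres per second
    heading: float  # degrees clockwise from north

def distance_m(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in metres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    h = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))

def dead_reckon(msg, dt):
    """Where msg's own speed and heading put the sender after dt seconds."""
    d = msg.speed * dt
    north = d * math.cos(math.radians(msg.heading))
    east = d * math.sin(math.radians(msg.heading))
    lat = msg.lat + math.degrees(north / EARTH_RADIUS_M)
    lon = msg.lon + math.degrees(east / (EARTH_RADIUS_M * math.cos(math.radians(msg.lat))))
    return lat, lon

def implausible_positions(track, tolerance_m=5.0):
    """Return (index, error_m) for messages whose position disagrees with the
    previous message's speed and heading by more than tolerance_m."""
    flagged = []
    for i in range(1, len(track)):
        prev, cur = track[i - 1], track[i]
        dt = cur.t - prev.t
        if dt <= 0:                      # replayed or reordered message
            flagged.append((i, float("inf")))
            continue
        err = distance_m(*dead_reckon(prev, dt), cur.lat, cur.lon)
        if err > tolerance_m:
            flagged.append((i, err))
    return flagged

def sample_track(shift_from=3, shift_m=200.0):
    """Constructed data: 15 m/s due north at 1 Hz, position shifted east from shift_from on."""
    lat, lon, track = 52.4068, -1.5197, []
    shift_deg = math.degrees(shift_m / (EARTH_RADIUS_M * math.cos(math.radians(lat))))
    for i in range(6):
        track.append(Cam(float(i), lat, lon + (shift_deg if i >= shift_from else 0.0), 15.0, 0.0))
        lat, _ = dead_reckon(Cam(float(i), lat, lon, 15.0, 0.0), 1.0)
    return track
```

On the constructed track only the message where the position jumps is flagged; the messages after it are self-consistent again, so a receiver that wants to validate absolute position also needs an independent reference such as its own ranging sensors.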
  • I'm looking forward to the second webinar in our series on Automotive Cybersecurity which is coming up on Thursday, 28 January at 11.00 GMT. Professor Shaikh, Coventry University & Peter Davies, Thales will discuss how the industry must adapt, how it does security to align with what research says is needed + live Q&A.


    We've also between the two webinars recorded this Hot Topic Video on Automotive Cybersecurity on the opportunities & risks of Connected Vehicles. The ARTS TN would like to record a vote of thanks to Horiba-MIRA Engineering for their support and IET.tv for helping to create this video during the pandemic.


    I hope you enjoy watching the video and please feel free to share your comments on this below.


    Also if you have any questions that you'd like to post here, we will also consider these for discussion by our expert panel in the live Q&A panel during the webinar.

  • That's an interesting point Deborah, I can see all sorts of problems from the security point of view for electric vehicles, although I do think theft could be stopped, as we have seen these keyless cars aren't immune either, where scanning/capture devices are used. Given that black boxes are now being installed for lower insurance premiums, it strikes me that any stolen car can be tracked quickly, or even deactivated. However as ever, I am not keen on the over cyber controlling of vehicles, and driverless cars have got major problems, one scenario I could think of, is the hijacking of controls, by hacking the sensor controls. I don't know but car makers have got to think this through, and my guess is a physical security system, can only achieve this.
  • Hi Helios - thanks for your observation.  We had an excellent webinar this morning with lots of questions from delegates.  We'll be liaising with the speakers to try and get answers to the questions that we didn't have time to cover on the webinar.