In-car security systems not yet ready for autonomous driving

Automotive industry running to catch up with cyber-security issues ahead of releasing first autonomous cars onto nation's highways.

Google driverless car (Steve Jurvetson/Wikimedia)
Google driverless car (Steve Jurvetson/Wikimedia)

With the first autonomous vehicles expected to be on the market in 2017/18, the rush is on to harden in-car control systems against cyber-attacks.

That was the message at yesterday's Cambridge Wireless event at the Transport Systems Catapult in Milton Keynes which featured several speakers from the automotive and cyber-security industries.

Recent proof-of-concept attacks on connected cars has demonstrated the real-world vulnerability of these systems and how unprepared the automotive industry appears to be for the realities of cyber-crime.

In the US, the car industry has responded to the cyber-security threat by launching a new Information Sharing and Analysis Centre (ISAC).

Andrew Miller, chief technical officer at the Thatcham Research Centre, the not-for-profit  research facility funded by the insurance industry, told the conference that the first “Supercruise” or “Highway Autopilot” cars could appear on UK  highways in 2017 or 2018. But he warned that there are still “major concerns that the current architectures are not yet fit for purpose to provide the levels of security required”.

Miller said: “Our New Vehicle Security Assessment (NVSA) provides an international benchmark for the security of vehicles in any market, but insurers now require significantly improved on-board diagnostics security to extend physical security assessment into wireless connectivity security. This is a very complex area which requires the close cooperation of many stakeholders such as telecom and infrastructure providers.”

Mike Parris, head of the secure car division at SBD, specialist consultants in connected vehicle security, said there were enough scare stories about automotive security to focus the minds of the industry.

“With an absence of relevant cyber-security standards, the Automotive Secure Development Lifecycle (ASDL) is a seven-step inclusive framework that is agnostic of specific methodologies and is therefore globally applicable and applies across the whole connected vehicle ecosystem to manage cyber-threats in terms of safety, security and privacy. In addition, the trend towards integrating smartphones and related technologies into the car is presenting some very significant challenges for OEMs due to the differences in product lifecycles between the automotive industry and consumer electronics,” Parris said.

Peter Davies, technical director at Thales e-Security, told the delegates: “In the face of cyber-attacks it must be possible to understand how remediation may be rapidly applied. It is impossible to control the global attack surface and many of the techniques being discussed will in fact worsen the ability of distributed systems to defend themselves. Understanding what is reasonable, or semantically sensible, for a component of a certain type to be doing offers most promise in defending automotive security systems in a quantifiable way.”

Nick Cook, chief innovations officer at Intercede, a software company that specialises in identity and credential management, said the automotive industry would have to get to grips with the whole issue of digital trust before it would be able to realise the environmental, commercial and safety benefits of autonomous vehicles.

“It is critical that digital trust can be established and maintained via properly managed digital identities between components, systems and people. Without it the industry cannot hope to move from concept and trial to commercial implementation,” he said.

Automated vehicles is a huge opportunity for the UK automotive industry, said  Transport Systems Catapult programme director Neil Fulton. “But if the general public are going to embrace this new form of transport they need to be reassured that it is efficient, accessible and, above all, safe,” he said.

“Cyber-security is clearly one of the challenges that people currently have understandable concerns over, so we were really happy to host this event, which brought together so much expertise in this crucial area.”