Why OEMs need to pay attention to security in the connected car

Lars Thyroff discusses the importance of best practices for intelligent digital security in a connected car to enable trust in the device, data and network.

Lars Thyroff discusses the importance of best practices for intelligent digital security in a connected car to enable trust in the device, data and network.
Lars Thyroff discusses the importance of best practices for intelligent digital security in a connected car to enable trust in the device, data and network.

The automotive industry is fast becoming a hotbed of innovation, with much discussion and debate around the connected car. On one side, advocates espouse the benefits of adding IP connectivity to cars, citing advantages such as: reduced emissions, improved safety, enhanced driving pleasure through enriched services and convenience.

On the other are those who feel that in the race to add IP connectivity to cars, homes and cities, digital security is often overlooked. In fact, a recent survey by VDC Research showed that while almost 70 percent of OEMs said security is important to design, only 30 percent indicated that they made changes in people, processes or tools to improve it.

In today's cyber-climate, this is very worrying, especially when it comes to something as serious as a connected car. For example, imagine driving down the road when all of a sudden the car goes haywire – the radio blares, the windshield wipers hit full speed, the steering wheel is controlled by an unseen force and the car starts pumping its own brakes. Were connected cars to be introduced today, without the appropriate security infrastructures in place, this is a very possible scenario, demonstrated recently by the Jeep hack reported in WIRED.

Securing the connected car

Fortunately, these warnings are being heeded, with legislation already proposed that has been designed to curb the threat of car hacks and establish new standards for digital security.

Just as someone wouldn't build a home without a solid foundation, car-makers, developers and OEMs are realising the necessity to start connected device designs with intelligent security architecture as a foundation to enable trust - in the device, the data, the network and the ecosystem. This security by design approach enables trust in the connected world, which underpins a secure, sustainable and successful Internet of Things ecosystem.

The auto industry and industrial IoT developers need to approach connectivity with the same intelligence as IT system integrators and realise that the software running cars and devices is a source of potential threat just like hardware components. Fortunately, they can learn from sensitive industries such as banking and healthcare that have used digital security technologies successfully for decades.

Examples of proven best practice include:

Risk evaluation – Developers need to undertake early comprehensive risk evaluations to implement security architecture across the entire connected device ecosystem – from the hardware components that enable connectivity, to the software running the device, and out to the communication channels it uses.

Security by design – Security is a fundamental aspect that needs to be addressed at the start of the development phase. It has to be integrated into the hardware and software layers from the onset of design rather than as an afterthought.

End-to-End trust points and countermeasures – Developers should follow a few guiding principles for implementing end-to-end trust points and countermeasures to mitigate threats:

·     Protect the device with tamper-proof hardware and software. For example, embedded Secure Elements are implemented to add a layer of physical and digital protection against intrusion and to store credentials and data in a dedicated, secure platform.

·     Encrypt and sign the operating software to protect against attack. Encrypted software is useless without the keys and an electronic signature will ensure that only validated software is running on the IoT device!

·     Implement strong authentication and encryption solutions to ensure only authorised people and applications are granted access to the IoT solution infrastructure.

·     Securely manage encryption keys to protect data and manage access to connected systems.

It's essential to remember, that ultimately OEMs need to promote a feeling of trust in the connected car. When consumers make purchasing decisions, the three key considerations they base them on are: ecological, emotional and safety. To-date, the safety question has centred on the physical aspects such as: side impact protection systems, crumple zones and airbags. However, with cyber-attacks affecting everyone from the US government to dating websites, cyber-security is now an issue at the forefront of everyone's mind – and with connected car hacks now becoming commonplace – the connected car is no different.

Although consumers want to take advantage of the benefits offered by the connected car, they do not want them at the expense of their security or privacy. Only by taking these measures and ensuring security is at the heart of the connected car will OEMs appease consumer concerns, which are now not just around whether someone will break into their car, but the possibility of them interfering with it while they are driving, putting their safety at risk. Only by addressing these concerns will they gain consumers trust and persuade them to buy into the concept.

Contributed by Lars Thyroff, VP of Automotive, Gemalto