Reacting to the new reality that cars are now potentially vulnerable to cyber-attacks, the UK government has issued guidance intended to ensure engineers developing smart vehicles include cyber-security at the design stage that assumes hacking as a threat.
The guidelines are aimed at everyone involved in the manufacturing supply chain, from designers and engineers, to retailers and senior level executives. They include a series of key principles for use throughout the automotive sector, the CAV and ITS ecosystems and their supply chains – drawn up by The Department for Transport, in conjunction with Centre for the Protection of National Infrastructure (CPNI).
The guidlines comprise:
Principle 1 - organisational security is owned, governed and promoted at board level
Principle 2 - security risks are assessed and managed appropriately and proportionately, including those specific to the supply chain
Principle 3 - organisations need product aftercare and incident response to ensure systems are secure over their lifetime
Principle 4 - all organisations, including sub-contractors, suppliers and potential 3rd parties, work together to enhance the security of the system
Principle 5 - systems are designed using a defence-in-depth approach
Principle 6 - the security of all software is managed throughout its lifetime
Principle 7 - the storage and transmission of data is secure and can be controlled
Principle 8 - the system is designed to be resilient to attacks and respond appropriately when its defences or sensors fail
Transport Minister Lord Callanan commented: “Our cars are becoming smarter and self-driving technology will revolutionise the way in which we travel. Risks of people hacking into the technology might be low, but we must make sure the public is protected. Whether we're turning vehicles into wifi connected hotspots or equipping them with millions of lines of code to become fully automated, it is important that they are protected against cyber-attacks.”
Mike Hawes, Society of Motor Manufacturers and Traders chief executive, issued a statement saying: “We're pleased that government is taking action now to ensure a seamless transition to fully connected and autonomous cars in the future and, given this shift will take place globally, that it is championing cyber-security and shared best practice at an international level. ... A consistent set of guidelines is an important step towards ensuring the UK can be among the first – and safest – of international markets to grasp the benefits of this exciting new technology.
The government will continue to support and work collaboratively with industry to make sure vehicles are protected from cyber-attacks. The guidance principles published today will form a key part of these discussions .
Mark Noctor, VP EMEA at Arxan Technologies, emailed SC to comment: “A major cyber-attack on connected vehicles would take a terrible toll on human life, so the security guidelines published by the UK Government on Sunday are an important step in securing this emerging technology.
“The communications and entertainment systems are particularly vulnerable to attack, and can be reverse engineered to access the API libraries that facilitate data sharing between systems. From here attacks can even inject malicious code into the electronic control units (ECUs) and controller-area-network (CAN) bus, which control critical systems such as electric steering and braking.
“Preventing application code from being accessed and tampered is one of the biggest priorities in protecting a connected vehicle, and it is encouraging to see the government's guidelines specifically list the ability to protect code and ensure its integrity as key principles. Manufacturers must deploy code hardening measures to prevent attackers from accessing their source code and removing vital data such as cryptographic keys which can be used to access other systems. Anti-tampering measures should be hidden in the code to alert them if the code has been changed, and prevent systems from starting if alterations are detected.”
Russell Goodenough, client managing director: Transport Sector, Fujitsu also issued a statement supporting the move, saying, ““These cyber-security principles are an extremely positive development. .... The issues of security and data privacy are crucial: we have already seen numerous cases of road signage and connected cars being hacked, and as autonomous vehicles become more commonplace there could be a very real threat to the public. In addition, the entire connected cars supply chain must work with others in the transport sector to ensure that security is built in from the ground up, to deliver security, integrity and peace of mind.
“There are also other questions about how exactly we want autonomous vehicles to fit into our society and national transport architecture. .... all stakeholders in the transport sector must begin to have these conversations now but these cyber security principles are a welcome first step.”
Noctor agrees the move is just a first step, then goes further, to add, “We would like to see the government take a step beyond guidance and make security measures such as these enforceable by law.”
While the industry was supportive of the intent behind the moves, in an email to SC, David Barzilai, chairman and co-founder, automotive cyber-security firm, Karamba Security did add that, “...in one area, we don't feel these guidelines go far enough toward effectively preventing car hacking. Cars are not servers or mobile phones that can sustain the risk of hidden security bugs. The time it takes to remediate such bugs in production, while hackers exploit them and create damage, can compromise consumers' safety.
“Cars enter production with thousands of hidden security bugs. It is unavoidable, as all software has bugs, and cars have between 10 million to 100 million lines of code, in each car. As autonomous cars get more sophisticated and as more human navigation tasks, such as looking around and steering, move to the car, the danger increases. Hackers can hack into a car through its internet-connected features such as the vehicle-to-vehicle (V2V) communications system, and once in, they can work their way into the rest of the car's controls.
Barzilai concludes, “However, cars have a significant cyber-security enabler, which should not be overlooked. Cars should run as they operate in-factory. Any unauthorised change to factory settings must be malware. Hardening the car's externally-connected controllers according to their factory settings, prevents cyber-attacks, when hackers try to exploit security bugs, before hackers succeed to infiltrate the car, and without sending frequent security patches to the field. Hardening the car controllers according to their factory settings enables the industry to deterministically block hackers out of the car."