Making certain that autonomous and connected vehicles are protected from cyberattacks could in turn create the platforms required for new mobility business models
Digital connectivity now touches upon almost every area of our daily lives. It has become an important part of automotive technology and wider transportation systems and it looks set to be an integral part of the automated vehicles of the future.
High-profile companies such as Waymo (Google’s self-driving car company) and Uber have made clear moves toward making autonomous vehicles a reality as quickly as possible. In addition, in the hope of not being out-done, some manufacturers (OEMs) are moving in the same direction. For example, General Motors president Jon Lauckner recently revealed that the organization would launch an autonomous vehiclein 2019.
Meanwhile, many consumers are looking forward to fully autonomous cars becoming a reality. So much so that they are treating current driver-assist functions as such – with fatal consequences. To date, two deaths and one serious accident have been recorded involving drivers using Tesla’s Autopilot function. In all three cases over-reliance on the system has been blamed. Nevertheless it illustrates that consumers are eager to use such technology, and given the potential benefits of it, this is perhaps unsurprising. What is more surprising however, is that regulators seem to share this enthusiasm.
In 2018, the California Department of Motor Vehicles announced that self-driving cars overseen by a remote human operator could be tested on public roads. In the UK, the government announced it wants driverless cars in operation on the country’s roads by 2021. The EU announced in May 2018 that it plans to develop rules for autonomous vehicle operation.
However, it is important to look at the state of current connected transportation security before potential business models are explored. This technology cannot safely become a reality without robust cybersecurity in place.
Securing the environment
The simple fact is that there are always vulnerabilities present in connected systems – and connected and autonomous cars are no different. Hackers continuously evolve
their attack strategies and have exploited vulnerabilities to access vehicle electronic control units (ECUs), controller area network (CAN) bus systems, intelligent transportation systems (ITS) and even automotive apps through the cloud. Potential attacks include man-in-the-middle and man-at-the-end attacks, remote and in-vehicle tampering, and reverse engineering.
These security concerns must be addressed by the industry and this is made even more important by the fact that an awareness and level of concern does indeed exist among consumers about the security risks associated with connected and autonomous vehicles (CAVs). Irdeto’s recent Global Connected Car Survey of 8,354 consumers across six countries (Canada, China, Germany, Japan, the UK and the USA) found that 85% of consumers believe connected cars could be targeted by a cyberattack and nearly half do not plan to buy one in the future.
A starting point for OEMs therefore, is to conduct a threat assessment of the cars, which could help to establish what position they are in within the vehicle-to-everything (V2X) ecosystem in terms of security, as well as what the weaknesses and risks are, and if action should be taken. This process would be educational for OEMs because security factors are likely to vary from product to product.
Organizations should then adopt an in-depth defensive approach to cybersecurity. This approach would involve many layers of security being implemented throughout the transportation network, rather than simply protecting systems from the outside-in, which
is also known as perimeter security. An in-depth security strategy would incorporate run-time integrity verification – which is crucial in mitigating threats like ransomware in the automotive field. With this strategy, even if the hacker found a way to penetrate the perimeter, they wouldn’t be able to hold the car hostage.
As the number of CAVs increases, the ways in which automobiles and infrastructure communicate is also increasing. This means that protection of only the vehicle is not enough. OEMs must also consider the entire connected vehicle ecosystem, including the security of the roadside units in V2X networks. OEMs will not be able to rely solely on the security of the communication itself, as the attack may be on the receiver of the communication – the end point.
Regulations and defense
It’s no surprise then that governments globally have realized the critical importance of security when it comes to CAVs and as a result, they are now taking action. In the second half of 2017, the US government set out to develop cybersecurity standards for CAVs with draft legislation in the form of the AV Start Act and the Self Drive Act.
In addition, toward the end of 2017, the UK government issued guidelines for the security of connected cars. These guidelines mirror those set out by the USA’s National Highway Traffic Safety Administration (NHTSA) and look to be based on the industry best practices outlined in the J3061 Standard (Cybersecurity Guidebook for Cyber-Physical Vehicle Systems) from the Society of Automotive Engineers (SAE) International. These guidelines bring together security knowledge from other industries as a starting point to help the automotive industry.
Guidelines however are just the beginning. There is no doubt that governments will have to expand these legal frameworks in the future to include V2X security requirements, otherwise the adoption of such technologies will be slowed down, which means achieving autonomous driving will be delayed as well.
In the meantime, to complement legislation, a strategy is needed where OEMs, Tier 1 suppliers and IT service providers work together to define cybersecurity solutions, and more importantly, to understand vulnerabilities seen from hackers’ perspectives. Such understanding will then have to be put into practices in the form of new regulations and laws.
The business model shift
Beyond legislation, safety and cybersecurity will begin to merge as part of a guarantee for consumers. In the longer term, cybersecurity will be considered an insurance included as part of a service – rather than the consumer simply being promised that a vehicle is secure. This shift will make cybersecurity an important differentiator for OEMs, as service providers and fleet managers will only use vehicles that can fulfill certain cybersecurity standards required by insurance companies and that can ensure the safety and security of subscribers. With this in mind, it must be remembered that CAVs have the potential to influence the development of new business models.
Research by Frost & Sullivan has foundthat the automotive industry will invest US$82.01bn in the year 2020 on digitization (up from US$19.7bn in 2015). This is because consumers demand simplicity, convenienceand customization from most digital services – with vehicles quickly becoming a part of this expectation. In addition, despite security concerns, the potential benefits provided by autonomous vehicles are understood and their development is expected to push ahead quickly. This rapid progression has the potential to change the way cars are used and this should be a consideration for OEMs.
As vehicles become increasingly connected and autonomous, OEM business models have the potential to change, meaning there could be a shift away from personally owned vehicles toward fleets. A number of new services from startups and OEMs would offer vehicles or Mobility as a Service (MaaS) where customers pay a subscription fee with everything included or for the use of a service or specific vehicle.
New business models can only be successful if they are secure, so OEMs must have the ability to manage and control services offered in their vehicles. Implementing secure MaaS is essential for vehicles and services to maintain a competitive edge. Therefore, protecting business data and securely enforcing policies assigned to vehicles is crucial for allowing business owners to deliver tailored experiences to their customers. Through robust security, OEMs can construct the foundation that drives us toward fully connected, automated vehicles.
Words: Stacy Janes, Xhief security architect – – connected transport, Irdeto. This article was originally published in the 2019 edition of Intertraffic World.