As automakers continue to innovate and incorporate new technologies into cars for the ultimate driving experience, new safety and cybersecurity challenges are emerging.
Connected and autonomous vehicles will be defined by software, so it is critical that this software is safe and secure over the lifetime of the car. Consumer safety, costly recalls and brand reputation are at stake when a vehicle is compromised. For fleets, security is essential to ensuring that uptime and efficiency levels are as high as possible, and drivers must be confident that they are safe – in every sense – behind the wheel.
Alex Manea is chief of security at BlackBerry, one company that has been focused on developing strategies to strengthen security. As a founding member of BlackBerry Security, Manea has protected mobile, desktop and IoT [Internet of Things] devices, networks and infrastructure for over a decade. He believes that the IoT is fundamentally changing the way business is done and, in turn, how the entire world operates.
“We’re taking pretty much everything there is in the world and connecting it to the Internet,” he observes. “These days, we’ve got not just connected cars, computers and phones, but also connected fridges, thermostats, kettles and coffee makers. What’s happening is that the IoT is overwhelming our traditional IT [Information Technology] environment and also the number of laptops and desktops and even the number of mobile devices we have in the world.”
He notes that in 2017, while there were 2.4 billion smartphones in the world, there were already 6.4 billion connected “things”. But by 2020, he says there will be 5.5 billion smartphones and 46 billion connected things. “So, when we start thinking about the future of security and hacking – such as what hackers are going to target – we need to think about the automotive sector.”
The computer on wheels
Almost every car made today is, in some way, connected to the Internet. Cars boast more technology than smartphones and computers: on a typical high-end car there are up to 100 million lines of code. “If you compare the amount of code in a car with the Android operating system, which has about 10 million lines of code, we are talking about an order of magnitude greater in terms of the amount of software on these cars,” says Manea.
“From a consumer standpoint, it’s fantastic because there are a lot more features, and this kind of software is going to make the autonomous vehicle possible,” he adds. “But it’s also good for hackers because having so many lines of code means that there are potentially more ways to get into the car, a lot of software vulnerabilities.”
Manea says that while there’s been an upturn recently in the hacking of computers and mobile devices, “we’re starting to see hackers get into cars. One example was in 2015, when two security researchers took a Jeep Cherokee and were able to hack into the infotainment system, jump into the driver’s seat and take control of the accelerator and braking systems.
“At this point, I’m less worried about someone getting my personal data – I’m more worried about personal safety and the safety of the people around me.”
Fleet supply chain concerns
One of the challenges Manea sees in securing automotive computer applications is the industry’s “very complicated” supply chain.
“In many other industries, you have a supply chain where there is a single manufacturer and an ecosystem of third-party suppliers. In the automotive space you have so many different OEMs and also Tier 1 and Tier 2 suppliers and more. But security is only as strong as its weakest link, and with that many links in the automotive world, all you need is a single one to be insecure and it takes down the entire ecosystem.”
In response to this, BlackBerry has set out a seven-pillar recommendation for OEMs and the fleet industry to follow to try to ensure that cars can be made as safe and secure as possible.
BlackBerry’s seven steps for cybersecurity.
1) Secure the supply chain. Ensure that every chip and ECU (Electronic Control Unit) in the automobile can be authenticated and is loaded with trusted software, irrespective of vendor tier or country of manufacture. Use sophisticated binary static code scanning tools during software development to provide a broad assessment that includes open-source code content.
2) Use trusted components. A recommended set of parts that have proper security and safety features and that have been hardened against security threats is essential. The operating system must be safety-certified and must have multi-level security features, such as access control policies, encrypted file systems and thread-level anomaly protection.
3) Conduct in-field checks. Ensure that all ECU software has integrated analytics and diagnostic software that can capture and log events and report them to a cloud-based tool for further analysis. Also ensure that a defined set of metrics can be scanned regularly when the vehicle is in the field.
4) Isolate critical units. Use an electronic architecture for the automobile that isolates safety-critical from non-safety-critical ECUs, and that can also “run-safe” when anomalies are detected.
5) Create a rapid response network. Create an enterprise network to share common vulnerabilities and exposures among users. By doing so, teams can learn from each other and provide bulletins and fixes against those threats.
6) Re-flash and install all updates. When an issue is detected in field checks, proactively re-flash vehicles with secure over-the-air updates to mitigate the issue.
7) Create a cyber safety culture. Ensure that every organization involved in supplying auto electronics is trained in safety and security best practices to instill a cybersecurity safety culture. This training should include design and development as well as IT system security.