Driver preferences and desires are changing dramatically. Consumers want customized experiences, so vehicles, and in turn the industry, are changing to answer those needs. Increased personalization and connectivity mean more software, but that does not need to translate into greater vulnerability. Secure by design vehicles enable OEMs to provide an advanced driver experience without compromising on automotive cybersecurity.
The way we drive our cars is changing. Today’s drivers want personalized experiences when they travel, and this is pushing suppliers and OEMs to shift from a vehicle-centric approach to a driver-centric one. Today, 381 million cars and trucks are connected, and the number will only continue growing as consumers crave more personalization at their fingertips. Connected vehicles are now able to act like smartphones and smart appliances, sharing internet and wireless network access with other cars and external devices. They can upload data and receive information. New software is already providing more features and capabilities fulfilling drivers’ desires and expectations. Cyberspace has met the road, and automotive cybersecurity is paramount, and must be an integral part of the design.
The automobile used to be an isolated mechanical device that could only be tampered with or stolen through direct physical contact, and even then only one vehicle at a time could be targeted. We are now in an era where technology enables hackers to target millions of vehicles simultaneously and remotely, with both malicious hacking and ransomware attacks. The connected car, with its huge processing power, tremendous data storage and numerous communication channels, greatly increases the risk of attack. For robust protection of data, and by extension the safe operation of the vehicle, a layered cybersecurity approach must be taken. First, security by design as an engineering effort to mitigate or reduce the risk of an attack in progress. Second, fleetwide visibility and vehicle lifecycle risk management, which OTA software updates make possible. Third, the connectivity and software packages themselves must be handled so that they do not become a cybersecurity risk.
The connected vehicle is fast becoming a mega computer on wheels with enormous processing power, vast data storage and numerous communication channels. Virtually all of the vehicle’s functional subsystems participate in the network. The connected vehicle ecosystem can be decomposed into five interlinked types of systems:
Connected vehicles consume and store vast volumes of data. At the bottom of the diagram, incidents such as false positives and methodologies such as post-attack investigation are acceptable just as they are in the open-system IT world. In such open systems, possible behaviors (legitimate ones) are too complex and numerous to model, so we have to depend on heuristics, machine learning and other reactive methods to identify and deal with attacks. But as we move up towards Safety-Critical operations, connected cars must be maintained as closed systems with a deterministic capability that is preventative as opposed to reactive. Deterministic security demands that the universe of all potential operating permutations must be modeled comprehensively and that any communication or process execution is unable to take the subsystem out of the realm of acceptable behavior. The security mechanism’s threat-agnosticism means that attacks of any type (foreseen or not) and from any source cannot compromise any safety-critical ECU or communication. This explains why automotive cybersecurity best practices must differ from other forms of data protection.
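The closed-system, deterministic approach described above can be made concrete as a deny-by-default policy: the acceptable messages for a safety-critical subsystem are modeled explicitly, and anything the model does not describe is rejected, whatever its origin and whether or not it belongs to a known attack pattern. The following is an added illustration, not code from the original article or from any vendor; the message ids, ECU names, value ranges, timing limits and sample frames are all constructed for the example.

```python
"""Deny-by-default message policy for a safety-critical subsystem.

Added illustration, not code from the original article: the text's "closed
system" idea rendered as an explicit model of acceptable messages. A frame is
admitted only if the model says it can occur; anything else is rejected,
whatever its source and whether or not it belongs to a known attack.
Message ids, ECU names, ranges and the sample frames are all constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class MessageSpec:
    """What the model knows about one acceptable message type."""
    name: str
    length: int                        # exact payload length in bytes
    allowed_senders: FrozenSet[str]    # ECUs permitted to emit this message
    value_range: Tuple[int, int]       # inclusive bounds on the decoded value
    min_interval_ms: int               # fastest legitimate repetition


@dataclass
class DeterministicPolicy:
    """Every check is a comparison against the model; no heuristics, no scoring."""
    specs: Dict[int, MessageSpec]
    last_accepted_ms: Dict[int, int] = field(default_factory=dict)

    def check(self, msg_id: int, sender: str, payload: bytes, t_ms: int) -> Tuple[bool, str]:
        spec = self.specs.get(msg_id)
        if spec is None:
            return False, "unknown message id"
        if sender not in spec.allowed_senders:
            return False, "sender not permitted for this message"
        if len(payload) != spec.length:
            return False, "payload length outside model"
        value = int.from_bytes(payload, "big")
        lo, hi = spec.value_range
        if not lo <= value <= hi:
            return False, "value outside modeled operating envelope"
        prev = self.last_accepted_ms.get(msg_id)
        if prev is not None and t_ms - prev < spec.min_interval_ms:
            return False, "repetition faster than modeled rate"
        self.last_accepted_ms[msg_id] = t_ms
        return True, "accepted"


# Constructed model: one safety-relevant message, a brake request valued 0..1000,
# that only the brake ECU may send and no faster than every 10 ms.
BRAKE_SPECS = {
    0x100: MessageSpec("brake_request", 2, frozenset({"brake_ecu"}), (0, 1000), 10),
}

# Constructed frames: (msg_id, sender, payload, timestamp_ms)
SAMPLE_FRAMES: List[Tuple[int, str, bytes, int]] = [
    (0x100, "brake_ecu", b"\x00\x64", 0),      # value 100, inside the envelope
    (0x100, "infotainment", b"\x00\x64", 5),   # sender not in the model
    (0x200, "brake_ecu", b"\x00\x01", 10),     # message id not in the model
    (0x100, "brake_ecu", b"\x03\xe9", 20),     # value 1001, outside the envelope
    (0x100, "brake_ecu", b"\x00\x10", 25),     # value 16, 25 ms after last accept
    (0x100, "brake_ecu", b"\x00\x10", 30),     # 5 ms later: faster than modeled
    (0x100, "brake_ecu", b"\x10", 50),         # wrong payload length
]


def evaluate(frames, specs=BRAKE_SPECS) -> List[Tuple[bool, str]]:
    """Run every frame through a fresh policy and return each verdict."""
    policy = DeterministicPolicy(specs)
    return [policy.check(*frame) for frame in frames]


if __name__ == "__main__":
    for frame, (ok, why) in zip(SAMPLE_FRAMES, evaluate(SAMPLE_FRAMES)):
        print(f"{frame[0]:#05x} from {frame[1]:<13} {'ACCEPT' if ok else 'REJECT'}: {why}")
```

Note the contrast with the reactive, open-system approach: nothing here learns from traffic or scores suspicion, so the policy cannot produce a false positive in the statistical sense, and a new kind of attack is handled exactly like an old one, because the only question asked is whether the frame lies inside the modeled envelope. The cost is that the envelope must be complete and maintained, which is why this approach is reserved for the safety-critical layer.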
There is no silver bullet for automotive cybersecurity. Solutions must be determined and implemented in a continuous process that takes into account changes in the automotive market, in technologies and in the nature of cyber threats. But the foundation for these solutions cannot be patched in as an afterthought; it must be incorporated in a secure by design architecture from the beginning and throughout all phases of production. This is why we are seeing an increase in automotive cybersecurity certifications from the UN, SAE and Automotive SPICE, among others. OEMs must develop a comprehensive assessment of the cybersecurity risks that may affect any system’s normal operation: a proactive process that consistently and carefully analyses the cyber ecosystem, the system architecture and the implementation of its components in order to discover weak points and exploitable flaws that could evolve into risks in the future.
Pictorially, the RISK ASSESSMENT should map the Risk Severity (RS) in the range of 1 – 5 (1= lowest severity, 5= highest) against the Probability of Materialization (PM) in the range of 1 – 3 (1= low, 2= medium, 3= high probability).
Then, for each risk, determine:
This will yield a Risk Factor between 0 – 15. Next, determine MITIGATION MEASURES for each risk. Assign mitigation of the risk to a person or team along with a target for a measurable risk reduction by a certain date. Both the RISK ASSESSMENT and MITIGATION PLAN should be an ongoing practice; they must be reviewed and updated regularly.
| Risk Description | Date | Severity (RS) | Probability (PM) | Risk Factor (RF) | Mitigation Measures | Milestone | Start Time | Target Resolution | Budget ($) | Team Leader | Team Members |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Malware Gaining Control Over the Safety Critical ECU | 01.15.21 | 5 | 3 | 15 | Action #1 | | 01.2021 | 04.2021 | x | | |
| | 02.15.21 | 5 | 2 | 10 | Action #2 | RF=10 | | | | | |
| | 03.15.21 | 4 | 1 | 4 | Action #3 | RF=4 | | | | | |
| | 04.15.21 | 4 | 0 | 0 | Action #4 | RF=0 | | | | | |
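The register arithmetic and the review discipline described above can be kept honest with a little code. The following is an added example, not the article's own tooling. It assumes RF = RS × PM, which reproduces every row of the table (5×3=15, 5×2=10, 4×1=4, 4×0=0) and the stated 0–15 range; it takes RS as 1–5 as the text states, and allows PM to be 0 as well as 1–3 because the table's final review records PM=0 once mitigation is complete. The dates, the team leader placeholder, the reading of "04.2021" as the end of that month, the review cadence of 45 days and the second, open risk are all constructed for the example.

```python
"""Risk register arithmetic for the RISK ASSESSMENT and MITIGATION PLAN.

Added example, not code from the original article. Assumptions (labelled):
RF = RS x PM, which reproduces every row of the table and the 0-15 range;
RS is 1-5 as the text says; PM may be 0 as well as 1-3, because the table's
last review records PM=0 once mitigation is complete. The dates, owner and
review cadence below are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

RS_RANGE = (1, 5)   # Risk Severity: 1 = lowest, 5 = highest
PM_RANGE = (0, 3)   # Probability of Materialization: 0 once fully mitigated


def risk_factor(rs: int, pm: int) -> int:
    """RF = RS x PM, after validating both inputs against their scales."""
    if not RS_RANGE[0] <= rs <= RS_RANGE[1]:
        raise ValueError(f"severity {rs} outside {RS_RANGE}")
    if not PM_RANGE[0] <= pm <= PM_RANGE[1]:
        raise ValueError(f"probability {pm} outside {PM_RANGE}")
    return rs * pm


@dataclass(frozen=True)
class Review:
    """One dated row of the register for a single risk."""
    when: date
    severity: int
    probability: int
    action: str
    rf_target: Optional[int] = None   # milestone set for this action, if any

    @property
    def rf(self) -> int:
        return risk_factor(self.severity, self.probability)


@dataclass
class RiskEntry:
    description: str
    team_leader: str
    start: date
    target_resolution: date
    reviews: List[Review]

    def trajectory(self) -> List[int]:
        """RF at each review, oldest first: the measurable risk reduction."""
        return [r.rf for r in sorted(self.reviews, key=lambda r: r.when)]

    def milestones_met(self) -> List[Tuple[str, bool]]:
        """An action's milestone is met when the RF recorded with it is at or below target."""
        return [(r.action, r.rf_target is None or r.rf <= r.rf_target) for r in self.reviews]

    def is_closed(self) -> bool:
        return bool(self.reviews) and self.trajectory()[-1] == 0

    def closed_on_schedule(self) -> bool:
        return self.is_closed() and max(r.when for r in self.reviews) <= self.target_resolution

    def review_overdue(self, today: date, max_gap_days: int = 45) -> bool:
        """The plan must be reviewed regularly: flag open risks left untouched too long."""
        if self.is_closed():
            return False
        last = max(r.when for r in self.reviews)
        return (today - last).days > max_gap_days


# The table's row, transcribed. "04.2021" is read as the end of that month (assumption).
MALWARE_ECU_RISK = RiskEntry(
    description="Malware Gaining Control Over the Safety Critical ECU",
    team_leader="<team leader>",          # placeholder: blank in the table
    start=date(2021, 1, 1),
    target_resolution=date(2021, 4, 30),
    reviews=[
        Review(date(2021, 1, 15), 5, 3, "Action #1"),
        Review(date(2021, 2, 15), 5, 2, "Action #2", rf_target=10),
        Review(date(2021, 3, 15), 4, 1, "Action #3", rf_target=4),
        Review(date(2021, 4, 15), 4, 0, "Action #4", rf_target=0),
    ],
)

# A constructed second risk that has had a single review and is still open.
STALE_OPEN_RISK = RiskEntry(
    description="<constructed open risk>",
    team_leader="<team leader>",
    start=date(2021, 1, 1),
    target_resolution=date(2021, 6, 30),
    reviews=[Review(date(2021, 1, 15), 3, 2, "Action #1", rf_target=2)],
)


if __name__ == "__main__":
    for entry in (MALWARE_ECU_RISK, STALE_OPEN_RISK):
        print(entry.description, entry.trajectory(), entry.milestones_met(),
              "closed" if entry.is_closed() else "open",
              "review overdue" if entry.review_overdue(date(2021, 4, 1)) else "reviewed")
```

Two points of the text show up directly in the code: a risk is only "closed" when its RF reaches 0, which requires PM to reach 0 (the severity of a compromised safety-critical ECU does not go away, only its likelihood), and `review_overdue` turns "reviewed and updated regularly" into something a dashboard can flag rather than a sentence in a policy.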
The software-defined vehicle is here, and it will be the new standard for the future car. Secure by design, that is, incorporating cybersecurity into the design of the car, will allow OEMs to securely provide customized user experiences for diverse drivers and their changing preferences without downtime or visits to the dealership.