Shift Magazine - Issue 1 2018 - 8

Building

cyber-safety

into our cars

SPONSORED CONTENT
Sponsored content

Within the next few years, virtually all new cars will be connected to the
internet. That will give drivers and passengers even greater access to the
kinds of digital services, such as streaming media and e-commerce, that
have helped make smartphones so indispensable. Yet, it will also likely
usher in a pressing new challenge for automakers: how to keep the
connected car safe from cyberattacks.
A smarter car thief? Car thieves tampering with remote keyless
entry systems account for most of today's automotive hacks.
Researchers have demonstrated, however, that it's possible to
wreak much more havoc by penetrating the connected car's
electronic brain. In 2015, a pair of cybersecurity experts grabbed
headlines by remotely disabling the engine of a car driving down
an interstate highway at 70 m.p.h.1 The following year, researchers
from a security company identified a weakness in a vehicle
entertainment system that could lead to a ransomware attack.2 And
last summer, the Department of Homeland Security warned several
automakers that their cars' telematic control units, which enable
tracking of--and communication with--the vehicle, could be
vulnerable to denial-of-service attacks. 3

This would all be easier if the automotive industry had clearer
cybersecurity standards. No such common playbook yet exists, although a
set of best practices for connected vehicles released by the Automotive
Information Sharing and Analysis Center (Auto-ISAC) is a step in the right
direction. The Auto-ISAC serves as a repository of intelligence on cyber
threats to help automakers and their suppliers prepare for, and respond to,
vehicle cybersecurity risks. Strengthening Auto-ISAC by being diligent in
sharing threat information and analysis should be a priority for every
automotive company.

The dangers posed by these kinds of digital intrusions will likely only
deepen as autonomous-driving technology advances. While cars are
far from becoming driverless living rooms on wheels--PwC estimates
fully autonomous vehicles won't enter the mainstream until 2027 at
the earliest--the onus is on automakers to not only address
vulnerabilities that have already surfaced, but also to safeguard
against future threats.
Cybersecurity needs to take a front seat To stay ahead,
automakers should start thinking about cybersecurity at the very
beginning of a new vehicle's development. Once a car leaves the
factory, it can become difficult to add new security features or bolster
existing ones. That means any potential weaknesses need to be dealt
with before vehicles enter production. Early testing may catch most
problems, but since most cars have a three- to five-year development
cycle, one or two rounds of tests won't be enough. Taking an iterative
approach to cybersecurity testing may slow down the process of
getting a new car to market, but it's cheaper and easier to prevent
problems then to fix them later. In the long run, secure design will
limit recalls, reduce liability risk, and help prevent embarrassing
intrusions by hackers.
Of course, cybersecurity isn't only the car manufacturer's
responsibility. It's important that third-party suppliers share
a focus on preventing attacks, since they provide the majority of
sophisticated components in the connected car. Nonetheless,
automakers, not their supply-chain vendors, will bear the
reputational risk if a vehicle's digital defenses are breached. That's
why the responsibility is on car makers to develop cybersecurity
requirements and make sure suppliers meet them. They also need to
be open about vulnerabilities discovered in testing, so they can be
addressed by the vendor that built the deficient part.

Digital threats extend beyond cars The impact of advanced
technologies isn't limited to the car itself. The factories that produce
them are more connected than ever, too. While robots have been a
mainstay of automotive production lines for decades, the advances in
artificial intelligence and other digital technologies have made it possible
to automate an ever-increasing share of the manufacturing process. And
advanced materials and improving 3D printing has revolutionized the way
prototypes and, increasingly, production components are made. But as
the factory becomes "smarter," it also becomes more vulnerable
to cyberattack.
Fortunately, there are a few steps automakers can take to protect
themselves. First and foremost, a successful defense against online threats
begins at the top. The CEO and board of directors should make
cybersecurity a priority and ensure that it's woven into company culture
at all levels. A phishing attack only needs to fool one employee to give
hackers access to sensitive data.

Andy Greenberg, Wired, "The Jeep Hackers Are Back to Prove Car Hacking Can Get Much Worse," 8/1/2016; https://www.wired.com/2016/08/jeep-hackers-return-high-speed-steering-acceleration-hacks/

Christiaan Beek and Raj Samani, MacAfee LLC, "DEFCON - Connected Car Security," 8/2/2017; https://securingtomorrow.mcafee.com/mcafee-labs/defcon-connected-car-security/

Mark Rockwell, 1105 Media Inc., "DHS, vendor warn on automotive cyber flaws," 8/3/2017; https://fcw.com/articles/2017/08/03/auto-cyber-cert-rockwell.aspx

https://www.wired.com/2016/08/jeep-hackers-return-high-speed-steering-acceleration-hacks/ https://securingtomorrow.mcafee.com/mcafee-labs/defcon-connected-car-security/ https://www.fcw.com/articles/2017/08/03/auto-cyber-cert-rockwell.aspx

Table of Contents for the Digital Edition of Shift Magazine - Issue 1 2018