Even if a vehicle is designed with state-of-the art security and maintained with over-the-air software updates during its operational life, a cyberattack on that vehicle can still happen at any time.
“How can a car fleet be monitored and by whom, to detect those attacks and mitigate their harmful effects?”
This was just one of the questions that moderator Michael L. Sena, Consulting AB, addressed to a group of intelligent transport experts during a discussion on automotive cybersecurity at the recent ITU-UNECE Symposium on the Future Networked Car.
The ingredient for security in any industry lies in applying “prevent, detect and react,” according to Pierre Gerard, Senior Security Expert for Thales, and it all starts with the data sources.
“Basically you can start with the data sources you already have,” says Gerard, “from your telematics, from services that you provide to your customers – you can tap into them to detect what is going wrong.”
“It can come from the mobile app,” he adds. “Lastly, you can install an intrusion detection system inside the car to detect an attack. Anything suspicious can then be reported.”
“The car is becoming a software on wheels and it is unclear as to who is at fault or liable.” — Rossen Naydenov, ENISA.
The security operations centre, explains Gerard, figures out if there is an attack, and a procedure involving AI and Big Data learns the normal behaviour of a vehicle fleet, to then be able to detect any abnormal behaviour.
Participants were surprised to hear that the security process involves a huge monitoring task run by teams of security experts. They would be monitoring 24/7, with the ability to detect an attack, react and prevent further attacks, attacks with the potential to lead to stolen vehicles.
Johannes Springer of Deutsche Telekom said that in fact the whole production process needs monitoring, considering the maintenance centre, the supplier network, as well as the whole research and development phase.
“But it’s not just the car manufacturers who face this security challenge – other service providers in a similar position also need high reliability,” says Springer.
Since driver-assisted functions are software-based, there needs to be a chain of trust at both the product and process levels. How can this chain of trust be achieved?
Thomas Thurner, Head of Cybersecurity for DEKRA Digital, pointed out that software and embedded software is developed, integrated and maintained within a complex supply chain. “Without proof of the quality, you cannot assume that the safety and cybersecurity is of a high quality,” he says.
Thurner explained to participants that on a process level there should be certified and efficient management systems for software quality and safety, and for cybersecurity.
On the product level there is a need to assess product development, particularly on the testing procedures, the testing strategies and whether they are in accordance with standards, he said.
Thurner also pointed out that across the complete supply chain there is a need for thorough checks and audits, throughout the development, production and operation processes. Process and product supervision is of particular importance at the product’s creation, but also throughout its lifetime, again highlighting the necessity of 24/7 monitoring.
Another question centred around insurance companies and liability in the event of a hacked car causing an accident.
As Rossen Naydenov of ENISA pointed out: “The car is becoming a software on wheels and it is unclear as to who is at fault or liable.”
Would it be the one that produced the software who would be liable – or the one using it? Who would carry the burden of proof?
The experts present, coming from different disciplines, expressed their views on this complex issue.
Many countries are still at the transition phase from IPv4 to IPv6, and according to Latif Hadid, Founder & President of the IPv6 Forum, 3GPP Board Member and Research Fellow at the University of Luxembourg, this continued use of IPv4 has implications for cybersecurity.
Hadid warned that car manufacturers still using IPv4 are more at risk of being hacked, warning that top-level car manufacturers are unaware of the dangers of this and that “capacity building at a top level on IPv6 is important.”
The U.S. Government recently announced its intention to migrate gradually to IPv6-only systems, and by 2025 at least 80% of the U.S. Government will be using IPv6 only.
According to Hadid, Finland is by far the best-equipped country to address hacking and cyberattacks, saying that in Finland the ICT regulator itself is the country’s cybersecurity head office (employing around 60 people), and that cybersecurity laws are written into the Finnish constitution.
Is the automotive industry sharing threat intelligence in a way that improves cybersecurity, and if not, how can this information sharing be improved?
“Information sharing needs to be led by the industry,” according to Rossen Naydenov, Network and Information Security Expert at ENISA. “This is not something that regulation can impose.”
Naydenov believes that the current automotive stakeholders have trust in each other, but perhaps not the level of trust required for information sharing on cybersecurity (referring specifically to Europe). “We have seen that in the U.S. the Auto-ISAC [Automotive Information Sharing and Analysis Center] helps the industry to stand more firmly against the attackers and prevent new attacks being developed,” he said.
Naydenov recommends that if the automotive industry were to create its own ISAC in Europe, it should be in close cooperation with initiatives focused on threat intelligence sharing in the ICT sector.
It was suggested that knowledge about automotive cybersecurity can and should be brought out on a global scale. By international cooperation, experts can learn from each other, and therefore help to support global road safety, together.
The 2020 ITU-UNECE Symposium on the Future Networked Car was kindly supported by Gold sponsor DEKRA, Silver sponsor Qualcomm and Bronze sponsor RoadDB.