Last updated: 05 July 2017
The professional hackers that stopped a Jeep on a highway for an article in Wired certainly touched a nerve. People shared the story over 200,000 times, thousands of follow-up articles were written, and a hasty product recall programme launched. A US senator even proposed legislation to establish new federal standards for digital security.
For many who work in the field of digital security, this type of attack had always been coming. We saw what the same guys did back in 2013, what others demonstrated with a Tesla last week, and even a Corvette a few days ago. Were people so shocked because the journalist was put in peril on a highway? Or perhaps they were wondering why anyone would want to connect a car to a network in the first place—considering it just another innovation in a long line of tech for tech’s sake. And wasn’t it equally obvious that a connected car would be the target of hackers?
But the benefits of adding wireless connectivity to devices are enormous—expanded productivity, time and cost savings, and enriched services are simplifying our lives as we speak. Yet in the race to add IP connectivity to cars, homes and cities, digital security has often been overlooked. A survey by VDC Research showed that almost 70% of OEMs said security is important to design, but only 30% indicated that they made the required changes in personnel, processes or tools to improve security. Fortunately, this trend is changing, and after the Wired Jeep hack, changing pretty quickly, we hope.
No one would ever consider building a home on a beach without a foundation. This fact isn’t lost on carmakers, developers and OEMs. They are beginning to use intelligent security architecture as the foundation on which to build consumer trust. This architecture focuses on the device, the data, the network and the ecosystem.
The auto industry and industrial Internet of Things (IoT) developers need to approach connectivity with the same intelligence as IT system integrators. We must all recognize that the software running cars and devices is a source of potential threat, just like hardware components. In many industries, such as banking and healthcare, security threats like these have existed for decades. We should draw on their experience to deploy proven best practices. These include:
- Security by design
Security must be considered at the start of the development phase, and never be treated as an afterthought. - Risk Evaluation
Developers need to know and understand all potential system vulnerabilities. An early comprehensive risk evaluation is critical to implement security architecture across the entire connected device ecosystem. - End-to-End Trust Points and Countermeasures
Developers should protect, encrypt, and authenticate all devices and infrastructure with tamper-proof hardware and software. Encryption keys which manage access to connected systems must also be securely managed to protect data. - Lifecycle Management
Car makers and IoT developers need to design on an interoperable, dedicated platform that can deploy security updates over the lifetime of the car—which could be as long as 15 years or more. They should also be able to launch new applications over the air without impacting other embedded software. We’re all used to software security updates on our computers and smartphones. With cars increasingly becoming smartphones on wheels, it should be logical to apply this kind of evolutionary security approach in this domain as well.
As more of our world goes online and cyber-attacks become more common, trust has never been so important. Some car makers are already in the position to respond to these well-publicized threats quickly (some even over the air), and hopefully this will reassure consumers that they don’t need to be wary of connected cars.
Would you trust a connected car now? If not, what changes would you make? Let us know in the comments section or online @Gemalto.
