Even if a vehicle is designed with state-of-the-art security and maintained with over-the-air software updates during its operational life, a cyberattack on that vehicle can still happen at any time.
“How can a car fleet be monitored and by whom, to detect those attacks and mitigate their harmful effects?”
This was just one of the questions that moderator Michael L. Sena, of Consulting AB, addressed to a group of intelligent transport experts during a discussion on automotive cybersecurity at the ITU/UNECE Symposium on the Future Networked Car (FNC‑2020).
Start with the data sources
Security in any industry lies in applying “prevent, detect and react”, according to Pierre Gerard, Senior Security Expert for Thales, and it all starts with the data sources.
“Basically you can start with the data sources you already have,” says Gerard, “from your telematics, from services that you provide to your customers — you can tap into them to detect what is going wrong.”
“It can come from the mobile app,” he adds. “Lastly, you can install an intrusion detection system inside the car to detect an attack. Anything suspicious can then be reported.”
The security operation centre, explains Gerard, figures out if there is an attack, and a procedure involving AI and Big Data learns the normal behaviour of a vehicle fleet, to then be able to detect any abnormal behaviour.
Participants were surprised to hear that the security process involves a huge monitoring task run by teams of security experts. They would be monitoring 24/7, with the ability to detect an attack, react and prevent further attacks with the potential to lead to stolen vehicles.
Johannes Springer of Deutsche Telekom said that in fact the whole production process needs monitoring, considering the maintenance centre, the supplier network, as well as the whole research and development phase.
“But it’s not just the car manufacturers who face this security challenge — other service providers in a similar position also need high reliability”, says Springer.
Since driver-assisted functions are software-based, there needs to be a chain of trust at both the product and process levels. How can this chain of trust be achieved?
Thomas Thurner, Head of Cybersecurity for DEKRA Digital, pointed out that software and embedded software are developed, integrated and maintained within a complex supply chain. “Without proof of the quality, you cannot assume that the safety and cybersecurity is of a high quality,” he says.
Thurner explained to participants that on a process level there should be certified and efficient management systems for software quality and safety, and for cybersecurity.
On the product level there is a need to assess product development, particularly on the testing procedures, the testing strategies and whether they are in accordance with standards, he said.
Thurner also pointed out that across the complete supply chain there is a need for thorough checks and audits, throughout the development, production and operation processes. Process and product supervision is of particular importance at the product’s creation, but also throughout its lifetime, again highlighting the necessity of 24/7 monitoring.
Insurance — who is liable?
Another question centred around insurance companies and liability in the event of a hacked car causing an accident.
As Rossen Naydenov of ENISA pointed out: “The car is becoming a software on wheels and it is unclear as to who is at fault or liable.”
Would it be the one that produced the software that would be liable — or the one using it? Who would carry the burden of proof?
The experts present, coming from different disciplines, expressed their views on this complex issue.
IPv6 — crucial for security
Many countries are still in the transition phase from IPv4 to IPv6, and according to Latif Ladid, Founder & President of the IPv6 Forum, 3GPP Board Member and Research Fellow at the University of Luxembourg, this continued use of IPv4 has implications for cybersecurity.
Ladid warned that car manufacturers still using IPv4 are more at risk of being hacked, saying that top-level car manufacturers are unaware of the dangers of this and that “capacity building at a top level on IPv6 is important.”
The United States Government recently announced its intention to gradually migrate to IPv6‑only systems, and by 2025 at least 80% of the US Government will be using IPv6 only.
The Finnish model — a good way to start?
According to Ladid, Finland is by far the best-equipped country to address hacking and cyberattacks, saying that in Finland the ICT regulator itself is the country’s cybersecurity head office (employing around 60 people), and that cybersecurity laws are written into the Finnish constitution.
Information sharing — key to cybersecurity
Is the automotive industry sharing threat intelligence in a way that improves cybersecurity, and if not, how can information sharing be improved?
“Information sharing needs to be led by the industry,” according to Rossen Naydenov, Network and Information Security Expert at ENISA. “This is not something that regulation can impose.”
Naydenov believes that the current automotive stakeholders have trust in each other, but perhaps not the level of trust required for information sharing on cybersecurity (referring specifically to Europe).
“We have seen that in the US the Auto ISAC [Automotive Information Sharing and Analysis Center] helps the industry to stand more firmly against the attackers and prevent new attacks being developed,” he said.
Naydenov recommends that if the automotive industry were to create its own ISAC in Europe, then it should be in close cooperation with initiatives focused on threat intelligence sharing in the ICT sector.
Bringing knowledge on a global scale
It was suggested that knowledge about automotive cybersecurity can and should be brought out on a global scale. By international cooperation, experts can learn from each other, and therefore help to support global road safety, together.
Ref: No.1 2020 ITU News Magazine