This article is based, in part, on inputs from a private discussion in a special interest session at the 11th ITS European Congress in Glasgow (June 2016) on the cyber security challenges of connecting vehicles to infrastructure where 54 experts from a range of engineering and technical disciplines got together to share current knowledge and best practice in cyber security when connecting vehicles to infrastructure.
Connected vehicles are becoming a mainstream of our modern world. From GNSS system to satellite radio to wireless locks, today vehicles are more connected to networks than ever, and hence they are more hackable than ever. According to an IET Transport Sector Insight entitled, “Automotive Cyber Security: An IET/KTN Thought Leadership Review of Risk Perspectives for Connected Vehicles”, connectivity is set to become a compelling feature of the global car market over the coming years, leading to a market worth €39 billion by 2018. Automotive cyber security is frequently in the press with recent news stories such as: “Mitsubishi Outlander Car's Theft Alarm Hacked through Wi-Fi” and “Keyless systems of many VW Group cars can be hacked”. Ecotive Metrocab claim to be Britain’s first “hack-proof” car, developed to protect motorists from digital attacks by cybercriminals using internet banking-style security systems. But is it only a matter of time before its claim that it is “almost impossible” to electronically hijack from the outside is disproved?
With this in mind, the experts in the discussion shared their experience and challenges around cyber security and vehicle connectivity. They stressed that with the benefits of greater connectivity comes a risk of cyber threats and crimes. Remote access of vehicle management systems could have severe consequences, as hackers could potentially infiltrate these systems and alter the commands. Consequently, the security challenges that surround the future automotive industry must be addressed with urgency.
The vehicle should be designed with cyber security in mind, with software designers thinking about potential weaknesses at the very first stages of the design phase, not waiting until the vehicle has been designed and trying to retro fit solutions. Ethical hackers are increasingly being incorporated into the development lifecycle to test the system at the earliest possible stage. This can be advantageous since detected flaws can fixed before the vehicle reaches public ownership.
As it stands, the UK has a limited supply of qualified cyber security skilled personnel, and the actively growing market means that the size and growth of the talent pool is a constraint on market growth. There are well known concerns regarding the number of school and university aged students studying STEM subjects. But what was evidently clear, is that employers are also concerned that STEM syllabuses alone don't prepare young people for entering the employment market. Small business employers state that training employees in cyber security is expensive, and exposes them to the risk of training young professionals only for them to leave for higher salaries at larger firms. Some professionals highlighted that if they are looking for an ethical hacker/penetration tester one suggestion would be to approach candidates who are Certified Ethical Hackers from organisations such as the EC-Council who are a global leader in InfoSec Cyber Security certification programs. Another suggestion was to host hacking competitions to attract candidates and source future cyber defence talent through a competition where the participants find the vulnerabilities within the systems of a fictional threatened company and their products. Another recruitment strategy is to recruit the ethical hackers that are contacting companies to advise them of security breaches in their systems.
It was evident that most of the security weakness are due to human-caused errors and poorly designed systems. Some systems are deliberately left open for ‘accessibility’ reasons, not considering the hacking opportunity that this exposes. Most of these flaws can be easily avoided if the cyber security challenges were better understood at the point of design. Therefore, good users’ manuals, educational information and best practice guidance needs to be readily available.
Another challenge that needs to be addressed is the legal framework within national government and European institutions that regulates and controls this industry. Despite the measures taken to halt cyber infiltrations, the hackers will always be one step ahead. It is almost impossible to eliminate that threat. Stricter laws should be enacted to punish malicious hackers. Cases of cyber criminals getting lenient sentences and fines is a huge setback in the fight against cyber-crime.
A multi-layered approach is needed to address cyber-crime in vehicle connectivity as no single solution can sufficiently address this challenge. The representatives expressed a desire to identify cooperative solutions and work together. They stressed the importance of working across different sectors to share information on how to tackle the challenge of cyber security.
The session speakers included: