Skip to main content

Guidelines on cyber security for connected and automated vehicles ‘doesn’t go far enough’

David Barzilai, chairman and co-founder of automotive cyber-security firm, Karamba Security, has applauded the UK government for taking pre-emptive action and zeroing in on preventing cyber-attacks as critical for the adoption of self-driving cars on a mass scale. However, he says the guidelines don’t go far enough toward effectively preventing car hacking, saying cars are not servers or mobile phones that can sustain the risk of hidden security bugs. The time it takes to remediate such bugs in production,
August 8, 2017 Read time: 3 mins
David Barzilai, chairman and co-founder of automotive cyber-security firm, 8519 Karamba Security, has applauded the UK government for taking pre-emptive action and zeroing in on preventing cyber-attacks as critical for the adoption of self-driving cars on a mass scale.
 
However, he says the guidelines don’t go far enough toward effectively preventing car hacking, saying cars are not servers or mobile phones that can sustain the risk of hidden security bugs. The time it takes to remediate such bugs in production, while hackers exploit them and create damage, can compromise consumers’ safety.

Smart vehicles are increasingly becoming the norm on British roads, allowing drivers to access maps, travel information and new digital radio services from the driving seat. But while smart cars and vans offer new services for drivers, it is feared would-be hackers could target them to access personal data, steal cars that use keyless entry, or even take control of technology for malicious reasons.

Tough new %$Linker: 2 External <?xml version="1.0" encoding="utf-16"?><dictionary /> 0 0 0 oLinkExternal government guidance false http://www.gov.uk/government/publications/principles-of-cyber-security-for-connected-and-automated-vehicles false false%> aims to ensure engineers developing smart vehicles will have to toughen up cyber protections and help design out hacking. The government is also looking at a broader programme of work announced in this year’s Queen’s speech under the landmark Autonomous and Electric Vehicles Bill that aims to create a new framework for self-driving vehicle insurance.

The guidance contains eight principles, setting out how the automotive sector can make sure cyber security is properly considered at every level, from designers and engineers, through to suppliers and senior level executives. These include:

  • Organisational security is owned, governed and promoted at board level:
  • Security risks are assessed and managed appropriately and proportionately, including those specific to the supply chain:
  • Organisations need product aftercare and incident response to ensure systems are secure over their lifetime;
  • All organisations, including sub-contractors, suppliers and potential 3rd parties, work together to enhance the security of the system;
  • Systems are designed using a defence-in-depth approach;
  • The security of all software is managed throughout its lifetime;
  • The storage and transmission of data is secure and can be controlled;
  • The system is designed to be resilient to attacks and respond appropriately when its defences or sensors fail.

Barzilai says cars enter production with thousands of hidden security bugs. It is unavoidable, as all software has bugs and cars have between 10m to 100m lines of code, in each car. As autonomous cars get more sophisticated and as more human navigation tasks, such as looking around and steering, move to the car, the danger increases. Hackers can hack into a car through its internet-connected features such as the vehicle-to-vehicle (V2V) communications system, and once in, they can work their way into the rest of the car’s controls.
 
However, he says, cars have a significant cyber-security enabler, which should not be overlooked. Cars should run as they operate in-factory. Any unauthorised change to factory settings must be malware. Hardening the car’s externally-connected controllers according to their factory settings prevents cyber-attacks, when hackers try to exploit security bugs, before hackers succeed to infiltrate the car and without sending frequent security patches to the field.

UTC

Related Content

  • November 5, 2014
    Evolis launches Core solution for single-pass printing
    Evolis is using CARTES SECURE CONNEXIONS 2014 to launch Core, the companyís first printer to offer laser engraving using new technology. Developed in partnership with Italian firm Ixla, Core is a solution for encoding, printing, laser engraving and secured lamination in a single pass.
  • May 3, 2019
    Gig launches electric car-share service in Sacramento
    Gig has launched its an electric car-share service in Sacramento, California, and will award one member of its programme a year of free driving. Gig says members can participate in the competition by taking a trip with the service until 31 May. The company says the app allows users to see available cars and book up to 30 minutes in advance or instantly choose any of its vehicles which are display a green windshield light. The car can be unlocked via a smartphone and be driven from using a power butt
  • September 10, 2013
    NNG launches PND for the Indian market
    Global navigation and mapping specialist NNG continues its development automotive and personal navigation devices (PNDs) with the launch of a new PND especially designed for Indian roads. Launched in partnership with Ayana Navigation Solutions (ANS), the five-inch ANS Navigator A-501 runs on the NNG iGO primo software. The device is pre-loaded with the latest India maps and a total of over seven million points of interest (POIs). To guarantee continued reliable guidance, the unit comes with a one-year map
  • February 7, 2019
    Go-Ahead uses Dovu’s blockchain tech to augment customer data
    UK train and bus company Go-Ahead is to use Dovu’s blockchain-driven reward platform to gain more data on its passengers. The scheme will be rolled out initially on Go-Ahead’s Thameslink and Southern Rail train services and offers passengers using the Dovu platform the chance to earn cryptocurrency when they share their travel information. This will be used to help them make changes to their travel behaviour, the companies say. Among other things, Dovu aims to encourage the use and sharing of tran