Skip to main content

Guidelines on cyber security for connected and automated vehicles ‘doesn’t go far enough’

David Barzilai, chairman and co-founder of automotive cyber-security firm, Karamba Security, has applauded the UK government for taking pre-emptive action and zeroing in on preventing cyber-attacks as critical for the adoption of self-driving cars on a mass scale. However, he says the guidelines don’t go far enough toward effectively preventing car hacking, saying cars are not servers or mobile phones that can sustain the risk of hidden security bugs. The time it takes to remediate such bugs in production,
August 8, 2017 Read time: 3 mins
David Barzilai, chairman and co-founder of automotive cyber-security firm, 8519 Karamba Security, has applauded the UK government for taking pre-emptive action and zeroing in on preventing cyber-attacks as critical for the adoption of self-driving cars on a mass scale.
 
However, he says the guidelines don’t go far enough toward effectively preventing car hacking, saying cars are not servers or mobile phones that can sustain the risk of hidden security bugs. The time it takes to remediate such bugs in production, while hackers exploit them and create damage, can compromise consumers’ safety.

Smart vehicles are increasingly becoming the norm on British roads, allowing drivers to access maps, travel information and new digital radio services from the driving seat. But while smart cars and vans offer new services for drivers, it is feared would-be hackers could target them to access personal data, steal cars that use keyless entry, or even take control of technology for malicious reasons.

Tough new %$Linker: 2 External <?xml version="1.0" encoding="utf-16"?><dictionary /> 0 0 0 oLinkExternal government guidance false http://www.gov.uk/government/publications/principles-of-cyber-security-for-connected-and-automated-vehicles false false%> aims to ensure engineers developing smart vehicles will have to toughen up cyber protections and help design out hacking. The government is also looking at a broader programme of work announced in this year’s Queen’s speech under the landmark Autonomous and Electric Vehicles Bill that aims to create a new framework for self-driving vehicle insurance.

The guidance contains eight principles, setting out how the automotive sector can make sure cyber security is properly considered at every level, from designers and engineers, through to suppliers and senior level executives. These include:

  • Organisational security is owned, governed and promoted at board level:
  • Security risks are assessed and managed appropriately and proportionately, including those specific to the supply chain:
  • Organisations need product aftercare and incident response to ensure systems are secure over their lifetime;
  • All organisations, including sub-contractors, suppliers and potential 3rd parties, work together to enhance the security of the system;
  • Systems are designed using a defence-in-depth approach;
  • The security of all software is managed throughout its lifetime;
  • The storage and transmission of data is secure and can be controlled;
  • The system is designed to be resilient to attacks and respond appropriately when its defences or sensors fail.

Barzilai says cars enter production with thousands of hidden security bugs. It is unavoidable, as all software has bugs and cars have between 10m to 100m lines of code, in each car. As autonomous cars get more sophisticated and as more human navigation tasks, such as looking around and steering, move to the car, the danger increases. Hackers can hack into a car through its internet-connected features such as the vehicle-to-vehicle (V2V) communications system, and once in, they can work their way into the rest of the car’s controls.
 
However, he says, cars have a significant cyber-security enabler, which should not be overlooked. Cars should run as they operate in-factory. Any unauthorised change to factory settings must be malware. Hardening the car’s externally-connected controllers according to their factory settings prevents cyber-attacks, when hackers try to exploit security bugs, before hackers succeed to infiltrate the car and without sending frequent security patches to the field.

UTC

Related Content

  • March 21, 2018
    Hikvision showcases AI Check-Point cameras
    Hikvision is presenting a check-point camera that aims to brings artificial intelligence (AI) to critical infrastructure support at Intertraffic. The platform uses automatic number plate recognition, classification and automotive dead reckoning to detect and track criminals and identify unlicensed or uninsured drivers.
  • July 1, 2013
    Kuwait seeks web-based traffic demand management
    The United Nations Development Programme in Kuwait (UNDP) has issued a tender for the development of web-based traffic demand management, road safety and enforcement project for the State of Kuwait. Tender documents and more information are available here. UNDP will arrange site visits to the State of Kuwait traffic control centre, Planning and Research Directorates, training centre, and police patrol operations centre to enable potential suppliers to obtain more information on existing traffic management
  • October 17, 2019
    Waymo may operate AVs in Phoenix ‘without safety driver’
    Ride-hailing company Waymo may be about to start operating fully-autonomous vehicles (AVs) to pick people up - without a safety driver. An email sent to users, which appeared on Reddit, said people in Phoenix, Arizona, who were matched with an AV will see a notification in the app that confirms the car will not have a trained driver. Users can tap a ‘What to Expect’ button within the app to learn more about the AVs. They can also communicate with a rider support agent at any part of the trip via the app o
  • January 25, 2016
    USDOT sponsors new connected vehicle webinars
    The US Department of Transportation (USDOT) is sponsoring three webinars to assist the Connected Vehicle Pilot sites, early installers and other interested stakeholders, as part of the Connected Vehicle Pilot Deployment Program Technical Assistance Webinar series, which began last month. The Connected Vehicle Pilot Deployment Program seeks to combine connected vehicle and mobile device technologies in innovative and cost-effective ways. Ultimately, this program will improve traveller mobility and syste