In early April 2017, the valuation of electric and autonomous-driving automaker Tesla exceeded that of both Ford and GM for the first time.
The metaphors and messages around this shifting paradigm are numerous and far-reaching. For DarkMatter as a cyber security specialist, the most pertinent aspect of this progress is what it signifies for the state of cyber security around these highly complex, real-time, and rapidly expanding digital systems.
Late last year, the UAE’s Roads and Transport Authority (RTA) announced the testing of a smart autonomous vehicle in Dubai, which has the capability to travel for up to eight hours before requiring a recharge. The trial forms part of RTA’s plan to test autonomous vehicle operations in the smart city’s climate and is in line with the Dubai government’s target to have 25 per cent of all journeys made by driverless transport by 2030.
This rapid technological advancement involves the processing of zettabytes of digital calculations and output, which need to be organised and actioned in real-time. Similar in many ways to the airline industry, the margin for error in this new operating environment has been reduced to near zero, and thus the necessity to secure and maintain the system’s integrity is at an all-time high.
Staying abreast, and ideally ahead, of the cyber threat landscape in the face of the rapid pace of digitisation is one of the greatest challenges today. New threats and vulnerabilities emerge on a daily basis, and, like many sectors, the auto industry has been relatively slow to develop the necessary security mechanisms for greater resilience and response.
At the Hack in The Box hackers’ conference in Amsterdam, one workshop was entitled ‘Practical Car Hacking’. The key learnings from the session were: “understanding of vehicle electronic systems, how to communicate with these devices via wired and wireless protocols, and advanced understanding of methods for bypassing normal and secure operations of vehicle controllers.”
What these developments represent is our emerging reality – the fact that the pace of technological change is quickening. Auto companies are increasingly plugged into cyber threats and have shown early commitment to hardening cars against cyber sabotage, from data loss to safety-critical situations. However, more still needs to be done, as the industry works more closely with smart city planners and regulators to develop standards that help detect and prevent attacks.
Paying attention to hardware and software vulnerabilities and the security of telematics and safety systems is critical. Just as personally identifiable information should be compartmented and firewalled, so should the hardware and software in a car. We are seeing expanding and predictable growth in attempted attacks on vehicular systems, and it stands as only the latest mode of transportation demanding the highest levels of cyber security resilience in a rapidly digitising world.
In the aviation industry for example, late last year a cyber security professional claimed a security flaw in the Panasonic Avionics inflight system could place passenger information and safety at risk, and disrupt the flight experience.
The system is used by several airlines worldwide, and the cyber security specialist claimed he had managed to hijack inflight displays to change information such as altitude and location, control the cabin lighting and hack into the announcements system. He said he was also able to exploit the flaw to access the credit card details of frequent fliers stored in the automatic payment system, with ultimate concern being expressed as to whether such a vulnerability could potentially be used to access the aircraft’s secure operations and avionics controls.
There is definitely an awareness of the mounting risk to the airline industry posed by cyber security threats given the widening attack surface created by the increased collaboration and information sharing amongst airlines, airports and air traffic management companies.
The industry is trying to address this, and in September 2016 an industry task team presented its recommendations on a declaration on cyber security to the International Civil Aviation Organisation (ICAO), when the United Nations body met for its regular triennial gathering.
The recommendations helped develop a standard methodology for detecting cyber threats to the aviation industry, protecting against them, and mitigating them. This approach does not completely solve the problem, though it has created an industry-wide basis from which cyber security in the sector can be more closely monitored and pro-actively approached and defended against.
The auto industry would do well to follow in the steps of the aviation sector. While automakers are making positive strides, they risk applying to their cars the same fragmented approach to cyber security that we have previously seen in their IT and telematics systems. Many businesses protect their data sporadically, patching gaps with a firewall here or access control there.
The more hi-tech a car is, the greater the number of possible endpoint vulnerabilities. True cyber security must be built into every device from the very beginning, ensuring that the hardware has been hardened against attack and guaranteeing that the software in the command centre of every car has been tested rigorously.
Also, because a car is made up of parts and hardware and software systems from many vendors, each auto manufacturer must take ultimate and singular responsibility for the security of the vehicle as a whole, and coordinate all the security across the vehicle as an ecosystem.
The time to strengthen these procedures and shore up the cyber defences is now. By 2020, 25 per cent of all cars shipped will support different levels of autonomy, and that proportion will climb to 44 per cent by 2025, according to Navigant Research. Automaker Ford hopes to have fully autonomous vehicles on the road by 2021. It is also time to reach out to global regulators and include their requirements as the auto business is an international one.
A shortage of the necessary cyber security skill-set within the auto manufacturer is no reason not to deliver on cyber security requirements. For companies without hacking expertise or the resources to perform constant, iterative testing, external contractors can deliver some of the world’s best cyber defence knowledge at appropriate levels of expense to the business.
Eddie Schwartz is DarkMatter’s executive vice president of cyber services