Connected cars and cybersecurity: a perfect storm?


Publication type:

Conference Paper


Gerpisa colloquium, Paris (2017)


David Morris
Garikayi Madzudzo
Alexeis Garcia-Perez
Centre for Business in Society
Coventry Business School
Coventry University
March 2017
The automotive industry is built on a foundation of engineering and process rigour. However, this narrow professional focus is under pressure as vehicles enter the realm of connectivity and, consequently, cybersecurity threats. Vehicle development is evolving from familiar mechanical systems to electromechanical constructs with highly integrated hardware and software subsystems forming in-vehicle computer networks (Checkoway et al., 2011; Sagstetter et al., 2013). OEMs are beginning to contemplate the strategic shift from being carmakers to becoming mobility service providers (“servitization”). The constant addition of new connected services and features embodying unfamiliar technologies will require OEMs to become part of a complex ecosystem of traditional suppliers, ICT giants such as Apple and Google, telecoms providers, technology start-ups and aftermarket service providers. The days of the seatbelt as the symbol of automotive safety are long gone.
As cars increasingly incorporate in-vehicle computer systems to improve vehicle safety, security and comfort, the threat of cybersecurity vulnerabilities increases. The creation of a new product in the automobile industry is a complex task, characterised by uncertainty and variability. The rapid development of connected cars further emphasises these challenges.  Cooperation of OEMs and their suppliers in the form of cybersecurity knowledge sharing is an important aspect in developing cybersecurity vulnerability solutions.
Vehicular evolution ushered in by computerised control has paved the way to an array of potential cybersecurity incidents. Increased V2I connectivity through infotainment and telematics systems dramatically increases the risk of security breaches (Checkoway et al., 2011; Koscher et al., 2010; Weimerskirch et al., 2012). In addition, the deployment of complex software increases the potential for coding errors and software defects (Onishi, 2012; Trim et al., 2014). The very rapid advances in EV charging systems linked to the “smart grid” introduce another new array of cybersecurity attack opportunities and threats.
The development of vehicle-to-cloud-to-everything networks results in even greater potential vulnerabilities. These challenges not only affect auto designers, developers and producers, but also have major repercussions for other sectors, for example the insurance industry and regulatory bodies. Even though modern cars are pervasively computerized and open to remote compromise from many attack vectors (Checkoway et al., 2011), the protection of automotive control systems against manipulation has only very recently prompted major concern.
Cybersecurity knowledge sharing efforts between OEMs have been focused on providing security for communication systems and user data. This has led to several attempts to create alliances between OEMs in a bid to swap cybersecurity data and to keep abreast of the latest hacking threats targeting connected vehicles. For example, the AAM (Alliance of Automobile Manufacturers) has created the ISAC (Information Sharing and Analysis Centre). ISAC data is available for automakers worldwide; however, the lack of economic incentives to participate and share effective and useful information has limited its success (Vanian, 2015).
The automotive industry can learn from the computing domain, where several standards and initiatives have developed to facilitate cybersecurity information and knowledge sharing, even though the computing domain is yet to fully come to grips with cybersecurity vulnerabilities (Kumar 2005). One reason why we still face cybersecurity vulnerabilities is that it is complicated to ward off attacks that are continually being adapted to exploit system weaknesses, especially given that such weaknesses are often caused by careless design and integration flaws. Dandurand et al. (2013) argue that there is a strong requirement for improved information sharing and automation in the cybersecurity domain. Brown (2015) argues that, in the field of cybersecurity information sharing, there are fundamental barriers, such as those raised by privacy and law, which require further research.
However, many of the major cybersecurity threats facing us today derive not from ICTs themselves but from human error. The most serious breaches are the product of multiple failings in people, processes, procedures and technology. As one prominent group of consultants has observed:
“Cyber security isn’t just about technology, it’s also about psychology and sociology. It’s easy for engineers to believe that the most important solution is the thing with the most flashing lights, but in the world of cyber security, it’s often the behaviour of people that actually determines the outcome” (PWC, 2014).
Despite modern cars being pervasively computerized and open to remote compromise from many attack vectors (Checkoway et al., 2011), the protection of automotive control systems against manipulation has only very recently prompted major concern.  Cybersecurity issues should form a major and increasingly exposed part of the current automotive industry agenda.  The complexity of the issues, the range of levels (individual to global) impacted by cybersecurity failures, the very high costs (social, reputational, policing as well as financial) of cybercrime in the sector, the level of investment being made by auto manufacturers in smart technology innovations to their products, the global structure of the industry, and the highly pervasive and mobile nature of the product all underline the importance of the issues introduced in this paper. Connected cars might just be the site of the perfect cybersecurity storm.
Brown, Cameron S.D. (2015). Investigating and Prosecuting Cyber Crime: Forensic Dependencies and Barriers to Justice. International Journal of Cyber Criminology, 9.9: 55-199
Checkoway, S., McCoy, D., Kantor, B., Anderson, D., Shacham, H., Savage, S., Koscher, K., Czeskis, A., Roesner, F., and Kohno, T. (eds.) (2011) USENIX Security Symposium. 'Comprehensive Experimental Analyses of Automotive Attack Surfaces.': San Francisco 
Dandurand, Luc and Serrano, Oscar Serrano (2013). Towards improved cyber security information sharing. Cyber Conflict (CyCon). 2013 5th. IEEE International Conference, June 4-7.
Koscher, K., Czeskis, A., Roesner, F., Patel, S., Kohno, T., Checkoway, S., McCoy, D., Kantor, B., Anderson, D., and Shacham, H. (eds.) (2010) Security and Privacy (SP), 2010 IEEE Symposium on Experimental Security Analysis of a Modern Automobile: IEEE 
Onishi, H. (ed.) (2012) 2012 4th International Conference on Cyber Conflict, CYCON 2012. 'Paradigm Change of Vehicle Cyber Security'. 5-8 June 2012, Tallinn.
Sagstetter, F., Lukasiewycz, M., Steinhorst, S., Wolf, M., Bouard, A., Harris, W. R., Jha, S., Peyrin, T., Poschmann, A., and Chakraborty, S. (eds.) (2013) Proceedings of the Conference on Design, Automation and Test in Europe. Security Challenges in Automotive hardware/software Architecture Design: EDA Consortium 
Trim, P. and Lee, Y. (2014) Cyber Security Management: A Governance, Risk and Compliance Framework. Surrey, England: Gower Publishing Limited 
Vanian, Jonathan (2015). Automakers Unite to Prevent Cars From being Hacked. Fortune, July 15.


Weimerskirch, A. (ed.) (2012) SAE Government/Industry Meeting, Washington DC. 'Security Considerations for Connected Vehicles' 

