‘Smart vehicles’, internet-connected cars will have to be better protected from hackers, says the UK Government which has issued new guidance.
Smart vehicles let drivers access maps, travel information and new digital radio services from the driving seat. But, says the Department for Transport, it is feared hackers could target them to access personal data, steal cars that use keyless entry, or even take control of a car for malicious reasons. Hence the guidance, with the CPNI (Centre for the Protection of National Infrastructure). Its principles cover organisations having accountability at board level; risks (including to the supply chain); product after-care, such as identifying vulnerabilities, and response, data forensics; a ‘defence in depth’ approach; transmission and storage of data; and resilience against corrupt, invalid or malicious data or demands. All this includes contractors and suppliers.
The Government says that it’s looking at broader work as announced in this year’s Queen’s speech under the Autonomous and Electric Vehicles Bill that aims to create a new framework for self-driving vehicle insurance. Measures to be put before Parliament mean that insuring modern vehicles will provide protection for consumers if technologies fail. This comes alongside new guidance that means manufacturers will need to design out cyber security threats as part of their development work.
Transport Minister Lord Callanan said: “Our cars are becoming smarter and self-driving technology will revolutionise the way in which we travel. Risks of people hacking into the technology might be low, but we must make sure the public is protected. Whether we’re turning vehicles into wifi connected hotspots or equipping them with millions of lines of code to become fully automated, it is important that they are protected against cyber-attacks. That’s why it’s essential all parties involved in the manufacturing and supply chain are provided with a consistent set of guidelines that support this global industry. Our key principles give advice on what organisations should do, from the board level down, as well as technical design and development considerations.”
Comments
Mike Hawes, Society of Motor Manufacturers and Traders Chief Executive, described it as an important step. Likewise Russell Goodenough, Client Managing Director: Transport Sector, Fujitsu, said: “These cyber security principles are an extremely positive development. We know that driverless cars are coming to our roads, and faster than many people anticipate. However, there remain fundamental challenges to be addressed, which are continuing to fuel doubt and even resistance amongst the public regardless of evidence from long term studies. The issues of security and data privacy are crucial: we have already seen numerous cases of road signage and connected cars being hacked, and as autonomous vehicles become more commonplace there could be a very real threat to the public. In addition, the entire connected cars supply chain must work with others in the transport sector to ensure that security is built in from the ground up, to deliver security, integrity and peace of mind.
“There are also other questions about how exactly we want autonomous vehicles to fit into our society and national transport architecture. For example, driverless cars could revolutionise intercity and rural transport by picking up passengers on an ‘on demand’ basis, if considered in isolation it could diminish the role of buses and local rail services but if thought through could alleviate some of the pressures on what are often expensive and subsidised services. In cities, fleets of driverless cars could significantly reduce the need for parking spaces, opening up space and fundamentally changing the urban landscape, but the impact of congestion is hotly debated. To reap the full benefits of driverless cars, all stakeholders in the transport sector must begin to have these conversations now but these cyber security principles are a welcome first step.”
Leigh-Anne Galloway, Cyber Security Resilience Lead at Positive Technologies, said: “The proposed key principles sound reasonable, but we doubt it’s enough to provide security when it goes to real tech.
“The most doubtful principle is the last one, saying the system should “respond appropriately when its defence or sensors fail”. If the sensors have not failed but are compromised, they can provide wrong data and endanger human lives. The possible solution is to use more sources of data, not just from this car but from other cars, from the road infrastructure including traffic cameras and interactive maps. Smart vehicles security cannot be considered in isolation, it’s part of a bigger, more complex system of the whole city.
“Another principle that would be hard to put in practice is the one saying “all organisations, including sub-contractors, suppliers and potential third parties, work together to enhance the security of the system”. Although we agree with this guideline, some of the recent IoT incidents prove this concept to be hardly possible. Telecom providers don’t know about the vulnerabilities in their routers made somewhere in China. Security guards don’t know about the back doors in the surveillance cameras they use. If you want to get the whole coordination of all the supply chains and controls of a smart car production you need something like NASA mission control center.”
And Raj Samani, Chief Scientist and Fellow at IT security product firm McAfee, said: “With the county’s strong manufacturing heritage, it’s unsurprising that the government has high hopes for the UK to be a global leader in driverless car technology. The new cybersecurity guidelines will be a key step in achieving this goal, with the security of the car’s network paramount to the safety of the driver and those in the car’s vicinity. Driverless vehicles must be secure by design, and the government’s new guidelines will undoubtedly play a key role in ensuring that UK car manufacturers make that happen.”
For the guidance visit https://www.gov.uk/government/publications/principles-of-cyber-security-for-connected-and-automated-vehicles.
