Even though connected cars should meet the highest level of security, safety, and performance, we know this is not always the case. In this interview, Moshe Shlisel, CEO at GuardKnox, discusses today’s most pressing issues related to automotive security.
What are the most significant challenges related to the creation of a detailed threat taxonomy for the connected vehicles ecosystem?
The trend in the automotive industry is to add solutions that entail more connectivity, such as IT-based solutions. But, to effectively thwart cyber threats, vehicles require cyber security solutions without the need for constant connectivity and which are suited for moving platforms unlike traditional IDS/IPS solutions and firewalls. While greater automotive connectivity promises to significantly enhance the driving experience, it also creates new attack vectors for hackers to exploit.
Vehicles should not need constant human interaction with the cybersecurity aspects of a vehicle in order to prevent cyber-attacks. To ensure that the foundation of a vehicle’s critical security system is safe, vehicles must be secure by design: security must be embedded within every aspect of the vehicle. There will always be new threats, but a car should be capable of stopping cyberattacks through standalone solutions that do not require any human intervention, and which are not learning mechanisms but rather deterministic.
What are the most pressing and actionable good practices manufacturers can do in order to improve the cybersecurity of connected cars?
Simply put, going forward, all vehicles must be secure by design. Cybersecurity should be embedded from the first stages of a car’s design, well before they’re manufactured. Treating cybersecurity as an afterthought is a surefire recipe for failure. As it is, there are millions of connected and semi-autonomous vehicles on the road with no cybersecurity that will require after-market cyber protection. Drop-in, hardware-based aftermarket solutions will be needed to adequately secure vehicles on the road. Ultimately, automakers must ensure that critical-safety systems in vehicles are not vulnerable to hackers’ exploitation techniques.
The time is now for manufacturers to embrace these good practices, as potential threats grow more and more severe. Hackers, for instance, could remotely interfere with a connected vehicle and disrupt safety critical systems and functions including the engine, brakes, and steering wheel, causing the driver to lose control. On a larger scale, a hacker could enter a single vehicle and access an entire fleet, as a fleet is only secure as its least-secure vehicle.
As drivers crave more personalization and customization features, vehicles will be even more connected and will need the ability to host and process in-vehicle updates safely. Each connected car and each vehicle component – from telematics to infotainment to GPS and beyond – must therefore be cyber-secure.
What type of security controls and policy initiatives would you like to see when it comes to connected vehicles?
As cars have more connected and autonomous features (even partially autonomous), they are extremely susceptible to malicious cyberattacks and could potentially be weaponized. Federal lawmakers should enact legislation – with the input of cybersecurity experts – setting uniform safety standards across the board for these vehicles. We see the beginnings of this in the U.S., as several bills – such as the SPY Car Act and AV START Act – have been drafted surrounding connected and autonomous vehicles, but no bill has yet succeeded.
We offered comments for legislation, but federal standards still remain voluntary. Until governments authorize rigorous vehicle cyber standards, drivers, passengers, pedestrians, and cargo are in harm’s way. It took well over 20 years for seatbelts to be properly regulated – this should not be the case for cybersecurity.
In addition, ISO and SAE have joined forces to establish and standardize automotive cybersecurity from the concept phase to post-deployment when vehicles are in customer’s hands with the new ISO/SAE 21404 standard.
How do you see the cybersecurity of vehicle systems evolve in the near future? What should consumers look out for?
Cybersecurity is a cat and mouse game and hackers must continue to be fought with smarter technology. All new connected vehicles will need to be secured during manufacturing, and all connected vehicles already on the road will need to be retrofitted with robust aftermarket cyber secure solutions.
Consumers should be looking for full end-to-end solution that addresses all vulnerabilities including but not limited data transfer and OTA updates in and out of the vehicle. Cybersecurity solutions must empower automakers and consumers with the freedom to evolve to meet the changing needs of connected cars safely and securely.
It’s important to note, however, that it’s not only cybersecurity that manufacturers should be focused on. Drivers continue to demand a better in-vehicle experience; therefore, automakers must offer products that enable high-performance computing that is secure by design.
Yet, while consumers are demanding a safer, more innovative, in-vehicle experience, the current electronic architecture in vehicles does not enable the automotive services model to securely support vehicle applications, functions, and data usage. Technology must empower automakers to address increasing consumer demand for a personalized and secure driving experience while simultaneously opening up a new revenue stream for OEMs.
Consumers have the right to know, when they are buying a car, that the vehicle comes equipped with cybersecurity. A cybersecurity rating system might be in order so consumers understand that their vehicles are secure and feel protected.