Documente Academic
Documente Profesional
Documente Cultură
www.theiet.org/cyber-security
www.ktn-uk.co.uk
Contents
Executive summary
Introduction
Terminology
A known problem?
11
12
13
14
15
References
16
Images courtesy of iStock. The library images used in this Review appear as generic illustration only, and do not denote or refer to specific types of technology.
Automotive Cyber Security: An IET/KTN Thought Leadership Review of risk perspectives for connected vehicles
Safety first: one compelling reason to connect cars via wireless links is to reduce the risks of collision on the road
Executive summary
Automotive Cyber Security: An IET/KTN Thought Leadership Review of risk perspectives for connected vehicles
Introduction
It is confidently presumed that new cars travelling future
highways will be connected. Powerful communications
capabilities will be built-in to automotive systems
designed to facilitate a variety of driving functions and
other enhanced features. Internal control systems will
exchange data via complex internal networks; other
applications that interface with drivers through dashboard
displays and devices could share information with other
connected vehicles; they could also exchange data with
connected roadside entities, such as streetlights, that are
also linked-in to the Internet of Things (IoT).
The one- and two-way electronic communications
systems that road vehicles have increasingly been
equipped with over recent decades, such as radio
receivers and transmitters, have been augmented by
links to cellular voice/data devices and to satellite signals.
In-vehicle infotainment networks, and the notion of caras-hot-spot, have been introduced by automotive OEMs
The gaps between the computer technology built-in to vehicles, and computer
technology taken into vehicles, is narrowing
Automotive Cyber Security: An IET/KTN Thought Leadership Review of risk perspectives for connected vehicles
Terminology
When starting to consider the broad issues necessary
for an understanding of cyber security in the automotive
sector there can be a tendency to draw comparisons with
what might be termed the mainstream cyber security
market, where the protection of personal computing
devices, enterprise information and communications
technology (ICT) systems, and industrial control systems
(ICSs), most notably, has escalated into a matter for
national concern over the last 15+ years.3
A range of cyber security issues are regularly discussed
using technical terms whose meanings will not only be
unfamiliar to many within the automotive sector, but
also hold different meanings to those working within
the cyber security market itself. The very words cyber
and security may have very different connotations for
automotive engineers, for instance, where security is
also used in the context of a vehicles physical security
i.e., its locks and other anti-theft disabling mechanisms.
An example of potential for cross-purpose confusion
between audiences, is the falsely-applied, usually
pejorative, use of the term hack. In computer
programming the term describes an amendment to
Many car owners increasing rely on connected technology-based driving aids: they would be lost without them
Automotive Cyber Security: An IET/KTN Thought Leadership Review of risk perspectives for connected vehicles
There could be many possible reasons why somebody would want to hack in to a connected car: owners themselves might want to tweak their vehicles performance
* The Parkerian Hexad is a six-element checklist of standard information security attributes Confidentiality, Possession/Control, Integrity,
Autheticity, Availability, and Utility proposed by Donn B. Parker in 1998.
Automotive Cyber Security: An IET/KTN Thought Leadership Review of risk perspectives for connected vehicles
Automotive Cyber Security: An IET/KTN Thought Leadership Review of risk perspectives for connected vehicles
Connected carriageways: communications technology built into cars enables them to share data with eachother and the wider world
Automotive Cyber Security: An IET/KTN Thought Leadership Review of risk perspectives for connected vehicles
A known problem?
As well as opportunities, the advent of the connected
car brings several major challenges to the automotive
sector, and will affect the operating models of OEMs,
distributors, dealers and mechanics, road infrastructure
managers, law-makers, and of course drivers and
their passengers. In the public domain verifiable
information about automotive cyber security risk levels
is scattered, and can tend toward the sensationalist.
How far car makers have gone, and still have to go, in
terms of treating vehicular cyber security as seriously as
passenger safety, for instance, is not easily discoverable.
Some manufacturers, however, have acknowledged their
awareness of the issues, and say that they are on top of
the challenge.7
Even without their new connectivity, cars represent
much more than powered driving machines. Insurance
is a hugely influential governing factor in the automotive
market. Questions of liability with respect to driving
mishaps of any kind can turn unexpectedly contentious,
and could prove a factor in drawing attention to any
disquiet over whether more detailed information about
the provisions automotive OEMs are making in order
to counter any threats. But concern about how this
connected technological evolution may play-out is being
voiced from within the automotive sector itself, even if
not especially stridently from its OEMs.
Interviewed by The Times newspaper toward the end of
December 2014, Edmund King, President of motoring
organisation the AA (and Visiting Professor of Transport
at the University of Newcastle), acknowledged the
hacking threat to drivers of connected cars: If cybercriminals targeted automobiles like theyre targeting
other things, wed be in for a hard and fast ride, he
said.8 That a senior industry figure like Mr King has
gone on the record to express his forebodings indicates
that concerns over whether automotive cyber security is
receiving the full measure of attention that it warrants,
are both timely and legitimate.
Media interest in
automotive cyber security
Edmund Kings remarks at the end of 2014 followed a
marked increase in published expressions of concern
regarding automotive cyber security risks. These
appeared against a media background where computer
security in general was a hot topic. Here are some
specimen headlines:9
n Security
Automotive Cyber Security: An IET/KTN Thought Leadership Review of risk perspectives for connected vehicles
10
Automotive Cyber Security: An IET/KTN Thought Leadership Review of risk perspectives for connected vehicles
One way to access a vehicles data systems is via the connect ports intended for use by car mechanics when conducting diagnostic tests
11
Automotive Cyber Security: An IET/KTN Thought Leadership Review of risk perspectives for connected vehicles
12
Foreseeable motives:
n Data
n Extortion
/ denial-of-service threat
n Fraud and deception (altering or deleting schedule
logs and records)
n Freight and goods theft (activating false alarms that
cause goods to be left unattended)
n Automotive Hacktivism cyber-infiltration of a vehicles
systems that is politically- or ideologically-motivated
n Immobilisation
n Mischief and malevolence individual hackers testing
defences and their skills; or wanting to inflict damage
and/or disruption out of spite
n Premises security and burglary vehicle data that
reveals businesses and homes are unoccupied
Secondary motives:
n
Automotive Cyber Security: An IET/KTN Thought Leadership Review of risk perspectives for connected vehicles
13
Automotive Cyber Security: An IET/KTN Thought Leadership Review of risk perspectives for connected vehicles
Automotive Council
The Automotive Council was established in 2009 to
enhance dialogue and strengthen co-operation between
UK government and the automotive sector. The Council
is made up of senior figures from across industry and
government. http://www.automotivecouncil.co.uk.
14
Automotive Cyber Security: An IET/KTN Thought Leadership Review of risk perspectives for connected vehicles
15
Automotive Cyber Security: An IET/KTN Thought Leadership Review of risk perspectives for connected vehicles
References
1 Alliance initiates new security forum AutoAlliance media alert,
July 2014
http://www.autoalliance.org/index.cfm?objectid=ACE2D720-0DD511E4-869F000C296BA163
2 Hacking the Internet: bringing down infrastructure Engineering &
Technology, September 2013
http://eandt.theiet.org/magazine/2013/09/hacking-the-internet.cfm
3 Industrial control systems and SCADA cyber security Engineering
& Technology, August 2014
http://eandt.theiet.org/magazine/2014/08/cyber-security-newbattlefront.cfm
Edward Snowden on Cyber Warfare PBS Online, January 2015
http://to.pbs.org/145VaH8
4 Car Hackers Handbook by OpenGarages
http://opengarages.org/handbook/
14 Want a safe car? Check its cyber safety rating - CNET, August
2014
http://www.cnet.com/uk/news/want-a-safe-car-check-its-cybersafety-rating/
http://www.gsma.com/connectedliving/wp-content/uploads/2013/06/
cl_ma_forecast_06_13.pdf
http://www.telegraph.co.uk/technology/internet-security/10980899/
Chinese-hackers-target-Tesla-Model-S-electric-car.html
http://www.theguardian.com/technology/2013/feb/13/gps-jammersuk-roads-risks
16 CarShark Software Lets You Hack Into, Control And Kill Any Car
Jalopnik, May 2010
New jamming devices block both GPS and Galileo Engineering &
Technology, February 2014
http://jalopnik.com/5539181/carshark-software-lets-you-hack-intocontrol-and-kill-any-car
http://eandt.theiet.org/news/2014/feb/gps-jamming.cfm
www.autosec.org/pubs/cars-usenixsec2011.pdf
http://www.ibtimes.com/gms-new-cybersecurity-chief-aims-thwartelectronic-car-hackers-1695148
www.autosec.org/pubs/cars-oakland2010.pdf
http://www.itpro.co.uk/security/22878/security-researchersraise-concerns-over-car-cyber-safety
n Hi-tech
1/9/14
http://www.bbc.co.uk/news/technology-28886463
n Is
http://www.theiet.org/sectors/built-environment/design/bim-cybersecurity.cfm
http://www.livescience.com/48310-car-hacking-security-threats.html
n Connected
http://www.ft.com/cms/s/0/e663c6fa-643b-11e4-bac800144feabdc0.html#axzz3PI64yfwE
http://www.autoindustrylawblog.com/2014/06/09/is-it-a-car-or-acomputer-on-wheels/
The Institution of Engineering and Technology (IET) is working to engineer a better world. We inspire, inform and influence the global engineering community, supporting
technology innovation to meet the needs of society. The Institution of Engineering and Technology is registered as a Charity in England and Wales
(No. 211014) and Scotland (No. SCO38698). Michael Faraday House, Six Hills Way, Stevenage, Hertfordshire, SG1 2AY, United Kingdom.
The Knowledge Transfer Network (KTN) is the UKs Innovation Network. We connect people to speed up innovation, solve problems and find markets for new ideas.
Knowledge Transfer Network Limited is a company limited by guarantee. Registered in England No 8705643. Registered Office: Bailey House, 4-10 Barttelot Road,
Horsham, West Sussex RH12 1DQ.
16