Technology trends, solutions, standards and the future of automotive cybersecurity, with expert interviews, exclusive case studies, and the latest developments
Advanced connectivity, electronics and software are hallmarks of modern vehicles. A typical connected car contains up to 70 ECUs, and about 100 million lines of code. As vehicles expand in terms of technological complexity, they become an attractive target for cyber-criminals.
Security demonstrations such as the famous Miller and Valasek Jeep Cherokee example have provided enough evidence that connected cars should be viewed as a potential attack target. But how does an industry built around making and selling cars pivot to delivering secure software and services?
“Cybersecurity in the connected car: technology, industry, and future” examines the security implications of increasing connectivity and software complexity in connected & autonomous vehicles. It discusses the following elements of automotive cybersecurity:
Key questions addressed
The report addresses the following strategic questions, the answers to which will determine the future of vehicle cybersecurity in the foreseeable future:
Who is the report for?
Methodology
Chapter 1: Introduction
Chapter 2: The problem
2.1 Research experiments and demonstrations
2.2 Early industry and media responses
2.3 Consumer concerns
2.4 Hackers’ motivation
2.4.1 Vehicle and property theft
2.4.2 Information and identity theft
2.4.3 Remotely taking control of a vehicle
Chapter 3: Connected car technology and its vulnerability
3.1 ECU proliferation
3.2 CAN and other bus systems
3.3 Code proliferation
3.4 Specific cyberattack surfaces
3.4.1 The on-board diagnostic (OBD-II) port
3.4.2 Infotainment head units
3.4.3 Bluetooth
3.4.4 USB/CD player/paired devices
3.4.5 In-car Wi-Fi hotspots
3.4.6 In-vehicle apps
3.4.7 Remote keyless entry systems
3.4.8 Tyre pressure monitoring systems (TPMS)
3.4.9 Dedicated short-range communication (DSRC) receivers
3.4.10 Electric vehicle charging port
3.4.11 Cyber-physical systems
3.5 Autonomous vehicles
3.6 Over-the-air (OTA) software updates
3.7 Supply chain security
Chapter 4: Industry responses
4.1 Justifying cybersecurity investments
4.2 Establishing cybersecurity departments
4.3 Collaboration with third-party security providers
4.3.1 Case study: Uber ‘bug bounty’ program
4.4 Software updating
Chapter 5: Legislation and standards
5.1 Government initiatives
5.1.1 The US NHTSA’s Vehicle Cybersecurity Research Program
5.1.2 The 2015 US SPY Car Act
5.1.3 The European Commission
5.1.4 Japan
5.1.5 China
5.2 Industry initiatives
5.2.1 SAE vehicle engineering and cybersecurity guidelines
5.2.2 Auto-ISAC
Chapter 6: Future directions
6.1 Security by design
6.2 Vehicle cybersecurity in layers
6.3 ECU consolidation
6.4 Increased specificity in requests for proposals from suppliers
6.5 Lessons from other industry sectors
6.6 Suggestions for the automotive industry
Appendix 1: High-quality automotive cybersecurity products and services
1 Harman 5+1 Cybersecurity Framework
2 Symantec Anomaly Detection for Automotive
3 NCC-SBD ‘V’ model: Automotive Secure Development Lifecycle (ASDL)
4 Argus Multi-layered Security Protocol
5 Security Innovation Aerolink
6 I AM THE CAVALRY Five Star Cybersecurity Ratings
7 Trillium SecureCAR
8 Karamba Autonomous Security
9 Rambus CryptoManager
10 Arxan Application Security
Figure 1: Miller and Valasek remotely hacking the Jeep Cherokee
Figure 2: KPMG 2016 Consumer Loss Barometer Study
Figure 3: Consumer safety concerns while driving
Figure 4: A mystery device ‘relay’ attack
Figure 5: The main ECUs in a modern vehicle
Figure 6: Reduced wiring connections enabled by CAN bus
Figure 7: Reverse engineering the CAN bus
Figure 8: Trillium’s SecureCAR cybersecurity components
Figure 9: Software complexity in modern vehicles
Figure 10: Remote attack surfaces on a connected vehicle
Figure 11: The Zubie in-car device connected to the OBD-II port
Figure 12: Apple Lightning digital connector for media devices
Figure 13: Nissan Leaf Smartphone app for remote vehicle access
Figure 14: Samy Kamkar’s Rolljam device
Figure 15: TPMS sensors
Figure 16: A V2X ECU connected to ADAS ECUs
Figure 17: Sensor constellation on an autonomous vehicle prototype
Figure 18: Participants at a June 2014 Bosch ‘hackathon’ in Berlin
Figure 19: Automotive industry software recalls during 2015
Figure 20: Data privacy principles: US GAO and EC
Figure 21: US NHTSA budget request for vehicle safety and security research, FY 2016/17
Figure 22: NXP 4+1 cybersecurity framework
Figure 23: The Auto-ISAC task framework
Figure 24: US NHTSA information sensitivity levels
Figure 25: Automotive cybersecurity investment components
Figure 26: The security maturity curve
Figure 27: Security by domain separation
Figure 28: ECU consolidation via software integration
Figure 29: A favourable ecosystem for Tier-1 suppliers
Figure 30: Harman 5+1 Cybersecurity Framework
Figure 31: NCC-SBD Automotive Secure Development Lifecycle
Figure 32: Karamba Autonomous Security
Figure 33: Components of Arxan’s Application Security
Table 1: Vehicle cyberattack types, motivations and attackers
Table 2: Common in-vehicle networking protocols
Table 3: Analysis of cyberattack surfaces
Table 4: Uber ‘bug bounty treasure map’
Table 5: Auto-ISAC cybersecurity best practices overview
Table 6: Cybersecurity investment analysis
Table 7: A layered approach for securing connected vehicles
Author: Shamik Ghosh
Publisher: Autelligence
Published: March 2017
Pages: 63
“Carmakers have to be right every time while hackers only need to be right once, so making a hack-proof vehicle that is still affordable is next to impossible. But they can make a car that is difficult enough to hack with such low payback that most hackers will look for easier targets.” −Gene Carter, director of product management, Security Innovation
“Investing in cybersecurity should not be assessed based on an ROI equation. Vehicular safety systems are intrinsically dependent upon cybersecurity technologies. Those companies that overlook or delay implementation of cybersecurity measures will not be allowed to do business within the transportation industry of the future.” −David M Uze, Chief Executive Officer, Trillium Inc.
Chief Executive Officers, Marketing Directors, Business and Sales Development executives, Product and Project managers, and Purchasing and Technical Directors who need a powerful third-party perspective and overview of the trends and issues in their sector and the potential ramifications for their business.
Autelligence is a leading provider of information to the automotive sector about the market and business implications of product, regulatory and technological developments. Over the last fifteen years Autelligence has supplied its insights to most of the leading vehicle makers and first- and second-tier suppliers. Autelligence staff based around the world conduct regular surveys and discussions with industry experts in Europe, Asia and North America on the key issues that will affect the industry in the coming decade.