Stacy Janes, chief security architect – automotive at Irdeto, discusses how vehicle security and convenience can be balanced.
Increased connectivity in vehicles brings additional vulnerabilities that hackers will exploit. However, rather than being seen as a burden, security can be an enabler for new connected and autonomous business models.
There is a clear drive from inside and outside of the transport industry to advance connected technology in vehicles and achieve a fully autonomous vehicle future. Whether this is consumer vehicles or commercial vehicles and fleets, the appetite seems the same. Yet the clamor isn’t only coming from the companies developing the technology, transportation businesses and even regulators are similarly motivated.
For example, in the USA, the State Department of Motor Vehicles (DMV) in California announced earlier this year that self-driving cars backed up by a remote human operator could be tested on roads in the first half of this year. While in the UK, the chancellor announced in the November 2017 budget that there would be regulation changes, with a view to having driverless cars in operation in the UK by 2021. The EU has also now got in on the act, announcing in May that it would develop rules for autonomous vehicles.
This focus on an autonomous future is perhaps not surprising when you consider the benefits of connected and autonomous vehicles to businesses and consumers, not to mention the potential wealth of valuable data that could be harnessed.
However, before considering these benefits, it is important to look at the state of connected transportation security today – where the underlying understanding must be that this technology cannot become a reality safely, without robust security in place.
Addressing security challenges
In the world of connectivity, security exists to allow businesses to bring connectivity to their customers without also exposing them to the associated risks that are inherent with being connected. In the case of connected and autonomous vehicles, security is therefore a fundamental element of the overall safety of the vehicle.
However, protection of only the vehicle itself is not enough, particularly in the case of autonomous vehicles. OEMs must also consider the entire connected vehicle ecosystem, including the security of the roadside units in V2X. This is because they will not be able to rely solely on the security of the communication itself as the attack may come from the end-point.
The main challenge in connected and autonomous vehicle security lies in the fact that hackers continuously evolve their attack strategies. This makes security almost a cat and mouse game and, in the past, hackers have exploited vulnerabilities to access vehicle ECUs, CANbus systems, intelligent transportation systems (ITS) or even automotive apps through the cloud.
Potential attacks also include man-in-the-middle and man-at-the-end attacks, remote and in-vehicle tampering, and reverse engineering.
Achieving an overall security balance is therefore about knowledge – about the threats against the business and the vehicle as it operates in a connected ecosystem, and how those threats can be mitigated through an efficient security-in-depth strategy.
Enabling business opportunities
While security is crucial from a safety perspective, it can also act as a platform to enable new services and potential revenue streams. This will become an increasingly important consideration as we see the industry evolve and vehicle usage and behavior change from both a consumer and business perspective.
For example, as cars become autonomous at different levels, the OEM’s business model has the potential to shift from personally owned vehicles to a fleet model.
In this eventuality, implementing secure Mobility as a Service and transportation-as-a-service business models will not be a ‘nice to have’, it will become essential to maintain a competitive edge. As a result, protecting business data and securely enforcing policies assigned to the vehicle is crucial to allow business owners to deliver customizable experiences to their customers.
The business itself can also be put at risk if loss of personal data or other security failures drive customers away. OEMs must therefore also have the ability to securely manage and control services offered in the vehicle, as these new business models can only be enabled if they are built on security as a foundation.
The bottom line is that connected and autonomous vehicles as digital assets are creating more opportunities for OEMs and Tier 1 suppliers, from new business models to improved safety. However, it is imperative that vehicle manufacturers balance safety while implementing a convenient, flexible and customizable driving experience for consumers, commercial vehicle and fleet users. It is strong security that will provide the basis to create these profitable new business models for the connected vehicles of today and the autonomous vehicle future that the industry is rapidly moving toward.