Autonomous vehicles are increasingly making headlines and not always for the right reasons. Here, Peter Lane, Information Security Consultant, Xcina Consulting, looks at how networks and systems can be protected from attacks or vulnerabilities
Advances in technology continue on a near daily basis. A strong example of this is Autonomous Vehicles (AVs) and the rate in which they are experiencing rapid growth and acceptance throughout the world. There are several levels of AVs, depending on their degree of autonomy. The levels shown in the table on page 17 have been created by the Society of Automotive Engineers (SAE) and adopted by the US Department of Transportation.
THREATS TO AVs As we commonly see in security, the threats may broadly be segregated by the CIA triad. Confidentiality of information in the vehicle or pertaining to the driver. Integrity of information that the vehicle or organisation rely on. This may be the vehicle sending false data or even receiving false data during what it believes is an 'over the air' software update. Availability, perhaps of the communication systems or worse, the vehicle controls themselves.
Modern vehicles contain tools to aid in the efficiency and overall experience of driving. Unfortunately, they also create a number of vulnerabilities by relying on Electronic Computing Units (ECUs) to conduct the complex processes required for your driver assist and infotainment functions.
This results in up to 100 million lines of code programmed into the ECUs, a significant number when compared to the approximately 25 million lines of code written into the ECUs of a passenger aeroplane. Vehicles contain a myriad of sensors, cameras, radars and Light Detection and Ranging (LIDAR) systems, all of which contain their own vulnerabilities. Common attack vectors are not unique to vehicles: they are shared throughout the wider cybersecurity industry with all connected systems. From unauthorised software modifications to Denial of Service (DoS) attacks, compromising user privacy and vehicle safety is achievable and has been proven on several occasions - see the graphic on page 16 of this issue.
Another target may be the occupants or owner's information. From a private owner's perspective, owning a vehicle and using its technology paints a map of your life and lifestyle. The information you rely on your vehicle for is growing with each new technological development. Owners and organisations need to consider the safety of people in the vehicle and around them, but also need to consider the private data that is at risk. The vehicle itself contains data such as the locations visited and as most drivers now use some level of mobile phone connectivity within the vehicle, their personal data is also vulnerable.
COMBAT THE THREAT Considering the modern vehicle as a form of computer is actually a good first step. How do we protect our networks and systems from attacks or vulnerabilities? The answer is 'Deter', 'Prevent' and 'Detect' the attacks. Unfortunately, the ability to prevent and deter are hampered somewhat by the logistical difficulties in vehicle manufacturing, but progress is being made. Due to the myriad of third parties involved in vehicle manufacture, a holistic approach to security is very difficult to achieve. Components found within a vehicle may come from different companies or even different countries, each with their own approach to security.
In June 2020 the World Forum for Harmonization of Vehicle Regulations under the United Nations Economic Commission for Europe (UNECE) announced the adoption of frameworks to address the increase and significance of software and connectivity in vehicles. This has provided a basis for new regulations that have enacted cybersecurity requirements for future vehicle in more than 60 countries. To help combat the threat, new companies and services are developed. Large automotive manufacturers are now seeking their guidance or use of the products during design and production stages. Porsche, for example, enlisted GuardKnox (an Israel-based cybersecurity and technology company) to improve the cybersecurity of vehicles produced.
This leaves 'Detect'. Fortunately, the reliance on computing plays to our favour here. The Controller Area Network (CAN) is a communication protocol found in most modern AVs and is responsible for relaying information between sensors in the vehicle.
Whilst this has been seen in the past as a vulnerability with weak security, many companies are now working to rely on the CAN to feed an interior Intrusion Detection System (IDS). Paired with network behavioural analysis or machine learning, the IDS will alert a driver or designated entity when malicious activity
is suspected. Unfortunately, this will not stop malicious actors finding new vulnerabilities in the system throughout the vehicle's lifespan, but it does address the previously mixed approach to security by design. Owners and organisations can implement small security procedures through their own practice to lower certain risks:
- Adopt strict password procedures (complex and changed regularly)
- Organisations may use network segmentation for connected vehicles in their fleets
- Limit the use of GPS services, use them only when needed
- Educate users on security implications and risks to personal or company data.
If all else fails, Ferrari announced in June 2022 that they will limit autonomy in their vehicles to Level 2. Whilst their intention is to preserve 'emotion' for the driver, less autonomy will aid in less security vulnerabilities that we have discussed in this article. However, one might argue that not everyone can afford that choice.
ADVICE & SUPPORT If your firm would benefit from our advice and support, visit us at www.xcinaconsulting.com. We provide our clients with pragmatic advice and guidance to ensure the protection of connected devices.
For more information, contact us at: info@xcinaconsulting.com
