Telecom, auto industries need to collaborate on cybersecurity

Sept. 14, 2017
Tech companies and auto companies rarely collaborated on security issues, but that is changing. Vehicle manufacturers and information and telecommunications technology (ICT) companies are working together to proactively address these threats.

As the number of connected vehicles expands, auto-related cybersecurity has received more attention from both OEMs and the federal government.

In August, the Alliance for Telecommunications Industry Solutions (ATIS) released a new report, “Improving Vehicle Cybersecurity: ICT Industry Experience & Perspectives,” that outlines the top threats to connected car security, as well as recommendations on how to better protect those systems from hackers and malware.

Vehicles will be connected via a variety of wireless systems, including dedicated short-range communication (DSRC), Bluetooth, Wi-Fi and cellular networks. Within the vehicle, a number of different systems may communicate over these networks, including telematics, infotainment, navigation and other solutions. Some of these systems may be managed by the OEMs themselves (like GM’s OnStar), while others are provided by third-party tech companies like Apple or Google.

Vehicles will increasingly also receive firmware and software upgrades over the air (OTA), creating additional access points and vulnerabilities.

Tech companies and auto companies rarely collaborated on security issues in the past, but that is changing. According to ATIS, vehicle manufacturers and information and telecommunications technology (ICT) companies are working together to proactively address these threats.

"The network reaches into new frontiers as it provides vehicle connectivity for advanced applications and data collection," says ATIS President and CEO Susan Miller. "This new report positions both the ICT industry and vehicle OEMs to work collaboratively to secure the network and block cyber attacks or malware events. ATIS believes that the connected vehicle's potential will be maximized through this industry-to-industry collaboration."

According to the paper, there are a number of top cyber threats when it comes to vehicles, including:

• Privacy/Security: Data about the vehicle, its performance, or the driver could be compromised by a hacker.

• Commercial Transactions: Hackers could conduct unwanted or unauthorized transactions by accessing toll pass systems, VIN or other identification data, or mobile payment technology that is linked between the driver’s phone and vehicle.

• Operational Interference (Non-Safety): Remotely accessing and controlling vehicle systems such as electric seat controls or temperature controls.

• Operational Interference (Safety): Control or compromise of critical vehicle systems, including brakes, steering, etc.

While vehicle hacking has been rare, all the above types of threats have been proven feasible in tests and demonstrations.

“There haven’t been a lot of malicious attacks so far,” says Tom Gage, CEO and managing director of Marconi Pacific. Gage chairs the ATIS Connected Car Cybersecurity Ad Hoc Group. “Hacking an individual vehicle is risky, but a larger risk is to a whole class of vehicles. If all Fords or Volvos were made vulnerable because of a software deficiency, for example.”

“The thing to watch is how hackers can make money from hacking cars,” says Jim McEachern, senior technology consultant at ATIS. “Ransomware or some version of that could be a possibility. Most of these attacks are motivated by making money.”

Cars also may be accidentally targeted. For example, connected medical devices sometimes are affected by malware because hackers scan all ports looking for computers. A medical device or car that isn’t secure could be infected in a way that affects operational systems.

As cars become more connected, the pathways into the vehicle systems are increasing. Those include internal paths (via connections to personal mobile devices), connections to other vehicles, external wireless networks, satellite connections and cloud access connections.

Some of these connections are managed (such as those provided by wireless carriers or OEMs), while others are unmanaged (such as a personal tablet connected to the vehicle).

Comprehensive security

Because of the large number of companies involved in providing in-vehicle technology systems – OEMs, suppliers, component manufacturers, third-party tech firms, etc. – having security established at a very high level will be important. That means wireless carriers will play an important role in securing access to vehicle systems.

“There needs to be end-to-end security, which means everything from the server that the application resides on remotely into the network, through devices, and into the vehicle,” Gage says. “OEMs have a responsibility to work with their suppliers to be sure there is an integrated security solution.”

"Connected vehicle security requires an ecosystem of end-to-end players to address security threats. Telecommunications carriers play a critical role. But we can't do it alone. This white paper shows how our industry and automobile manufacturers can work together to provide the most secure solutions possible for connected vehicles," adds Cameron Coursey, vice president, Internet of Things Solutions, AT&T.

This collaborative strategy will require what ATIS calls a Connected Vehicle Security Framework that takes an end-to-end approach. This would encompass the connected vehicle domain, network domain and cloud domain (back-end systems). Security models must also be flexible and updatable. Systems should be able to receive over-the-air updates to address new security threats as they emerge.

Among the approaches and best practices ATIS recommends:

• Virtual Private Networks (VPNs) that can provide secure dedicated transmission capabilities, and ensure that all traffic is encrypted end to end.

• The Universal Integrated Circuit Card (UICC), which allows for bi-directional authentication between the endpoint and the network.

• Secure boot capabilities to protect against malware corrupting the operating system.

• Firmware verification using encryption.

• Deep Packet Inspection (DPI) security to identify malicious content before it reaches the vehicle.

• Following the “rule of least privilege” to ensure that each entity only has access to the minimum information and resources needed to perform its function.

• Establishing secure vehicle app stores.

• Providing secure storage in the vehicle to protect keys, firmware updates, certificates and other information.

Because there are so many components involved in vehicle connectivity, a centralized security model could be a good approach. “All communication links would go through a central security module, whether that’s a physical link through a dongle or over the air link through the mobile network,” Gage says. “Everything would cycle through this one module, which would be updated constantly to identify risks.”

What makes this challenging in automotive is that there are a number of entry points, and there may be multiple networks involved – passengers and the vehicle may be using several different wireless networks at the same time.

ATIS also outlined a proposed engagement model between automotive and telecommunications companies. Those steps would include:

• Create a sub-committee of the Automotive Information Sharing and Analysis Center (Auto-ISAC) including telecom, OEM and other supplier members to address cybersecurity and define connected vehicle use cases.

• ATIS could expand its cybersecurity working group to engage vehicle OEMs and share best practices. Those could include establishing ongoing monitoring of vehicle connectivity by carriers, providing fully managed vehicle connections, and ensuring secure, guaranteed delivery of content to vehicles.

• ATIS and Auto-ISAC could reach out to other industry groups to share best practices. Such groups could include the 5G Automotive Association, European Union Agency for Network and Information Security, etc.

Gage says that the federal government can play a role by conducting more research and encouraging adoption of industry best practices. He points to NHTSA’s role in working with industry to accelerate the adoption of automatic braking systems as a good example.

“If we wait for studies to be concluded and data to be certified, we run the risk that we’ll wait too long,” Gage says.


About the Author

Brian Albright

Brian Albright is a freelance journalist based in Columbus, Ohio, who has been writing about manufacturing, technology and automotive issues since 1997. As an editor with Frontline Solutions magazine, he covered the supply chain automation industry for nearly eight years, and he has been a regular contributor to both Automotive Body Repair News and Aftermarket Business World.
