Today’s Smart Connected World is evolving with AI (Artificial Intelligence), RPA (Robotic Process Automation), IoET (Internet-of-Everything), Edge Computing and Next Generation 5G Core technology, constituting a network of embedded devices that incorporate sensors, actuators and communication functions. In this journey, vehicles are no way exempt from the ‘things’ that are getting ‘connected’. In fact, the pioneering ‘thing’ which caught up the idea and emergence of being ‘connected’ are vehicles.
Already the current IT environments, highly-charged with its performance and potentials, and are characterized by the hacker-powered cyber-attacks for any personal or financial gain, and nation-sponsored warfare for data breach across global infrastructure or networks or applications. In such a scenario, securing the automated, autonomous, automotive vehicles connecting IT, ICT, OT and IoT environments with add-on cloud and edge computers is extremely and seemingly challenging. For this, the scope of MBSS (Minimum Baseline Security Standards) is to be expanded at a larger scale and the hyper-aware cyber security foundation is to be built strongly at the base.
We will see how the security is becoming smarter, imperatively getting built into the fabric of the entire infrastructure, network and applications of the connected transportation system as an enabler with smart measures against the intelligently foreseen threats to proactively prevent any security incidents, instead of reactively correct them later, which will cause lives and can topple the mere purpose of these initiatives.
For this, let me take you back to the industrial revolution which kick-started its 1.0 with ‘Mechanisation’ in 1784, driven by water & steam in, that progressed with its 2.0 with ‘Electrification’ in 1870, coupled with electronics & mechanical, which paved way for designing assembly line by Henry Ford in 1913. When the first PLC (Programmable Logic Controller) was invented as a part of Industry 3.0 with ‘Automation’ in 1969, the manufacturing processes ruggedized and secured with the help of information technology integrated and embedded with a system having dedicated function within a larger mechanical or electrical system. While the earlier 3 industry generations are more-or-less evenly spaced, Industry 4.0 with ‘Cyber Physical System’ involving (RPA) Robotic Process Automation is evolving much quicker than the rest, with Automated Connected Vehicles as one of the outcomes in the Supply Chain. Though this is going to bring in features to the table (in fact to the road), this is going to equally challenge us with inherent security threat for which a smart cyber security with enough threat intelligence built-in is inevitable to sail smoothly with this generation.
For instance, more than 4 decades ago, when the 2nd generation car was first produced in 1977, General Motors Oldsmobile Toronado incorporated the embedded software that had an ECU aka. ECM or PCM (Electronic Powertrain Control Module or Unit) to manage the spark timings, which were earlier managed mechanically. The use of breaker points in the mechanical units are subject to wear and tear, oxidation and burning at the contact surfaces from the constant sparking impacts vehicle’s effectiveness and engine efficiency.
EI (Electronic Ignition) in ECUs solves all these problems and help reducing fuel consumption as well. Thereon, ECUs of vehicles control the behaviour of its devices, communicating through the in-vehicle network. The parallel enhancements of ECUs with RSUs (Road Side Units) to communicate vehicles with other vehicles and to VANets (Vehicular Ad-hoc Networks), with personal devices through WPANs (Wireless Personal Area Networks), and with service centre systems through cellular networks. A connected vehicle, that uses an external network, in addition to the in-vehicle network, need smart mobility applications to use information generated by vehicles, e.g., cooperative adaptive cruise control. However, connecting all these networks together increases the count and complexity of threats to vehicles. Therefore developing ‘threat-intelligent’ solution as smart cyber security to these smart connected vehicles is mandatory to ensure security and to protect privacy of not only the occupants of the vehicles but transients off the vehicles.
The security & privacy challenges could be multi-dimensional in the case of connected vehicles, which include but not limited to, one or all of the following:
Loss of life: Takeover driver controls, to collide on other vehicles, pedestrians, shops or anything.
Loss of data: Infrastructure, vehicle or personal data loss.
Loss of reputation: Brand image, buyer confidence and resulting revenue loss and increased damage claims.
Financial issues: Loss of vehicle or the valuables in the vehicle by tracking through its GPS coordinates.
Functional issues: Loss of break control, steering control and/or engine control.
Systemic issues: Faulty diagnostics, disrupted infotainment system, manipulated navigation, telematics, dysfunctional/inoperative doors, lights, windows, and other occupant safety systems.
|Risks||Attacks to exploit Personally Identifiable Information (PII)||Updates with malicious Firmware/Software||Attacks to exploys secret keys and credentials||Remote attack for data breach and for wrongful doings|
|Controls||Strong Cryptography,Hardware-based protection incl. HSM||Device Credentialing,Code Signing with Rights-to-Repair||Encryption of DAR, DIM and DIU,Strong Auth.||Message Auth.,Code Signing, &Innovative ADAS|
Security cannot be an afterthought but a thought from the start, especially in this connected ecosystem. Connected vehicles are revolutionizing the safety of driver, occupants, and traffic by connecting with the environment around them. Mobility moves manufacturers and their customers into a world of constant presence and real-time communication of big data and analytics. For building trustful relationships between them, ensuring security has become all the more vital for driver-less / self-driving / autonomous vehicles. For this valuable asset of ‘Customer-Trust Business’, the ‘Zero-Trust Security’ model is inevitable measure, as one serious incident exploiting the ‘digital trust’ is all it takes to destroy that ‘customers trust’ earned over years. So how can the automotive industry deliver on the promise of secure connections in the new era of connected vehicles for road safety apart from traffic efficiency, and energy savings?
Let us now see, how we are getting ready for a safe journey with the connected and autonomous vehicles. Here, the triple-A, namely, Authentication, Authorization and Accounting, has to first get their ambit expanded to accommodate the dynamic mobile and cloud platforms. Certificate-based mutual authentication of encrypted data in all the fundamental states, DAR, DIM, and DIU (namely Data at Rest, Data in Motion, and Data in Use) have to be ensured to prevent malicious content from reaching the vehicles. The SIEM (Security Information and Event Management) integration with anomaly detection systems is to be put in place to detect suspicious communication patterns and protects the vehicles from any hacking attempts and data breaches in the system. Implementation of appropriate security measures, fail-safes and constant vigilance of the same have to be built into the connected systems to ensure the CIAPAR (Confidentiality, Integrity, Availability, Privacy, Accountability and Resiliency/Redundancy) throughout. As automotive IoT continues to gain momentum, the features of ADAS (Advanced Driver Assistance Systems) help reduce collisions and accidents on the road. These benefits grow exponentially when the smart vehicles and the AD (Autonomous Driving) vehicles are connected among themselves, so that they can share information V2X (Vehicle-to-Everything); V2X includes V2V, V2I, V2N, V2D, V2G, V2P (Vehicle-to-Vehicle, -Infrastructure, -Network, -Device, -Grid and -Pedestrian respectively) can help make the roads even safer than at present.
“Towards Zero” is the vision of the Victorian state to bring the road deaths down to zero. The ‘threat-aware’ smart Cyber Security measures integrated with connected vehicles for utmost safety of V2X with human-centric design, can help to reach this vision soon.
Cellular technology also has a role to play in this vision; human error is far more likely to cause accidents than overtly dangerous driving, which is why the development of viable European strategy on Cooperative Intelligent Transport Systems (C-ITS) by CAR 2 CAR Communication Consortium is an area being explored in the V2X space. On the other hand, connected vehicle innovation and driverless technology are advancing quickly – but the real benefits of connected automated transportation can only be unlocked with the right network and infrastructure support.
Border-less services and boundary-less networks are inevitable for V2X connectivity. Vehicles, especially Passenger Cars are not just transport vehicles anymore. They are becoming smarter and smarter day-by-day with innovative, scalable, secured, high-quality digital capabilities and add-ons including a full suite of telematics, infotainment systems, electronic instrument panel cluster, smart cockpits, sound systems, connectivity to smartphones, navigations, fleet management, traffic report, weathervane and childcare assistant.
For the SDC (Software Defined Cars), the software/firmware are delivered OTT (Over-The-Top) and seamlessly updated OTA (Over-The-Air). Therefore, rapid data sharing and management enhanced by the increased speed, high bandwidth, low-latency, device processing & data offload, and trusted computing & storage are crucial to many of these innovations for real-time communication between vehicles and the connected ecosystem. Therefore, decoupling software from hardware, and moving complexity to the cloud platforms increase the flexibility of new service roll-out as and when available and simplify the management of connected vehicle systems are the smart cyber security measures for the safer traffic ecosystem, making the vehicles more intelligent to communicate via the distributed cloud with other vehicles, service providers, traffic authorities and regulators.
Automotive OEM (original equipment manufacturers) and their suppliers rely on building effective data protection and security strategies. Today’s technology enables the root of trust needed to advance connected vehicle security and scale to meet the industry’s evolving demands.
To understand the above in detail, I would like to split the Cyber Security challenges and respective mitigation controls in an order:
CONNECTED VEHICLE CHALLENGES
Compromised Telemetry Transmissions
The telemetry data used for maintenance tracking or the consumer devices plugged into the on-board diagnostics (OBD II) port are the weak points for a compromise.
Cyber Attacks through Connected Devices
More features call for regular connectivity to support vehicle infotainment systems, service monitoring, and online support, which opens up new potential threat vectors, exposing the whole system for advanced attackers to exploit.
Unauthorised software and firmware updates
Any modern connected devices and vehicles require software or firmware updates, delivered over-the-air or at a service centre. The code updates sent to connected components have potential tampering and resulting malware threat, unintended errors or violations of rules if they are unauthorized ones.
Cheap, spurious and counterfeit aftermarket components
Unauthorized and insecure aftermarket components added to the vehicle – either deliberately or unknowingly – including gadgets/widgets plugged into the vehicle’s On-board Diagnostics (OBD) II port pose a huge threat to the functionality and security of the vehicle resulting in heavy risk to the occupants and public as well.
SMART CYBERSECURITY SOLUTIONS
Encrypting telemetry and other data transmitted to/from the vehicle to support vehicle maintenance tracking or a V2V infrastructure ecosystem, provides protection against data theft and other compromises. Mutual authentication of connected components to be enabled to trust the data thus transmitted.
DLP (Data Loss Protection), Driver/Vehicle Safety and protection of sensitive fleet operation data of transport/cargo vehicles are ensured by securing the transmission of telemetry data and other information broadcast to/from the vehicle.
Connected Device Authentication
Manufacturers give a unique identification to each of the connected components and devices using HSMs (Hardware Security Modules) and supporting security software for authenticating them individually, with a root of trust along with the foundation for an effective PKI (Public Key Infrastructure).
Strong Code Signing
The software/firmware code must be signed using a strong code signing methodology, including HSMs. Establishing cryptographically-based digital identities for connected vehicle components and securing code updates against tampering help to protect against malware and code tampering, thus safeguarding against unwanted sophisticated attacks, unauthorized modifications to vehicle performance and reputational damage.
Connected & Autonomous Transportation bundled not only featured on the functionality but also on the security at different dimensions through innovative ADAS with Cyclist Detection Auto Brake, Road Work Alert, Lifesaving Emergency Vehicle Alert, Digital Geofencing, Park Assist Pilot and Lane-keeping Aid, to aid controlling vehicles entry, speed, fuel use, line of sight, detours and so on.
With growing smart cities, the transportation is getting transformed with millions of connected vehicles in the supply chain and resulting explosion in the data volumes. Improve response times at an optimum bandwidth for upstream of the edge for better security calls for next generation smart 5G networks with
- proper network slicing, zoning, micro-segmentation, etc. at the network layers;
- traffic routing, distributed anchoring, multi-session breakout, etc. at the transport layers;
- mobile edge paradigm for distributed compute close to consumption points with data caching, synchronization, messaging capabilities, etc. at the data layers;
- AR/VR (Augmented/Virtual Reality) for performing and processing at the presentation layers;
- ML (Machine Learning), caching, predicting the vehicle position at a future point at the application layers;
- consistent and harmonized central management of the network topology and resources including the compute and storage in the on premise or on cloud distributed infrastructure at the orchestration layer.
For connectivity-fuelled uninterrupted disruption of the automotive industry, multi-access mobile edge computing is crucial part of the 5G platform and facilitates the first-mover advantage for communication services providers to provide secured channels. 5G facilitates edge computing service to provide RTEE (Runtime Execution Environment) for VNF (Virtual Network Functions) and non-telecommunication workloads as well. Advancements in 5G connectivity with high-speed, and ultra-reliable-low-latency enables real-time communication between vehicles and the connected ecosystem including the edge.
As an evolution to today’s networks, next generation 5G mobile networks are expected to handle mission-critical communications of big data volume, connect multiple devices, reduce latency significantly and bring new levels of reliability, privacy, security alongside regulatory compliance, thereby, can support safer driving and enhanced V2E connects.
Improved data jurisdiction and regulatory compliance is achieved by processing the generated data near the point of consumption to reduce or eliminate cross-border transfer of data/information. For this edge platforms helps with a shorter control loop, and smaller span of control to provide guaranteed QoS (Quality of Service). Autonomy and survivability with threat-intelligent computer resources are resilient to failures in a static data centre or a dynamic transport network, with intelligent security tools/applications and artificially intelligent HSM – at the edge. This enables fleet orchestration of connected automated fleets with high connectivity needs.
There are hi-tech automotive majors joining hands and forming associations and consortiums to put the ‘security-first’ mindset into perspective for defining & harmonizing broader use cases, for orchestrating the technical & implementation strategies, for standardising certification & regulatory approval processes and for leading the innovation & integration of cutting-edge technology solutions with ‘security by design’ and ‘security by default’ principles. Easy-to-understand and Useful-to-deploy security controls are placed on workloads, effective DevSecOps security framework are constructed around the up-and-coming server-less constructs like Kubernetes and Docker containers to the DevOps Agile development models, without any additional intricacies of wireless or mobile transport networks. These are adding up to smart cyber security.
To leverage these opportunities, connected vehicles to be smart and secure as well with threat-intelligent Cyber Security in two-fold:
- smartly secured from persona point of view involving the ultimate user, app developer, app vendor, TSP (Telecommunication Service Provider), CSP (Cloud Service Provider), content manager, platform provider, infrastructure designer, SI (System Integrator), EISA (Enterprise Information Security Architect), IoT device creator and so on, and
- smartly secured from attributes point of view including trust, authentication, authorization, accounting, monitoring, verification, validation, privacy, integrity, and the like.
The key success factors being considered with 5G communications by the service provides include avoiding failures of past initiatives by building out secure platforms and easy-to-consume APIs (Application Programming Interfaces), avoiding too much of dalliances with APIs by considering proper alliances and due diligence, avoiding isolated technology silos in business by building a holistic core to edge continuum, avoiding over-enthusiasm in automation strategies by following and adopting the success stories of the proven CSPs.
For instance, Amazon’s AWS Greengrass, which allows appropriate synchronization, real-time replication and dynamic orchestration of its IaaS, PaaS, SaaS, FaaS and CaaS (Infrastructure, Platform, Software, Function and Containers) with the hybrid apps to run across AWS cloud, AWS IoT, AWS Greengrass devices, and AWS Lambda instances. Similar is the case with Microsoft’s Azure IoT Edge and Google’s GCP & Flutter.
The threat intelligence of smart security reduces over-enthusiasm in provisioning of communication services and in building of edge strategy and cloud/data lake infrastructure.
While the threat-intelligent smart security help addressing the cyber threats of connected vehicles well, there are compliance considerations such as allowing lawful interception, access restrictions, identifying the data location & localization, etc, pending to be addressed. For drafting necessary compliance standards and guidelines, the security maturity is vital which would be possible only after a good and more take-off and take-aways. In any field, the regulations and standards generally follow the innovation. The initiatives in edge computing and automation, such as, IEEE’s OpenFog, AT&T, Intel seeded Project Akraino, Linux’s EdgeX, CNCF (Cloud Native Computing Foundation), ONAP (Open Network Automation Platform) and AECC (Automotive Edge Computing Consortium) are gaining momentum in their infancy stage itself. The mix-and-match of curated and non-curated applications based on the approach – walled garden or open platform respectively – otherwise to land somewhere in the middle, hosted with a multitude of applications based on the hybrid approach, is another criterion for security of the entire automated ecosystem.
Exposure and upskilling of resources in infrastructure or device / application development, troubleshooting and maintenance are other challenge to security of the smart vehicles. While ignorance and imprecision of Code Developer and Support Engineers are untenable, their education and cross-skilling are keys to swiftly turnaround to end users’ queries and complaints through ready-to-apply toolkits & libraries and easy-to-find documentation & playbooks on the complete telematics of the entire ecosystem.
I am optimistic to see a better and quicker progress in these areas for improvement, for the smart connected vehicles to be sufficiently secured ones as well.
MSK is the Chief Security Architect with over 29 years of rich IT & Cyber Security experience. MSK held various senior leadership positions including DGM-IT and Group CISO. As a CSA, he is presently responsible for designing cyber security architecture framework for various IT transformation projects covering cyber security evaluation and risk management for ADAS (Advanced Driver Assistant Systems) & Driver-less AD (Autonomous Driving) for its full suite of infotainment systems, electronic instrument panel cluster, smart cockpits, navigations, and telematics, Data Lake & AI-based MES, RPA, Big Data, Blockchain and such other modern technologies. While ensuring ROSI (Return On Security Investment) to the global clients, MSK contributes to the company’s vision of ‘Sustained Profitable Growth’ with ‘Security-First’ mindset.
Published in Telematics Wire