In 2015, security researchers Charlie Miller and Chris Valasek remotely took control of a Jeep Cherokee vehicle as an experiment. By exploiting vulnerabilities in the vehicle’s Internet-connected entertainment and navigation systems, the two researchers activated the windshield wipers, turned on the radio and even turned off the engine in the middle of the highway. It was a frightening experiment which compelled automotive major Fiat Chrysler to recall 1.4 million cars. This remote hijack was also a reminder that as vehicles become more connected and autonomous, their cybersecurity risks will only grow.
The different levels of automation
The Society of Automotive Engineers (SAE), a US-based organization which defines standards in automotives, classifies autonomous vehicles into five different levels, based on the level of autonomy. Fully autonomous vehicles are categorized as Level 5 and are defined as a level of automation where the steering wheel is optional and no human intervention is required whatsoever.
While most automotive experts agree that Level 5 vehicles are still far into the future, the cybersecurity aspects of how these vehicles will operate cannot be ignored. Already, vehicles nowadays have some level of automation, whether it is through cruise control, parking assistance, lane assist or GPS features. Cars are getting increasingly connected to each other over wider networks more than ever before. This dependence will only increase as humanity progresses towards the first fully autonomous vehicle.
Security experts have warned of potentially disastrous repercussions if cybercriminals start taking disadvantage of autonomous vehicles at scale. A few scenarios that have been hypothetically put forward include:
- Criminals gaining access to autonomous vehicles through backdoors and vulnerabilities in the vehicle’s operating system and remotely controlling them
- In a fully autonomous world, cars will be connected to each other and also to a wider transport system regulating transportation of an entire city or region. If cybercriminals hack into the transport system, they can bring down entire transport networks, causing extensive damage
- Data theft is also a lucrative industry for automotive and the advent of autonomous cars would lead to a rise of such vehicles being targeted for data misuse
As research continues on autonomous vehicles, the levels of cybersecurity threats that will be needed to deal with will only become clearer. But cybersecurity experts have already started working on recommendations on the aspects that will need to be kept in mind.
Regulations and standards
To ensure that autonomous vehicles are not caught out by cybersecurity threats, it is imperative that automotive bodies and cybersecurity enterprises start working together to create regulations and standards. Encouragingly enough, some developments are happening in this regard – a new automotive cybersecurity standard, ISO/SAE 21434 is currently under development and could be published as early as 2020. Concurrently, the World Forum for Harmonization of Vehicle Regulations (WP.29) is also working on regulatory proposals for vehicles.
Invest in R&D for securing FOTA updates
Most of the latest automotive models have operating systems providing infotainment and other features. In the near future, autonomous vehicles will run completely on software systems which will receive regular updates, like mobile devices and operating systems. However, it is imperative that automotive companies start investing in research & development to ensure that these Firmware Over The Air (FOTA) updates take place in a secure framework.
Understand the unique security requirements of autonomous vehicles
Autonomous vehicles will need unique security requirements which will differ from the requirements for mobile devices or enterprise security. As an example, autonomous vehicles will require seamless vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) communication. At the same time, these communications need to be encrypted to prevent unauthorized access which will necessitate ultra-fast cryptography solutions.
Cybersecurity as part of the entire manufacturing process
Automotive manufacturing is an extended process with many suppliers working on different aspects of the vehicle. When it comes to the manufacture of autonomous vehicles, cybersecurity will need to be an integral part of the entire manufacturing process. All aspects of the supply chain must be on the same page to ensure that the final product is safe and secure.
Whether it’s Google, Ford, Mercedes-Benz or Uber, the world’s biggest technology companies have stated serious research and testing on autonomous vehicles. While the era of the fully autonomous car may still be a while away, it is important that cybersecurity remains a core component of this research to ensure that the end-user gets the most secure experience.
Get in touch if you would like for us to assess the cybersecurity posture of your business.