In medieval times security was delivered by thick walls, drawbridges to restrict access, protected supply routes and enough food to survive prolonged sieges. These defence technologies and techniques worked fairly well when you needed to defend a clearly owned and defined boundary against a visible, co-located enemy that tried to attack with brute force.
Now we live in a connected world. Our paradigms of defence and attack have changed. No longer is the ownership clear or our boundary wall well-designated. No longer is the enemy visible and co-located and brute force is just one of many, many types of attack.
This change affects all areas of our connected life, but one area that is particularly vulnerable is our connected and autonomous vehicles. Taking each of these conditions in turn for connected vehicles you find:
- No clear ownership – Imagine your autonomous vehicle hits another autonomous vehicle that failed to detect you coming. The hit happened directly after an instruction from city infrastructure to your vehicle. At the time you were asleep at the wheel and the autonomous vehicle was telling you to take it out of autonomous mode. This is one of many sorts of situations where it will be very tricky to determine fault and ownership. While not strictly a security issue, this really complicates the landscape for which we are looking to achieve security.
- No defined boundaries – With current electronic systems it was easy to consider the vehicle as a discrete unit with a defined boundary. Now the physical vehicle is just one node in an unbounded network of connected actors such as the navigation systems directing it, the over-the-air updates being pushed from the manufacturer, other vehicles it connects to in a V2V mesh and the smart city infrastructure with which it interacts. Also with in-vehicle networking sub-systems used much more frequently, there are more options for attacks to proliferate within a vehicle.
- Enemy is not visible & co-located – In 2010 the Stuxnet virus was released to the world targeting Iran’s nuclear centrifuges. It exploited a weakness in the Microsoft Windows and Siemens programmable logic controllers. It searched for specific controllers delivering specific instructions before inserting itself. With vehicles being connected, attacks can come from anywhere in the world and lodge themselves within critical systems.
- Brute force is just one of many types of attack – A famous automotive hack took place in 2015 when security researchers remotely controlled a jeep with a journalist driving it. This became known as the jeep hack and is achieved by inserting fake messages between the CAN (controller area network), the so-called brain of a vehicle and other electronic subsystems in the vehicle. This is just one of an increasing range of different attacks.
These changing conditions mean that the old paradigm of defending walls is no longer appropriate for securing connected and autonomous vehicles.
To be successful in this complex environment a new approach is needed. In the UK, an industry collective of the AESIN (Automotive Electronics Systems Innovation Network) and the UK Automotive Council and Zenzic advocate a new approach. It focuses on designing vehicles and subsystems that are:
- Heavily instrumented: so you can monitor health and detect attacks
- Simulatable: so in the event of an attack you can determine the cause and identify solutions
- Updatable: so that fixes can be rapidly put in place
The key to this approach being successful is a mindset shift away from static knowable threats to dynamic unknowable ones. This encourages us to build systems with greater resilience by encouraging more engineered differences to slow the propagation of threats and create a culture of continuous learning and deployment delivered through over-the-air updates.
This new mindset needs a new metaphor. The one most regularly being offered is that of epidemiology, the ongoing detection, vaccination and knowledge sharing effort used to tackle infectious diseases.
At Star, we deliver applications and platforms that support connected vehicles. We take our responsibility to leading vehicle security practice very seriously, delivering in line with ISO standards (look out for the new ISO 21434 standard for road vehicle cybersecurity coming out this year) for quality management and information security as well as subjecting our code to rigorous penetration testing. We continue to grow and evolve our security practice not with the mindset of defending castles, but of fighting diseases.