Are we ready to protect our cars from cyberattacks?
Connecting networks seamlessly and automatically used to be an impractical goal of the past. Now, with the advancements of the Internet of Things (IoT) and its continuous development and enhancement, any electronic device can be connected via a network easily, whether it’s through a cloud platform or a software.
While this is a dream come true for most technology firms who are driving this sophisticated development, one must be aware that the seamlessness of connectivity can result in growing vulnerabilities given the open network access to cyberthreats. Apart from just electronic devices, the automotive industry has begun venturing in this field, and vehicles are no exception regardless of how and tough automobile components. These components, unfortunately, are also increasingly susceptible and vulnerable to hackings which can cause substantial damages to one's life.
The dawn of Automotive Security
Early this year, Tencent Keen Security Lab pointed out the vulnerability in the Bluetooth system of Lexus, through which hackers could potentially overwrite the rest of the car system. As some vulnerabilities of car systems against cyberattacks have been revealed, Automotive Security has become a huge topic in the past couple of years within automobile engineering and cybersecurity sectors. This time, our Tokyo Cyber Security Meet-Up had the privilege to have two members from Automotive Security Research Group (ASRG) – a subject matter expert in this field – as our panel of experts, namely:
- John Heldreth – Product Security Lead at Porsche Engineering and Founder, Automotive Security Research Group
- Kamel Ghali – Automotive Cybersecurity Architect, White Motion and Contributor Automotive Security Research Group).
Moderated by Thomas Glucksmann and Gino Bautista, our discussion covered several topics to discover the current situation and challenges in Automotive Security in Japan, in comparison to other countries.
If you have missed the session, you may watch the full recording of it below.
Challenges in automotive security
Automobiles used to function on a confined internal network and their systems never required the need to communicate externally. However, with advanced developments, they now have a have a variety of external communication channels including:
- Sound systems connected to our cell phones
- System through which a car manufacturer provide emergency assistance
- Geolocation services
As any new convenient function involving network connection could be another threat to the system, making sure that all the systems used in developing vehicles meet the requirements and are tested safe is a major challenge. Heldreth and Ghali raised below two points as major challenges for car manufacturer in securing the car system.
1. Managing the supply chain
Developing a car is an extremely complex process where a significant number of tier 1 to 4 suppliers are involved and then Original Equipment Manufacturer (OEM) brings parts, hardware, and software together. As so many organisations take part in this process, it has been a major challenge to secure the supply chain. For example, how we can ensure that every piece of software does not contain any type of additional malicious code is a work in progress.
2. Roadblocks and inflexibility
Ghali continued that there is a huge gap between the traditional automotive industry and the way IT and cybersecurity work, mainly in speed in its response. While a quick incident response is recognised as a high priority in the cybersecurity area, anything related to automotive security takes much longer before something is proven to be vulnerable, and then it takes even more time before necessary changes are rolled out.
The current state of the automotive industry is far from flexible. Processes are very rigid and there are too many roadblocks to overcome. Take for instance Tesla – a leader in updating automotive security software. Tesla isn't as reliant as the traditional automotive industry on various different suppliers for their components, they do it in-house.
Ghali shared: “Tesla is always on focus with its futuristic and cool cars, but there is also a lot to learn in terms of security strategy and car design”. Heldreth voiced in agreement, sharing that Tesla should be viewed as an IT company rather than a vehicle manufacturer.
Current industry standards and regulations
There are two key recent updates for automotive security.
- UNECE WP.29
Ratified by the United Nation in 2019, to ensure the safety of automobiles that go out to the markets. OEMs are the ones to follow those regulations, but suppliers are also affected in a process of guaranteeing the security of vehicles.
- ISO/SAE 21434
This focuses more on the technical side providing in-depth solutions and proposed measures for ensuring the lifetime security of a vehicle.
Each country takes these standards in a different way. For example, Japanese government already set a system that dictates the rules for technology related to vehicles. Japan is also very advanced regarding automotive security.
The major reason behind this is the 2020 Olympics, where the government was expecting autonomous vehicles to play a large part in its facilitation. The government explicitly mentioned hacking as a potential cause for an accident and already established this liability framework.
Looking at other countries, Germany has been successful in taking WP.29 and implementing and other European countries have also taken all of these different requirements to bring secure products on the streets. Some countries haven't signed WP.29, one of which is China. Nonetheless, they are developing technically deeper validation systems. Pros are there are a lot more test specifications and technical details, but cons are that these need to be adapted and maintained continuously to meet the needs of the market. USA and Canada, which haven't signed WP.29 either, are also waiting to see how WP.29 will pan out in other countries.
Join our community!
ASRG is operating globally with more than 5000 members worldwide. They've been hosting webinars on a variety of topics within the Automotive Security field to share knowledge. Their Tokyo branch is currently run through the platform called meetup. Car Hacking Village is also a great place to network if you’re interested in the space. Don’t forget to follow our Tokyo Cyber Security Meetup LinkedIn and Twitter channel too! Feel free to reach out to us from the form below if you have any questions or look for advice.