In August, it was hard to ignore the Jeep hack carried out by a WIRED journalist, who arranged for control of the car he was in to be taken externally while he drove on a St. Louis highway. It was also hard to ignore the furore that followed. The story was shared over 200,000 times, thousands of follow-up articles were written, and a hasty product recall programme was launched. A US senator even proposed legislation to establish new federal standards for digital security.
For many who work in the field of digital security, this type of attack had always been coming. Even since the Jeep attack, we’ve seen similar incidents with Tesla and Corvette. Were people so shocked because the journalist was put in peril on a highway? Or were they wondering why anyone would want to connect a car to a network in the first place? Wasn’t it obvious that a connected car would be the target of hackers? Are the benefits of a connected car plentiful enough to justify this risk? says Manfred Kube, head of M2M segment marketing, Gemalto.
To be frank, the benefits of adding wireless connectivity to devices are enormous: expanded productivity, time and cost savings, and enriched services are simplifying our lives as we speak. But when it comes to adding internet connectivity to cars, homes and cities, digital security has often been overlooked. A survey by VDC Research showed that almost 70% of original equipment manufacturers (OEMs) said security is important to design, but only 30% indicated that they made the required changes in personnel, processes or tools to improve security.
In light of the Jeep hack though, this looks to be changing. No one would ever consider building a home on a beach without a foundation. This fact isn’t lost on carmakers, developers and OEMs. They are beginning to use intelligent security architecture as the foundation on which to build consumer trust.
The auto industry and industrial IoT developers need to approach connectivity with the same intelligence as IT system integrators. We must recognise that the software running cars and devices is a source of potential threat. In many industries, such as banking and healthcare, security threats like these have existed for decades. They have trodden the path that we must now follow.
- Security by design
Security must be considered at the start of the development phase, and never treated as an afterthought. It should define design.
- Risk Evaluation
Developers need to know and understand all potential system vulnerabilities. An early comprehensive risk evaluation is critical to implement security architecture across the entire connected device ecosystem.
- End-to-End Trust Points
Developers should protect, encrypt, and authenticate all automotive devices and infrastructure with tamper-resistant hardware and software. Encryption keys which manage access to connected systems must also be securely managed to protect data.
- Lifecycle Management
Car makers and IoT developers need to design an interoperable, dedicated platform that can deploy security updates over the lifetime of the car—which could be as long as 15 years or more. We’re all used to software security updates on our computers and smartphones. With cars increasingly becoming smartphones on wheels, it’s only logical to apply this kind of evolutionary security approach in this domain as well.
As more of our world goes online and cyber-attacks become more common, trust has never been so important. Some car makers are already in a position to respond to these well-publicised threats quickly, and hopefully this will reassure consumers that connected cars are to be embraced and not feared.
The author of this blog is Manfred Kube, head of M2M segment marketing, Gemalto.