UK’s cyber security guidelines for connected vehicles is not boring, but much more information needed
This started as a review of a UK government publication titled, “The Key Principles of Cyber Security for Connected and Automated Vehicles,” words that came across as boring civil servant-speak.
Forget that, says freelance IoT writer, Bob Emmerson: it’s anything but boring. This document is short, 18 pages; well written, an easy read; and packed with punchy guidelines that apply equally well to other industrial sectors.
It works well as an introduction to cyber security, but for anybody with a serious interest in the subject it came across as being somewhat superficial. There are seven pages of nicely crafted line drawings of automotive bits and pieces that don’t really add anything.
They could and should have been used to provide more content on important topics without dropping down into heavy techie detail. Topics like secure authentication, using standards-based proven technologies, and solutions that leverage digital certificates to provide the highest level of security. Similar comments came from specialists in the industry.
Gary McGraw, VP of security technology at Synopsys commented: “Counting on any government to regulate autonomous vehicles is not likely to be too fruitful, especially when it comes to security. Privacy regulation in Europe (and the UK) may have a better impact. Fortunately, manufacturers are stepping up and working on security diligently. They are much more likely to get this right with companies like Synopsys without the government being involved at all.”
There were doubts, too, from Leigh-Anne Galloway, Cyber Security Resilience lead at Positive Technologies: “The proposed key principles sound reasonable, but we doubt it’s enough to provide security when it goes to real tech. The most doubtful principle is the last one, saying the system should ‘respond appropriately when its defence or sensors fail’. If the sensors have not failed but are compromised, they can provide wrong data and endanger human lives.”
“Another principle that would be hard to put in practice is the one saying ‘all organisations, including sub-contractors, suppliers and potential third parties (should) work together to enhance the security of the system’. Although we agree with this guideline, some of the recent IoT incidents prove this concept to be hardly possible. Telecom providers don’t know about the vulnerabilities in their routers made somewhere in China. Security guards don’t know about the back doors in the surveillance cameras they use,” Galloway added.
Ilia Kolochenko, CEO of web security company, High-Tech Bridge said, “This is a very positive sign and a laudable effort finally undertaken by the government. Connected cars, and the IoT industry in general, need governmental regulation and enforcement of strict security standards.
“However, we need much more detailed practical guidelines with contribution from leading cyber security experts, practitioners and researchers, not just a set of generalised best practices. Moreover, a violation of the guidelines must be severely sanctioned, otherwise car vendors, and especially their suppliers, will likely ignore them,” Kolochenko concluded.
To get this publication click here.
The author of this blog is Bob Emmerson, freelance writer and telecoms industry observer