UK’s cyber security guidelines for connected vehicles are not boring, but much more information is needed

Bob Emmerson

This started as a review of a UK government publication titled, “The Key Principles of Cyber Security for Connected and Automated Vehicles,” words that came across as boring civil servant-speak.

Forget that, says freelance IoT writer, Bob Emmerson: it’s anything but boring. This document is short, 18 pages; well written, an easy read; and packed with punchy guidelines that apply equally well to other industrial sectors.

It works well as an introduction to cyber security, but for anybody with a serious interest in the subject it came across as being somewhat superficial. There are seven pages of nicely crafted line drawings of automotive bits and pieces that don’t really add anything.

Those pages could and should have been used to provide more content on important topics, without dropping down into heavy techie detail: topics like secure authentication, using standards-based proven technologies, and solutions that leverage digital certificates to provide the highest level of security. Similar comments came from specialists in the industry.

Gary McGraw, VP of security technology at Synopsys, commented: “Counting on any government to regulate autonomous vehicles is not likely to be too fruitful, especially when it comes to security. Privacy regulation in Europe (and the UK) may have a better impact. Fortunately, manufacturers are stepping up and working on security diligently. They are much more likely to get this right with companies like Synopsys without the government being involved at all.”

There were doubts, too, from Leigh-Anne Galloway, Cyber Security Resilience lead at Positive Technologies: “The proposed key principles sound reasonable, but we doubt it’s enough to provide security when it goes to real tech. The most doubtful principle is the last one, saying the system should ‘respond appropriately when its defence or sensors fail’. If the sensors have not failed but are compromised, they can provide wrong data and endanger human lives.”

“Another principle that would be hard to put in practice is the one saying ‘all organisations, including sub-contractors, suppliers and potential third parties (should) work together to enhance the security of the system’. Although we agree with this guideline, some of the recent IoT incidents prove this concept to be hardly possible. Telecom providers don’t know about the vulnerabilities in their routers made somewhere in China. Security guards don’t know about the back doors in the surveillance cameras they use,” Galloway added.

Ilia Kolochenko, CEO of web security company High-Tech Bridge, said, “This is a very positive sign and a laudable effort finally undertaken by the government. Connected cars, and the IoT industry in general, need governmental regulation and enforcement of strict security standards.

“However, we need much more detailed practical guidelines with contribution from leading cyber security experts, practitioners and researchers, not just a set of generalised best practices. Moreover, a violation of the guidelines must be severely sanctioned, otherwise car vendors, and especially their suppliers, will likely ignore them,” Kolochenko concluded.


The author of this blog is Bob Emmerson, freelance writer and telecoms industry observer
