Self-drive vehicles are no longer just a hypothetical possibility. But while these new vehicles herald a revolutionary new era for transport, there are also some important security issues to be considered. Intelligent CISO hears two experts’ take on self-drive vehicles and hears how two companies have collaborated to try to tackle the cybersecurity problem.
Scott Manson, Cybersecurity Lead – Middle East and Africa, Cisco, said: “In the next five years we will see more and more self-driving vehicles, or autonomous vehicles, hit the market. An autonomous vehicle is what is known as a cyberphysical system because it has elements in both the physical and virtual worlds. This makes security particularly challenging.
“Although self-driving vehicles have the potential to drastically reduce accidents, travel time and the environmental impact of road travel, concerns remain that could delay widespread adoption.
“Of particular concern are data privacy and security risks. Not only are they at risk from traditional cyberattacks to the information and running of the vehicle, but also to a new breed of attacks around things such as ransomware and vehicle theft.
“There are also security risks to the networks that connect vehicles, whether the financial networks that process payments, roadside sensor networks, electricity infrastructure or traffic control features.
“From a cybersecurity perspective, driverless cars present a number of unique considerations, challenges and risks. While many of the issues at play are not necessarily unique to driverless cars, these connected vehicles collect massive amounts of information by design and travel into areas that may often increase the risk of inadvertent disclosure.
“Moreover, these vehicles may be used to cross borders and enter jurisdictions that require the protection of information in materially different ways.
“Autonomous vehicles aren’t going to be here tomorrow, they are here today. The numerous points of entry into a self-driving vehicle’s computer system give clever thieves and cyberterrorists multiple opportunities to take control of vehicles. They will be vulnerable to those that regularly disrupt computer networks, like data thieves of personal and financial information, spoofers who present incorrect information to a vehicle and denial-of-service attacks that move from shutting down computers to shutting down cars.
“Driverless cars are of course designed to travel. These vehicles are expected to share and collect information from a wide array of connected vehicles, devices and surrounding infrastructure across wide geographic ranges and borders.
“While the evolution in driverless car capability promises many benefits, the greater responsibility and power delegated to driverless cars also creates a greater risk of negative privacy implications, injury, or property damage if these vehicles fail, mishandle personal information or operate in an undesirable manner.
“Any connected device can potentially be compromised by malicious actors. Therefore, as driverless cars become more prevalent, the number of vulnerabilities that can be exploited by the pool of increasingly sophisticated malicious actors will also continue to grow. Moreover, there is a greater risk when driverless cars interact with third-party and cloud service providers. When multiple devices are connected, there is a risk that a weak link in any of them can be exploited to compromise them all.
“In particular, manufacturers should consider cybersecurity issues from the outset and build security into the design and development of the product. Building data security and privacy into the design of driverless cars from the outset can improve functionality and decrease costs, as well as maximising compliance with legal requirements.”
Andy Kemp, Director of BAE Systems Applied Intelligence’s Transport business, said: “Across all transport modes, whether that is rail, road or air, transport networks face a common challenge of increasing customer demand on fixed capacity networks. Building new roads and railways helps, but is expensive, has long lead times and often the extra capacity created is very quickly consumed by the backlog of demand that has built up.
“Technology and digitalisation are therefore vital in addressing this challenge. One example of this is through using technology to safely allow trains, road vehicles or aeroplanes to run closer together – thereby improving passenger throughput.
“Another is the opportunity for greater cross modal collaboration to enable passenger choice through improved information provision and passenger experience, potentially leading to significant changes in the way that people view their transport choices such as Mobility as a Service (MaaS).
“However, this increasing dependence on technology also increases all components of cyberrisk (threat, vulnerability and impact), particularly in terms of impact on integrity and availability of information but also, critically, from a safety perspective.
“For example, the increasing reliance on automation, for example in automated train operation systems or in connected and autonomous vehicles, is driving a convergence of safety and security as cyberrisk now has a very clear safety impact.
“BAE Systems Applied Intelligence is supporting customers across all transport modes in addressing these challenges. We sit on the steering group for the standard for security informed safety, PAS11281, and provide a range of security monitoring, assurance and audit services to our customers to help protect critical transport networks.”
Meanwhile, Argus Cyber Security, a global leader in automotive cybersecurity, has announced a collaboration with Ericsson to provide seamless cybersecurity for the connected automotive ecosystem – across vehicle cloud services, fleets and vehicles.
As the number and diversity of connected services that interact with vehicles continue to increase, cyberthreats also evolve and grow. Recent cyberattacks on vehicles via connected services have led automakers to understand that securing vehicles and passengers from attacks through these services is paramount to ensuring consumer trust, the success of these platforms and safety.
The collaboration involves integrating Argus Security Operation Centre with Ericsson’s Connected Vehicle Cloud platform to provide automakers with an additional powerful layer of security that leverages intelligence findings across both platforms. The combined insights equip automakers with actionable intelligence derived from ‘big data’ analysis across millions of connected vehicles and their cloud services to identify the first signs of an attack campaign and mitigate its damage by immunising the fleet in hours.
In addition, Argus’ multi-layered cybersecurity solutions embedded in the vehicle provide real-time protection from cyberattacks, including attacks on remote vehicle commands originating from the cloud – such as heating the interior cabin and opening the vehicle door – via smartphone applications.
The combination of Argus’ and Ericsson’s solutions will provide automakers comprehensive cybersecurity coverage of the cloud, connected services and vehicle fleets. The companies will work hand-in-hand to enable automakers to securely integrate and monetise the connected vehicle ecosystem.
“In order to enable an increasing number of vehicle cloud services to interact with a vehicle, the automotive industry recognises the need for a holistic cybersecurity strategy, which demands multi-layered, end-to-end cybersecurity covering every node in the ecosystem, throughout a vehicle’s lifespan,” said Yoni Heilbronn, Chief Marketing Officer, Argus Cyber Security. “Together with Ericsson, we are helping automakers ensure the security and privacy of their customers through comprehensive cybersecurity solutions and services, while simultaneously maintaining consumer trust and brand identity.”