270 million mobile computers roam U.S. roads today. Not traditionally associated with either computers or networks, cars and light trucks increasingly serve as end-points of the Internet of Things (IoT). In the first quarter of 2016, mobile carriers reported activating more connected cars than phones for the first time.
Connected cars increase consumer safety and convenience, help protect the environment, and improve traffic management. As new cars manufactured in the near future will be connected to the cloud, traffic signs, road sensors, and other sources of data, they will alert drivers to potential road hazards, help prevent collisions, provide timely car maintenance, improve the driving experience, and deliver new infotainment services to drivers and passengers.
These benefits of the digital transformation of transportation go hand-in-hand with the potential downsides of increased accessibility, such as vulnerability to cyberattacks. Cybersecurity, however, has not been a major concern of the automobile industry, and computer engineering has not been its core competency. This is now changing with the rapid convergence of the IT and automobile industries, the merging of IT skills, best practices, and competencies with the design, manufacturing, and operational excellence that has been the hallmark of the automobile industry for many years.
There are a number of ongoing efforts that facilitate this meeting of the minds to ensure the security of connected cars. An example of the automobile industry reaching out for cybersecurity expertise is the Automotive Information Sharing and Analysis Center, established in 2015. It serves as a central hub for sharing, tracking and analyzing intelligence about cyber threats, vulnerabilities and incidents related to connected cars. The information disseminated by the center helps in the design of connected cars’ computer systems that are better protected against cyberattacks.
There are also efforts by automotive industry outsiders to apply their cybersecurity expertise specifically to connected cars. An example is a recent white paper published by the Alliance for Telecommunications Industry Solutions (ATIS), a consortium of nearly 200 companies. The white paper, “Improving Vehicle Cybersecurity: ICT Industry Experience and Perspectives,” shares lessons learned by the IT industry to assist car manufacturers with improving vehicle cybersecurity, and highlights the ways in which the IT and automobile industries can benefit from working together. Based on the IT industry’s experience with cybersecurity, here are the white paper’s key suggestions to car manufacturers:
- Design and develop cars with in-vehicle security architecture that implements intrusion detection and prevention mechanisms within the vehicle.
- Let the external network—and its established policies—help protect the connected car by allowing or denying network access based on the source of the traffic.
- Adopt secure coding practices and languages long established in the IT industry, for example by using open source libraries that are well documented and continuously monitored for updates and potential vulnerabilities. Similarly, a Connected Vehicle App Store would ensure that connected vehicle apps receive wide scrutiny and that security vulnerabilities can be rapidly identified.
- Consider using secure end-to-end data paths and secure connectivity mechanisms (e.g., VPNs, tunneling, and encryption) that protect the data moving through the network.
- Implement Deep Packet Inspection (DPI) to identify and stop malicious content before it even reaches the vehicle. Working with network providers, car companies can develop a solution that protects consumers’ privacy.
- Enhance the effectiveness of specific car companies’ “bug bounty” programs (offering a payout for reporting new security bugs) by using telecommunication carriers or another third party as a front end. This would enable all car companies and all telecommunications carriers to have the same view of the bugs and risks, improving analysis and mitigation against new vulnerabilities for all members of the connected vehicle ecosystem.
Combining the respective expertise of the automobile and IT industries will result in numerous beneficial outcomes, including designing cars with built-in security and data privacy protection, developing and adopting new security standards in a timely manner, eliminating redundant security research efforts, and developing new services for the connected car market.
The collaboration across industries, engineering disciplines, and best practices is already influencing proposed legislation in the U.S. The Internet of Things Cybersecurity Improvement Act of 2017, introduced by Senators Steve Daines (R-MT), Cory Gardner (R-CO), Mark Warner (D-VA), and Ron Wyden (D-OR), seeks to enforce a basic level of security of IoT devices by using the federal government’s buying power. And looking forward to autonomous vehicles—the next stage in the evolution of connected cars—the Highly Automated Vehicle Testing and Deployment Act of 2017 attempts to define a framework for their regulation and is currently working its way through Congress.
The fast-expanding connected web of devices erases industry boundaries, requiring inter-disciplinary and cross-industry efforts to tackle the new challenges. Connected cars drive the convergence of multiple industries and skill-sets—IT, communications, automotive, and consumer electronics—ensuring the safety, security, and satisfaction of millions of drivers and passengers around the world.