This week, we have a guest post from Christian Koch, Senior Manager GRC & IoT/OT at NTT Security.

The number of intelligent cars on the road is growing. We are now seeing a vast array of technology embedded into connected and autonomous vehicles (CAVs), promising accident prevention, safer driving, lower emissions and an enhanced driver experience.  

However, this same enabling technology also creates a growing attack surface which allows hackers to exploit vulnerabilities to access car systems – meaning drivers’ personal information and their physical safety could be compromised. 

We have seen numerous high-profile hacks of cars in recent years that have resulted in safety recalls and reputational damage for the manufacturers.  

In 2015, for example, hackers took over a moving Jeep Cherokee from a laptop miles away, to prove that they could infiltrate the car, and control the brakes, steering and transmission. In 2016, insecure APIs meant that hackers could take control of Nissan Leaf vehicles and control some of the car’s systems.

The fact that attackers no longer need to rely on physical access to a vehicle to take control is forcing the automotive industry to focus its efforts on more than just the physical security of vehicles. 

It therefore comes as no surprise that cyber insurance for cars is set for a sharp spike in growth as a market. Insurance providers will have to prepare for a new range of risks such as ransomware, where a hacker could disable a car unless a ransom was paid by the driver; or malicious attempts to take over the controls of a car to cause damage to the vehicle, the driver or other road users. 

However, there are still many security complexities and challenges across the entire supply chain that need to be addressed in order to prepare for this growth. Who will reassure the insurance industry that a car is secure? Is it possible to underwrite policies when there is little historical data? And who is ultimately responsible for securing a car against cyber attacks – the manufacturer, suppliers of component parts, or the driver himself?

The main challenge is the responsibility for security. It needs to be owned by somebody in the automotive supply chain before the insurance industry can even start to look at underwriting policies. 

Insurance providers will look first to the manufacturer to ensure that the car is secure, and that might mean a closer look at the risk profile of the organization, its production plants and the design of the car itself.

The manufacturer, however, will look to its supplier ecosystem to share the responsibility for security. Traditionally, the manufacturer specifies exactly what it expects its suppliers to produce, but it will only vaguely specify cybersecurity requirements and is unlikely to mandate the use of specific standards or frameworks. Suppliers, in turn, have been reluctant to invest in creating their own standards in case the manufacturer mandates a different one.

This creates a stalemate, but it cannot continue if security is ever to be part of the design stage of a vehicle. The manufacturer – as the final assembler of all component parts – needs to take responsibility for ensuring that third-party systems are also secure by design, and that systems do not become vulnerable when they are connected together.

What’s needed, then, is for the industry as a whole to fully understand security, threat intelligence, and what prevention and response measures are possible and indeed necessary. The most obvious next step is to get all interested parties together – government advisers, insurers, manufacturers, suppliers and independent security advisers – to talk through the challenges and build a model of security best practice for connected vehicles. Until then, responsibility sits with everybody – and nobody – at the same time.