Automotive Cyber Security - IET

Automotive Cyber Security: An IET/KTN Thought Leadership Review of risk perspectives for connected vehicles

Contents

Executive summary
Background to this Review
Introduction
Terminology
Connected car trends
Benefits of automotive connectivity
A known problem?
Media interest in automotive cyber security
Academic interest in automotive cyber security
Cyber-threat motives and targets
Driver responsibility issues
Appendix: Automotive industry initiatives
Recommendations from this Briefing
References

Images courtesy of iStock. The library images used in this Review appear as generic illustration only, and do not denote or refer to specific types of technology.

[Image caption: Safety first: one compelling reason to connect cars via wireless links is to reduce the risks of collision on the road]

Executive summary
Background to this Review

Connected vehicles take us toward a mode of transport that is safer and more efficient, by enabling an interconnected driving experience. One way cars are interconnecting is via the Internet, but there is concern that this could expose connected cars – and the people in them – to potential risks from online threats. This Briefing surveys issues related to this concern, but prescriptions for remedial solutions are not part of its scope.

This Review is based, in part, on inputs from the Automotive Cyber Security Thought Leadership event (November 2014) attended by more than 50 experts from a range of engineering and technical disciplines. It has been further extended by additional input from the project managers, and by supporting supplementary information and references from external sources. This joint initiative by the Institution of Engineering and Technology (IET) and Knowledge Transfer Network aims to promote cross-industry debate on a topic that has the potential to impact a broad range of professional fields.

This Review focuses on the areas of automotive cyber security that, at this stage in their development, are receiving attention. Research undertaken to identify possible automotive cyber security vulnerabilities is highlighted, as is how automotive OEMs seem to be responding to the claims that cars can be ‘hacked’, along with examples of media coverage of some of the issues. It looks at some of the motivating factors that might make connected vehicles and their workings attractive to malevolent actors, and where some of the responsibilities and liabilities for countering threats may ultimately be assumed, ranging from automotive OEMs to car users themselves. The document also scopes some Recommendations for further debate.

In brief, these Recommendations encourage consultation between the automotive industry bodies for which cyber security should be an agenda issue and professional bodies in non-automotive sectors already engaged in cyber security awareness-raising; the development of guidelines for issues around professional disciplines with an interest in automotive cyber security and autonomous vehicles; and extended thought leadership into the areas of connected vehicle driver responsibility, and issues around liabilities related to automotive cyber security incidents.

It is a topic that stems from the convergence between automotive technology and computer technology: this has increasingly changed the methods by which motor vehicles are developed and are driven. The automotive industry makes extensive use of computers and computerised electronics in the design, production, and operation of vehicles. Within vehicles, sensors, actuators, embedded computers, and audio-visual systems are used to enhance safety, performance, and the driver/passenger travelling experience.

Other industry bodies and interest groups are starting to take an interest in the automotive cyber security issue, as is the media. Professional bodies such as the IET and Knowledge Transfer Network can bring balance to this interest by providing an independent and widely informed perspective to the topic as events unfold.

Introduction

It is confidently presumed that new cars travelling future highways will be connected. Powerful communications capabilities will be built-in to automotive systems designed to facilitate a variety of driving functions and other enhanced features. Internal control systems will exchange data via complex internal networks; other applications that interface with drivers through dashboard displays and devices could share information with other connected vehicles; they could also exchange data with connected roadside entities, such as streetlights, that are also linked-in to the Internet of Things (IoT).

The one- and two-way electronic communications systems that road vehicles have increasingly been equipped with over recent decades, such as radio receivers and transmitters, have been augmented by links to cellular voice/data devices and to satellite signals. In-vehicle infotainment networks, and the notion of ‘car-as-hot-spot’, have been introduced by automotive OEMs (original equipment manufacturers) variously in recent years. These typically co-exist with the automotive control networks that enable the transit and exchange of data relating to the operation of the vehicle itself.

Coming generations of connected cars will differ as a result of moves toward greater convergence between automotive communications technology and connections to resources beyond the confines of the car. This prospect of a motor vehicle becoming, in effect, an Internet-linked ‘device’ is bound to stir debate in a world where awareness of online threats, and the malicious ‘hacking’ of computer systems, could affect the use of almost any physical entity that qualifies as a ‘connected device’.

Cyber security is a much-debated aspect of the emerging Internet of Things, especially given malicious agents’ tendency to ‘follow the market opportunity’: as they become more numerous, connected cars would likely represent another addition to the cyber attackers’ expanding hit-list of prospective targets. This may sound conjectural, but some automotive OEMs have acknowledged that they are taking the possibility seriously – and taking steps to defend ‘vehicle computer systems’ against it.[1]

The importance of identifying potential ‘vulnerabilities’ – flaws in a connected car’s communications and data systems that could be exploited by somebody seeking to ‘hack’ into that vehicle’s control mechanisms or other onboard technology – and protecting such vehicles against interference or attack, has stepped up in the last five years, as online menaces have become potentially more hazardous – and more penetrative. Some users are becoming accustomed to the practice of protecting their ‘endpoint devices’; but nowadays the very communications infrastructures that form the ‘backbone’ of our hard-wired and wireless networks regularly come under attack. This has created yet another ‘field of battle’ to be defended, as national Internet exchanges, for instance, and the internetworking equipment they rely on – such as switches and routers – are maliciously probed.[2]

[Image caption: The gaps between the computer technology built-in to vehicles, and computer technology taken into vehicles, is narrowing]

Terminology

When starting to consider the broad issues necessary for an understanding of cyber security in the automotive sector there can be a tendency to draw comparisons with what might be termed the ‘mainstream’ cyber security market, where the protection of personal computing devices, enterprise information and communications technology (ICT) systems, and industrial control systems (ICSs), most notably, has escalated into a matter for national concern over the last 15 years.[3]

A range of cyber security issues are regularly discussed using technical terms whose meanings will not only be unfamiliar to many within the automotive sector, but also hold different meanings to those working within the cyber security market itself. The very words ‘cyber’ and ‘security’ may have very different connotations for automotive engineers, for instance, where ‘security’ is also used in the context of a vehicle’s physical security – i.e., its locks and other anti-theft disabling mechanisms.

An example of potential for cross-purpose confusion between audiences is the falsely-applied, usually pejorative, use of the term ‘hack’. In computer programming the term describes an amendment to code intended to fix an error or tweak an effect for a specific purpose. The term is an ethically-neutral, if rather crude, descriptor of a quick fix or tune-up. Perhaps not appreciated in mainstream coverage is that the everyday usefulness of the term has migrated across to any part of life – from re-imagining Lego designs, and adapting Ikea furniture, to getting more power output from an old car model. The issue at hand intersects, however, where hacking is performed remotely and without permission. Both must apply. It can be imagined that such hacking-in with permission may also be a healthy and productive pastime, but would likely be a minority pursuit. Exactly what is meant by ‘permission’ is important. It goes to show that discussions of cyber security and automotive electronics must be mindful of the pitfalls caused by imprecise vocabulary.

However, it is also worth noting that automotive cyber security does present issues that are specific to that industrial sector, and attempts to make comparisons between the mainstream concept of ‘cyber security’, and the concept as it will affect the road vehicle market, should be drawn with caution.

[Image caption: Many car owners increasingly rely on connected technology-based driving aids: they would be lost without them]

[Image caption: There could be many possible reasons why somebody would want to ‘hack’ in to a connected car: owners themselves might want to ‘tweak’ their vehicle’s performance]

Another example of this from enterprise information security is the notion of ‘insider threat’ – individuals working within an information technology system, for instance, who gain unauthorised access to data assets for nefarious or idiosyncratic reasons. Connected cars may also have owners who, for reasons known and unknown, will attempt to reconfigure their car’s data systems. (The author of a freely-available online publication called The Car Hackers Handbook suggests that owner-access to their vehicle’s inner workings is necessary in order for them to personally validate the security of their vehicles.[4])

There is, of course, an established ‘after-market’ catering to automotive customisation: this has been mainly for physical modifications like spoilers, ‘growly’ exhausts, and ‘nitro-boost’ kits; but there are also those who will ‘tweak’ electronic control units (ECUs) to enhance performance or power output. An increase in the amount of vehicular systems software calls for ever-tighter requirements to prevent (or at least detect) attempts to tamper with it in the event, say, of a warranty or insurance claim. Arguably, this is, in effect, a cyber security issue when viewed in terms of the Parkerian Hexad elements of information security related to authenticity and integrity*; it also has functional safety implications. The general issue of connected vehicle owner responsibilities in the context of cyber security will be returned to later in this Briefing.

Meanwhile, it is reasonable to remind ourselves that, as with ‘mainstream cyber security’, two facts will crop up. First, no connected computer system is 100 per cent guaranteed secure in terms of invulnerability or the integrity of the data it holds or processes, and the owners of targeted systems must be ever-vigilant for as yet unknown threats and undetected vulnerabilities to emerge at some future time. Second, given the history of more conventional cyber security, it is reasonable to hypothesise that some kind of ‘arms race’ between the automotive OEMs and their cyber foes will establish itself, as each side seeks to outdo the other’s efforts to secure/un-secure the cars, vans and lorries that use our highways.

* The Parkerian Hexad is a six-element checklist of standard information security attributes – Confidentiality, Possession/Control, Integrity, Authenticity, Availability, and Utility – proposed by Donn B. Parker in 1998.

Connected car trends

Connectivity is set to become a compelling feature of the global car market over the next five years, leading to a market worth 39 billion by 2018, according to forecasts from research firm SBD and mobile industry body the GSMA.[5] In general terms, a connected car is a road vehicle equipped with three sets of communications systems: Internet access, and (usually) also an internal network, usually wireless, which enables the car to route its connection access (sometimes known as vehicle-to-Internet, or V2I) to other devices that are installed inside – and possibly outside – of the vehicle. Alongside these typically there is the CAN bus (or similar) used to interconnect the gamut of ECUs, sensors and actuators that now form part of a vehicle’s inner electronic workings. Increasingly, such cars are fitted with specific technologies that link into the Internet access or internal network to provide additional driver benefits: automatic notification of collisions, notification of excessive speeding, and other safety alerts, for example.

There are two additional communications types that could supplement these. The more mature of these is vehicle-to-vehicle (V2V) technology that enables cars to communicate wirelessly and even maintain temporary networks between vehicles that can inform accident prevention, road hazards, and other driving intelligence. A number of automotive OEMs are reported to be developing V2V capabilities. The connected vehicle is also poised to become a bona fide part of the Internet of Things (abbreviated to Vehicle-to-IoT or V2IoT), as a connected entity receiving data from external sources, and sharing data that it captures with remote third-parties for specific applications (traffic flow updates, say). The IoT is an evolving concept, and several aspects of the role of motor vehicles within it are yet to be determined.

Connected cars driving in ‘smart’ built environments – as to be found in ‘Smart City’ ventures now emerging around the world, and being ‘retro-fitted’ into many existing metropolitan areas – will be able to take advantage of the infrastructure that is gradually assembling to target and support connected road (and indeed human) traffic. It is important to note that the possibility of cyber-attacks on the wireless communications networks that support connected vehicles should count as another factor in the assessment of automotive cyber security factors. These networks must be secured against signal jamming (devices that do this are cheap and easily obtainable)[6], denial of service attacks, and the transmission of bogus data to connected cars and their drivers.

In considering automotive cyber security going forward, there will be issues concerning the security of intelligent transport systems that communicate with the vehicle. For example, the driverless/autonomous car trials planned in the UK include testing of roadside infrastructure that will communicate with vehicles to inform them of congestion, roadworks, etc., and allow drivers or their vehicles to plan and use alternative routes. Malicious attacks on this infrastructure, or the jamming/interference of satellite navigation signals, could in future severely disrupt traffic in urban areas, and bring large parts of a city to a standstill. It is important, then, that our future vehicles and their supporting smart infrastructure are designed to be resilient under both normal and adverse operating conditions.

Benefits of automotive connectivity

The connected vehicle concept is not being driven solely by developments in automotive technology, but these developments are key to its progress. It is important to consider the connected car as an integrated system, and as a connected entity, maybe interacting with V2I, V2V, V2IoT, and its own internal automotive systems, becoming a part of a bigger connected ‘ecosystem’ that may or may not encompass those specific application technologies. Each of these technologies has been conceived with one or more beneficial objectives.

Intelligent vehicle re-routing around congested sections of a town or city, for instance, would help alleviate traffic jams, give drivers advance warning of impending delays, or provide the data to enable them to adopt an alternative way of getting to their destination. As they develop, such technologies would also create opportunities to make more efficient use of the existing road transport infrastructure, and find some solutions to road utilisation problems that might otherwise have resulted in costly and contentious new transport infrastructure.

Such technologies would also of course make travelling by car safer – for drivers, passengers, and other road users. As already mentioned, in respect to safety, an important point for connected vehicles is that although a car may be securely designed against a ‘direct’ cyber-attack, in a connected automotive ecosystem, where many players may be under some obligation to exchange data and share connectivity, vulnerabilities in the system may exist in parts of the system seemingly far removed from car or carriageway.

A range of ‘market forces’ are influencing the installation of enhanced automotive communications:

- Additional point of transaction for consumer purchases (products and services)
- Consumer preference – embedded communications enhance in-vehicle driver-passenger experience
- Electric vehicle functions (such as mileage/range tracking, plus value-added EV services for optimising range and delivering charging point information)
- Mandated legislation; mandated regulatory communications-based services, such as eCall*
- Non-mandated communications-based services (navigation tools, traffic flow updates, parking apps)
- New unique selling point to sustain car sales – and their contribution to GNP
- Remote diagnostics for servicing/predictive maintenance
- ‘Smart’ vehicle insurance systems and services that use vehicle data to adjust premiums
- Stolen vehicle tracking and recovery
- Telemetry – for commercial applications

* eCall is the European Union initiative intended to bring rapid assistance to motorists involved in a collision within the EU. The eCall architecture aims to deploy a device installed in all vehicles that will dial 112 automatically in the event of a serious accident, and wirelessly send airbag deployment and impact sensor information, along with GPS co-ordinates to local emergency agencies.

[Image caption: Connected carriageways: communications technology built into cars enables them to share data with each other – and the wider world]

A known problem?

As well as opportunities, the advent of the ‘connected’ car brings several major challenges to the automotive sector, and will affect the operating models of OEMs, distributors, dealers and mechanics, road infrastructure managers, law-makers, and of course drivers and their passengers. In the public domain verifiable information about automotive cyber security risk levels is scattered, and can tend toward the sensationalist. How far car makers have gone, and still have to go, in terms of treating vehicular cyber security as seriously as passenger safety, for instance, is not easily discoverable. Some manufacturers, however, have acknowledged their awareness of the issues, and say that they are on top of the challenge.[7]

Even without their new connectivity, cars represent much more than powered driving machines. Insurance is a hugely influential governing factor in the automotive market. Questions of liability with respect to driving mishaps of any kind can turn unexpectedly contentious, and could prove a factor in drawing attention to any disquiet over whether more detailed information about the provisions automotive OEMs are making in order to counter any threats. But concern about how this connected technological evolution may play-out is being voiced from within the automotive sector itself, even if not especially stridently from its OEMs.

Interviewed by The Times newspaper toward the end of December 2014, Edmund King, President of motoring organisation the AA (and Visiting Professor of Transport at the University of Newcastle), acknowledged the ‘hacking threat’ to drivers of connected cars: “If cyber criminals targeted automobiles like they’re targeting other things, we’d be in for a hard and fast ride,” he said.[8] That a senior industry figure like Mr King has gone on the record to express his forebodings indicates that concerns over whether automotive cyber security is receiving the full measure of attention that it warrants, are both timely and legitimate.

Media interest in automotive cyber security

Edmund King’s remarks at the end of 2014 followed a marked increase in published expressions of concern regarding automotive cyber security risks. These appeared against a media background where computer security in general was a hot topic. Here are some specimen headlines:[9]

- ‘Security researchers raise concerns over car cyber safety’ (IT Pro, 12/8/14)
- ‘Hi-tech cars are security risk, warn researchers’ (BBC News, 1/9/14)
- ‘Is car hacking the Next Big Security Threat?’ (Live Science, 16/10/14)
- ‘Connected cars raise privacy and safety worries’ (Financial Times, 20/11/14)
- ‘Wireless systems expose drivers to cyberattacks’ (The Times, 27/12/14)

In fact, the media coverage around automotive cyber security was largely based around a very limited number of insider event presentations on the subject that have taken place at cyber security conventions in the United States, and on other automotive cyber security speculation that has appeared in the public domain. The findings of Charlie Miller (a security engineer/researcher at Twitter) and fellow researcher Chris Valasek (Director of Security Intelligence at consultancy IOActive) for instance, have generated much media interest, even though the two highest-profile public declarations of their research into ECUs at two events – Def Con Las Vegas in 2013 and Black Hat USA in 2014 – were based on conditional one-off research projects. They were published as a paper entitled ‘Adventures in automotive networks and control units’.[10]

In brief, the researchers reportedly used cables to connect laptops via the on-board diagnostics ports to the electronic control units inside two different makes of car. They wrote software which sent instructions to the cars’ network computer and over-rode the commands from the vehicles’ actual drivers, enabling them to take control of some steering functions and cause the fuel gauge to show empty – all while the vehicle was in motion under driver control. The underlying issue for automotive cyber security that Miller-Valasek’s demonstrations appeared to confirm, is that the rising number of internally-connected ECUs in the test vehicles seemed to have no screening process for authenticating the messages they received, or for blocking inauthentic transmissions.

“By examining the [controller area network] on which the ECUs communicate, it is possible to send proprietary messages to the ECUs in order to cause them to take some action, or even completely reprogram the ECU,” Miller-Valasek have been quoted as stating. “ECUs are essentially embedded devices, networked together on the CAN (controller area network) bus. Each is powered, [with a] number of sensors and actuators attached to them.”[11]

The CAN bus operates using an open protocol developed by Bosch in 1983. It is relatively safe under normal operation, but inherently insecure to external influence. According to Roy Isbell, from the Cyber Security Centre in WMG at the University of Warwick, it is essential that any external point of interconnection to the CAN bus is adequately protected. This should include connections to consumer interfaces, such as the vehicle head unit.

A researcher in the team at University of Warwick has developed CMAP (CAN bus mapper): this is the CAN bus equivalent of the NMAP open-source network mapping tool. This allows researchers and security analysts to enumerate all devices and ECUs connected to the CAN bus, an important capability when addressing functional safety and security issues.

Miller and Valasek’s findings made an impression on US Senator Ed Markey. In a series of letters he asked some leading car makers to respond to seven pages of cyber-threat-related questions, including: “How would you be alerted to the possibility that a cyber attack or inadvertent introduction of malicious code has occurred?”, and “Does any of the testing described above include the use of independent third parties who are contracted by your company to attempt to infiltrate your vehicles’ wireless entry points?”[12]

Media interest in automotive cyber security was further fuelled in August 2014, when a ‘security advocacy group’ calling itself I Am The Cavalry proposed an automotive cyber security rating system for car consumers.[13] The ‘Five Star Automotive Cyber Safety Program’ proposal offers ‘a five-point checklist of computer technology best practices for automakers to implement’. The five aspects the program focuses on are: Safety by Design; Third-Party Collaboration; Evidence Capture; Security Updates; critical system segmentation and isolation measures. The move was described as ‘an important first step towards a collaborative future between security experts and automakers’.[14]

One automotive OEM who would have been more inclined to respond favourably to Senator Markey and I Am The Cavalry, is electric-powered car manufacturer Tesla. Tesla’s product range is highly digitally connected, with the transmission, engine systems, battery, climate control, door locks and entertainment systems all remotely accessible through an Internet connection. The company attracted media attention when it announced that it is hiring penetration testers – tasked with deliberately trying to break-in to Tesla’s vehicle security safeguards.[15]

[Image caption: One way to access a vehicle’s data systems is via the connect ports intended for use by car mechanics when conducting diagnostic tests]

Academic interest in automotive cyber security

Academic research into automotive cyber security dates back at least five years. In 2010, a team of researchers from the Universities of California-San Diego and Washington set out to see what resilience cars had to an attack on their control systems. Using software called ‘CarShark’ running on a computer cable-connected to a test car’s servicing port, they were able to monitor communications between the electronic control units, and insert their own data to cause attacks.[16]

In 2010 and 2011 two academic research papers published by a team comprising researchers from the University of California San Diego and the University of Washington delved into the areas of ECU exploits in as much – if not greater – detail as Miller-Valasek, yet seem not to have generated the same level of wider interest. The first of these, ‘Experimental Security Analysis of a Modern Automobile’ (2010)[17] experimentally demonstrated that an informed attacker who is able to infiltrate ECUs can circumvent a broad array of safety-critical systems.

Published the following year, ‘Comprehensive Experimental Analyses of Automotive Attack Surfaces’ (2011)[17] proposed that remote exploitation of connected vehicles is feasible via a broad range of ‘attack vectors’ (including mechanics tools, compact disc players, Bluetooth links, and cellular radio); and further, that wireless communications channels can allow remote vehicle control, location tracking, in-cabin audio ‘exfiltration’, and vehicle theft.

Over a range of experiments in the laboratory and in road tests, the research teams claim to have demonstrated the ability to take over control of a wide range of automotive functions and ‘completely ignore driver input’ – including disabling brakes, braking individual wheels selectively on demand, causing the engine to stop, and more. “We find that it is possible to bypass rudimentary network security protections within the car,” the researchers noted, “such as maliciously bridging between our car’s two internal subnets”.

Another academic to raise concerns over automotive cyber security shortcomings is Professor Andry Rakotonirainy of the Queensland University of Technology’s Centre for Accident Research & Road Safety. He has claimed that the security protection on [existing fleet, future autonomous and connected cars] is “virtually non-existent. The basic security requirements such as authentication, confidentiality, and integrity are not strong. This means that as vehicles become more and more connected and autonomous, with the ability to communicate to other vehicles and infrastructure through wireless networks, the threat of cyber attack increases putting people’s safety and security at risk.”[18]
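
The absence of message authentication on the CAN bus, reported above by the researchers and echoed in Professor Rakotonirainy's remarks, can be shown from the receiving ECU's side. This is an added example, not part of the Review or of the cited research; the identifier, key and truncated-tag payload layout are constructed for illustration and follow no particular standard.

```python
import hashlib
import hmac
import struct

MAC_LEN = 3                      # truncated tag; constructed trade-off for the 8-byte payload
KEY = b"constructed-demo-key"    # constructed shared key, not taken from the Review
SIGNAL_ID = 0x123                # constructed 11-bit identifier


def make_frame(can_id, data):
    """Classic CAN data frame as a receiver sees it: identifier plus 0-8 data bytes.
    The frame carries no sender field, so any node on the bus can emit any ID."""
    if not 0 <= can_id <= 0x7FF or len(data) > 8:
        raise ValueError("not a valid classic CAN frame")
    return can_id, bytes(data)


class NaiveEcu:
    """Receiver with no screening: acts on every frame carrying its ID."""

    def __init__(self, can_id):
        self.can_id, self.accepted = can_id, []

    def receive(self, frame):
        can_id, data = frame
        if can_id != self.can_id:
            return False
        self.accepted.append(data)
        return True


def tag(key, can_id, counter, signal):
    """Truncated HMAC-SHA256 over identifier, full freshness counter and signal bytes."""
    msg = struct.pack(">HQ", can_id, counter) + signal
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]


class AuthSender:
    """Legitimate node: appends the counter's low byte and a tag to each signal."""

    def __init__(self, key, can_id):
        self.key, self.can_id, self.counter = key, can_id, 0

    def send(self, signal):
        self.counter += 1
        low = bytes([self.counter & 0xFF])      # only the low byte travels in-frame
        mac = tag(self.key, self.can_id, self.counter, signal)
        return make_frame(self.can_id, signal + low + mac)


class AuthEcu:
    """Receiver that drops any frame without a valid, fresh tag."""

    def __init__(self, key, can_id):
        self.key, self.can_id, self.last, self.accepted = key, can_id, 0, []

    def receive(self, frame):
        can_id, data = frame
        if can_id != self.can_id or len(data) <= MAC_LEN + 1:
            return False
        signal, low, got = data[:-MAC_LEN - 1], data[-MAC_LEN - 1], data[-MAC_LEN:]
        # Rebuild the full counter as the smallest value above the last accepted one,
        # so a replayed frame is checked against a counter it was never tagged for.
        counter = (self.last & ~0xFF) | low
        if counter <= self.last:
            counter += 0x100
        if not hmac.compare_digest(got, tag(self.key, can_id, counter, signal)):
            return False
        self.last = counter
        self.accepted.append(signal)
        return True


def demo():
    # Constructed frame from a node that does not hold the key
    injected = make_frame(SIGNAL_ID, b"\x01\x00\x00\x00\x00\x00\x00\x00")
    sender, ecu = AuthSender(KEY, SIGNAL_ID), AuthEcu(KEY, SIGNAL_ID)
    genuine = sender.send(b"\x01\x00\x00\x00")
    return {
        "naive_accepts_injected": NaiveEcu(SIGNAL_ID).receive(injected),
        "auth_rejects_injected": not ecu.receive(injected),
        "auth_accepts_genuine": ecu.receive(genuine),
        "auth_rejects_replay": not ecu.receive(genuine),
        "auth_accepts_next": ecu.receive(sender.send(b"\x02\x00\x00\x00")),
    }
```

The eight-byte payload limit is what forces the tag and counter to be truncated here, which is why the usable signal shrinks to four bytes in this constructed layout.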

Cyber-threat motives and targets

The question of to what extent the automotive world should be mindful of the cyber security experiences of other targeted vertical sectors, is one that evoked much debate among contributors to this Briefing. For some of these business sectors, cyber security was not a priority agenda issue until relative
