Rusty Carter, VP of product management at Arxan Technologies talked to Annie Turner about why security still isn’t at the top of the connected car agenda and the smart things some automakers are doing about.
Annie Turner: What makes you say car makers are more focused on competitive edge than security? Surely security is fundamental to their success?
Rusty Carter: Security is and will be fundamental to success in the long run, but with the rapid innovation around connected systems focused on the user experience, automakers in many cases are and will face decisions on trading security for ease of use and convenience to be on the ‘cutting edge’.
As the number of systems involved in a vehicle increases – and without a significant change in the architecture of inter-system communications via the controller area network bus – vulnerabilities will grow not shrink. In some cases, the automakers are not equipped with the staff or expertise to protect these systems from attack.
AT: Can you give some examples of the huge number of elements involved in securing autonomous cars – especially the ones that aren’t commonly recognised?
RC: For autonomous vehicles, there is a significant number of sensing and controlling systems which need to be protected for the vehicle to operate as expected and are probably the most obvious of many. Beyond the vehicle operation systems, are others such as entry/operation entitlement, location & tracking, and service/diagnostics systems.
Of these, the likely first vector of attack will be the entry/operating entitlement which gives access to the vehicle (and if defeated would be likely to result in theft) as well as location and tracking systems which may be used for distance/fare tracking and other uses.
AT: How do you think the question of responsibility for security can be sorted out? Do you think that’s what will happen?
RC: The court of public opinion I think will judge this one quickly – it is the automakers’ responsibility, and it is their reputation on the line. Suppliers providing systems and services to control, operate, or secure the vehicle may be culpable for breaches or losses, but the public and consumers will hold the automaker responsible.
AT: Are threat analytics anything new, or just new to automotive?
RC: Analytics in general have been a growing area, even for automotive, as more and more systems become connected. What is new, is analytics directly related not just to the safety of the system, but of the security protecting the system itself. In other words, threat analytics go beyond detecting threats to a given system (for example a mobile app being used as a key to access or operate the vehicle), but also to detect attacks to the protection system itself. This level of analytics to instrument the protection itself is new across many industries.
AT: What are the inhibitors to deploying these analytics?
RC: Some of the primary challenges related to deploying threat analytics are having effective protection and detection mechanisms in place. Many solutions look from the outside to instrument applications which is ineffective, and some other types of protection cannot be instrumented.
These challenges can be overcome by implementing protection that creates pass/fail tests (such as detecting a change in code by comparing check sums of a range against an expected result), and then reporting those results securely. Back-end systems should also look for not just the failing tests, but systems that are not reporting at all, as an indicator of compromise.
AT: Can you provide an example of where threat analytics have been successfully deployed in automotive?
RC: Threat analytics have been used by a large automaker to make near real-time decisions about access and operation of a vehicle via ‘phone as a key’. While protection can detect many different threats and risky environments, the automaker is using the analytics and reporting how those factors contribute to a risk score and alter behaviour of other safety and security systems based on the result.
For example, if a device is rooted [hacked], the car’s systems may allow the device to unlock and operate the vehicle, but other systems such as location tracking are instructed to increase their reporting. They also may use the analytics to assess the application’s current state of protection, which, when combined with the reporting of other systems, enables them to make more holistic and contextual decisions about the abilities or behaviours of the vehicle.
For more information, see Arxan.
The author of this blog is Rusty Carter, VP of product management at Arxan Technologies