Connected and autonomous cars are apparently the future, with vehicle manufacturers and suppliers devoting millions to research and regularly announcing new initiatives. But connected vehicles also run the risk of being open to cyber attacks. On the eve of this week’s annual Canadian International Auto Show in Toronto two more companies announced a plan to move into the market.
Panasonic and Trend Micro said they are teaming up to jointly develop cyber security solution to detect and prevent cyber-attacks against electronic control units (ECU)in the new generation of vehicles that oversee acceleration, steering and braking, as well as in-vehicle infotainment and navigation systems. A complete package is expected in three years.
“The risks of hackers taking control of steering and braking systems in connected cars are real,” the companies said in a statement. “New security vulnerabilities are discovered every day and they pose a risk for remote exploitation. It is therefore more important than ever to not only implement security measures in each vehicle but also to analyze new attacks by constantly monitoring in-vehicle systems from the cloud and utilize the results to implement countermeasures against cyber-attacks to all vehicles.”
The partnership will leverage Panasonic’s Control Area Network (CAN) intrusion detection and prevention technology and Trend Micro IoT Security, the companies said. Panasonic’s technology will be able to detect any unauthorized commands sent to ECUs that control driving operation, while Trend Micro IoT Security will be implemented on devices such as automotive navigation systems to detect Internet attacks. Events identified by both technologies will be collected and sent to an analysis platform in the cloud to detect and block suspicious traffic.
The overall development will enable the provision of solution including in-vehicle and cloud systems to prevent cyber-attacks against autonomous and connected cars. The partners hope to be able to offer the solution commercially sometime after 2020.
Among those developing cyber security systems for cars is BlackBerry, which in December announced it providing its QNX operating system for Delphi Automotive’s autonomous driving system. That system called, Centralized Sensing Localization and Planning (CSLP), is planned to launch next year, will be a turnkey automated driving solution car manufacturers can buy.
The auto industry understands the importance of cyber security for sales. In 2015 U.S.-based car makers formed the Automotive Information Sharing and Analysis Center (Auto-ISAC), a global information sharing community to address vehicle cybersecurity risks. It’s a central hub for sharing, tracking and analyzing intelligence about cyber threats, vulnerabilities and incidents related to the connected vehicle. Members now include makers from the U.S., Europe and Asia.
The recommended best practices include security by design.
But a 2017 report from McKinsey warned there are challenges. “Compared to other industries, automotive – namely OEMs and suppliers – are behind the maturity curve when it comes to cyber defense capabilities. Even among those with up-and-running cyber security units, less than half of OEMs and suppliers are confident in the capacity of their units to fully handle the threat. In addition, in many cases these units are shells of what they ought to be to address the aforementioned threats through capabilities like, for example, red teaming and blue teaming.”
One problem is the complexity of the auto industry supply chain, with hundreds of partners. That’s one reason why major companies — BlackBerry and Trend Micro for example — are forging partnerships to create turnkey solutions.
Still, McKinsey says the major car makers have to create a culture of cyber security in the whole product development lifecycle, from concept through continuous update and
“A product can only be secured if it is designed with security in mind,” says the report. “‘Quick fixes’ on top of an unsecure product do not only add complexity, cost, and sometimes weight, but can also be easier to circumvent … Future car design must be “cyber security native,” integrating security solutions into the earliest stages of product design.
“Secure design, while necessary, is not sufficient to guarantee full product security over time. Solutions are effective only when they are consistently implemented and the components – both software and hardware – used to implement the design are optimally quality controlled. This requires a sound and managed development process, including reinforced collaboration between the product security team and the company IT security team. Accordingly, OEMs must implement and enforce strict development guidelines
effective in minimizing the chance of bugs and unintended software security gaps and in making it easier to modify or patch as necessary. In doing so, they should manage security as a single extended product-enterprise perimeter in order to boost synergies on the protection effectiveness and cost sides.”