Connected-car designs must prioritize security

Alexander Meisel

While connected cars provide wonderful advantages, their integration with cloud connectivity come with a heightened risk for cyber attacks.

Commentary by Alexander Meisel

When it comes to connected cars, automakers are innovating fast. Consumers are experiencing increasing amounts of futuristic features, be they passenger connectivity, automated speed regulation or autonomous driving capabilities.

However, these innovations and their integration with cloud connectivity come with a heightened risk for cyber attacks. A recent study conducted by U.K. self-driving hub organization Zenzic found that becoming cyber-resilient will be the biggest technical obstacle to successfully deploy self-driving cars on roads by 2030. This mountain will be a big one to surmount, and it’s only growing in size: The auto industry has seen a 94% year-over-year increase in hacks since 2016.

How can automakers prioritize security while keeping up with the demand for innovation in today’s connected cars?

Carmakers must consider security from day one

To make sure that security is built into the very foundations of a car, automakers must make it a priority from the first day of design. This focus is lacking amongst carmakers at the moment. In fact, 19% respondents to one survey said they don’t do enough security testing in the design phase, and only 28% said that they do a lot of the testing during the design stage.

Automakers can use design principles to build in security from the outset. For example, the principle of complete mediation allows for enhanced security as it ensures that a software stem “requires access checks to an object each time a subject requests access.” This means that attackers are only invited to exploit a system on one single occasion due to checks on subjects’ permissions.

Carmakers can also ensure that they are not sacrificing security by considering its importance when purchasing components from separate suppliers. These components must be specific enough to enable security in the system, but generic enough to allow for innovation.

Automakers must make cybersecurity a priority from the first day of design.

Here, companies can leverage the software engineering principle of interface segregation. This means that a shrunken, clear interface should be supplied by the vendor, so that the customer only uses the methods that are of interest to them.

In turn, this allows systems to remain decoupled and thus easier to then build a rich interface on top of. However, carmakers will have to stay on top of the security of the part in the development phase, and ensure that dormant functions are not abused by at least logging their execution once somebody tries to call them out of context.

Developers and cybersecurity experts must become a core part of the team
Software development is relatively new territory for carmakers. Now, cybersecurity is a key component of building connected cars, and automakers need to embrace developers that have expertise in this area and make them part of the core team.

This cultural change must be championed by the business leaders to allow car security to advance alongside the innovative features that the industry is building. This can be done by implementing DevSecOps ideology into the team, in order to “build the mindset that everyone is responsible for security.”

Car development teams will likely need a group of cybersecurity experts who can educate the rest of the developers and are willing to participate in the development process in order to check and implement safe and secure functions. If a company doesn’t have this kind of expertise in-house, they can partner with an expert third-party to help them along this journey.

Innovation and security can complement each other

Cybersecurity doesn’t mean sacrificing feature innovation: developments are being made in the field of security too, such as biometric technologies that can be integrated into car design.

For example, Blackberry’s QNX technology “has built in concepts for hardware and software trust validation, hypervisor to maintain a separation between the safety critical and infotainment systems, and a core operating system which passes all the functional safety standards,” according to the company’s senior VP SVP, head of QNX, John Wall. Innovation need not suffer at the hands of security, and vice-versa.

Potential AV thieves would first look to use GPS data to disable or falsify a car’s GPS system, making it untraceable.

In addition, the world’s leading electric vehicle provider, Tesla, ensures security in its cutting-edge, connected cars by sending security updates to cars’ operating systems overnight, and even providing awards for hackers that manage to hack its cars.

Image: peshkov/iStock/Getty Images Plus/Getty Images

Looking ahead to the possibilities of autonomous vehicles (AV) that can drive passengers without needing to have their owner inside, innovation in GPS will be necessary to ensure security and accountability of the car. Potential AV thieves would first look to use GPS data to disable or falsify a car’s GPS system, making it untraceable.

However, carmakers can make this impossible for hackers by not just logging the data in its raw form, but also combining it with other car data using cryptographic algorithms. This ensures that the GPS data remains traceable even after the hardware has been taken apart and sold on the auto-parts black market. In this way, the signature of the original data combined with the GPS position adds an additional layer of security.

Integrating security into connected car design is no simple feat, but it’s a necessary one for carmakers that want to ensure the safety of their passengers while on the roads. By using design principles, diversifying expertise within development teams, and understanding that security and innovation need not be a trade-off, they can do just that.

Alexander Meisel is an automotive cybersecurity engineer at intive. He has a computer networking diploma from Hochschule Furtwangen University, and he has served as a CTO and Development Team Director in previous companies. He has experience with venture capital, successful M&As, and product and technical marketing strategies. He is also a public speaker at technical conferences and trade shows.