The connected car is here, but is it being designed in a way that prevents criminal hackers from taking control and causing havoc? It is a question that has sparked much debate within the automotive industry, and a topic that looks set to rumble on for some time.
However, Megatrends learns that although the automotive industry is making a concerted effort to find vulnerabilities in vehicle networks, this is not enough by any stretch. According to Kaspersky Lab, the industry needs to come together to provide a complete solution from cradle to grave – and this requires a redesign of vehicle architecture.
Described as a ‘strange company’ in the sense that its Russian roots led to sales first arising with the Italian Ministry of Foreign Affairs, Kaspersky Lab is becoming a household name in automotive cyber security. Based in Moscow, Alex Moiseev, Managing Director of Europe at Kaspersky Lab, explained how the company works with cyber security “in a wider sense.” As he noted, not only does the company work to protect customers at home or in the office, but also to secure critical infrastructure, factories, vehicle components and the car itself. As part of a multi-faceted role, Moiseev is not only in control of European operations, handling marketing and protection against automotive-specific threats, but is also a racing driver in the Kaspersky championship.
Through Kaspersky’s mixed portfolio of automotive clients, which includes Tier 1 suppliers and their OEM customers, the company is in conversation with stakeholders to redesign the in-car system architecture to become more secure from the outset. “The design itself is not really secure,” said Moiseev. “We can provide patches and add-ons which basically solve 70% of issues. The problem is the remaining 30%,” he warned, and “without changing the design, it is not really possible to provide a fully secured system.”
In order to design such a completely secure vehicle system – that is, an in-car network that cannot be hacked – OEMs need to cover all bases. “It must be covered 360 degrees,” said Moiseev. Even if bought-in components are designed to be secure against hacking, the connected car’s Internet connection is an entry point to the overall system, he explained. In addition, entry to the network could be gained at the factory or at a dealership during maintenance.
Kaspersky has had a close-knit relationship with Ferrari since 2010 as part of “a wide partnership,” said Moiseev. “We work with them on a technological level which allows us to learn a lot.” Full security of Ferrari factories – from the robots in assembly facilities to the aluminium melting process – forms part of this partnership. “That’s on the factory side, and we have started to work with them also on the car side to open the dialogue about car security,” he advised. What’s more, Kaspersky works with the Ferrari Formula 1 team to provide a complete cyber security service, even while the cars are on the track.
From aerodynamics to fuel efficiency, it has long been demonstrated how the understandings from motorsport can be transferred to passenger cars. What similarities are shared between Formula 1 and cars on the road today when it comes to cyber security? “With the Formula 1 car, the technologies involved will sooner or later move to road cars. The big difference is that the time for taking a decision in Formula 1 doesn’t exist,” highlighted Moiseev. “You really must be live and make a decision about whether something is malware, if you need to stop an attack, or if it simply looks like an attack but is not. You can’t allow false positives because you risk blocking something which would be a tremendous disaster afterwards.”
Safeguarding autonomous driving
In particular, there is a close link between the speed of decision making during a Formula 1 race and the requirements of an autonomous driving vehicle. Decisions need to be made immediately, and without a false positive or negative. In Formula 1, an incorrect decision could lead to lost position in the race, but indecision in an autonomous vehicle could very quickly lead to loss of life.
In this case, a complete redesign of new car infrastructure is “fundamental”, said Moiseev. With many cars featuring advanced driver assistance systems (ADAS), camera and radar sensors have become commonplace. These sensors are linked to the vehicle’s electronic control unit (ECU), which manages the car’s electronic systems and communicates with components. But as Moiseev explained: “The entry to this communication is not encrypted and right now, it’s not even possible to detect which devices are communicating with each other in the car. That’s problematic.” This can be solved through software patches, he advised, and it is “quite easy” to redesign it securely. “The complicated part is that while the automotive world moves pretty fast, it is also quite conservative and does not like to change things it is used to. Unfortunately, the day you declare that the car is connected, you need to play by the rules of the connected world.”
Many stakeholders believe that the issue lies with the fact that OEMs are not inherent cyber security experts, and are effectively playing catch-up. Do they need to reach out to companies such as Kaspersky to gain a better idea of what needs to be done to protect consumers? “Of course, yes,” Moiseev affirmed. “If anybody started building a security company from scratch, it would take them about ten years to be at the required level of expertise. So why would you reinvent the bicycle?” he asked. “For automotive, the goal is to be connected to unload and upload data. For us, the goal is to analyse whether this data is bringing any threat or risk.”
Getting sensitive
Luxury vehicles from a high-end brand such as Ferrari are prime targets for theft, but are they also prime targets for hacking?
Yes, said Moiseev, but added that it is not quite that simple: “In terms of the vulnerability of a Ferrari, the car being stolen is a threat, but it is a less sensitive issue for their owners. They say, ‘All right, it’s insured and at the end of the day it’s not that painful.’” In essence, for consumers that can afford to purchase a Ferrari, the cost of insurance or even replacing the vehicle is of less concern than for mainstream car owners. However, “car features can be disabled, and then they can be ransomed,” warned Moiseev, “especially when we speak about a car which costs you six figures. If somebody asks you for US$100 to re-enable that feature, you would probably accept that, which is quite dangerous.”
What luxury vehicle owners are worried about is the data that is stored in the car’s network. “It’s about the private data,” said Moiseev. “Microphones, cameras, address books, whatever contains data in the car can be removed, and that data could be compromised. In the case of the luxury car, these people are particularly sensitive about that data.”
One in, all in
In order for the automotive industry to tackle the issue of cyber security in all senses – from the manufacturing plant, to the dealership, to securing the in-vehicle network – a collaborative approach is required. “We would be crazy to skip at least one of the [cyber security] vendors,” stated Moiseev. “Everybody must get in. Commercially, we all compete and try to provide more attractive marketing propositions, but technically we are providing the same solution: security for people. The more choice people have, the more attractive prices will be,” he concluded.
This article appeared in the Q2 2016 issue of Automotive Megatrends Magazine.