The importance of protecting intelligent, connected transport

Connected vehicles are practically here and driverless cars could be as little as five years away[1] (sooner if you’re reading this in Japan[2]). These highly complicated, safety-critical and interconnected computers-on-wheels will soon be chauffeuring us around the 246,500[3] miles of UK roads. In a world of increasing risk of cyber-attack and when 95% of all incidents are considered to be human-related[4], are we doing enough about cyber-security to keep us safe?

Of course, the potential opportunities of the most disruptive technology of our time excite me, but as a security consultant (whose job it is to be paranoid) these stats also concern me. It concerns me that known and trusted mechanical components will be operated by vast interconnected electronic systems, that millions of us will be interacting with on a daily basis.

So far, we as consumers have managed to get by knowing (or caring) little about security. However, this has to change when we consider the impact of a vehicle behaving abnormally after a malicious software upgrade or being hit by a ransomware attack 100 miles from home. The vehicle is the first consumer device that could impact our health and safety. We need to improve our cyber-hygiene if we want to protect ourselves in this new world.

Many of us think that cyber-security is a dark art or that there is little we can do to protect ourselves from hackers. This is not the case; there are a number of basic things we can do to significantly reduce the chances of getting hacked. Here is a quick round-up of five things you can start doing today:   

1. Don’t download software from unknown/illegal sources. If you are one of the 57% that admit they pirate software[5] do you know that you are almost certainly at risk of a cyber-attack?
2. Don’t click suspicious links. 86% of us are believed to have experienced a phishing attack and 4 in 10 aren’t able to fully distinguish between a real and fake message
3. Take the time to install security updates. We know that updates appear at inconvenient times but delaying an update increases your exposure to a cyber-attack
4. Think about what you are plugging in to your system. Malware spreads through connected devices. USB devices are a common source of malware but other devices connected in different ways could also be a source of infection
5. Improve your password management. 63% of all data breaches are a result of weak, reused or default passwords[6].

The problem needs to be approached from both directions: as well as consumers improving their cyber-hygiene, vehicle manufacturers need to think about ways to protect their customers. Security solutions need to be simple, invisible and transparent. For example, smartphone companies using biometrics rather than passwords and banks using behaviour analytics to detect fraud. Reducing the number of cognitive processes on the user will reduce the opportunity for human-error.

BAE System’s autonomous vehicle, Wildcat, is currently being used on a UK Government funded trial into CAVs

Security is a difficult problem for vehicle manufacturers. Complexity is the enemy of security and the modern vehicle is one of the most complex systems of all time. A vehicle is a system of interconnected sub-systems, with over 100 Engine Control Units (computers to me and you) and over 150 million lines of code[7] (more than a Boeing 787, Facebook and a large hadron collider[8]).

With the ever-growing reliance on hackable electronic systems, vehicle manufacturers need to consider software security as part of quality assurance and develop plans for dealing with software maintenance post-sale. New vulnerabilities are discovered daily. Manufacturers need to understand if these vulnerabilities put their customers at risk and come up with a way to fix those that do.

All-in-all, the increasing dependency between safety and security will not be more obvious than in the transport industry. The responsibility for our safety in a connected world falls to us as consumers as well as the vehicle manufacturers. We need to close the skills gap with improved awareness and a fresh new attitude to cyber-security and we also need vehicle manufacturers to prioritise security in the race to market.

Biography

Emyr Thomas is a cyber security consultant for BAE Systems who has spent the last five years specialising in Industrial Control Systems. His ICS experience has prepared him well for dealing with complex safety systems and he is now leading security on a number of exciting CAV projects.

References

[1] https://techcrunch.com/2017/05/16/bmw-intel-and-mobileye-bring-delphi-in-on-their-self-driving-platform/

[2] http://www.bbc.com/news/technology-34464450

[3] https://www.gov.uk/government/statistics/road-lengths-in-great-britain-2016

[4] http://www-03.ibm.com/security/data-breach/cyber-security-index.html?cm_mc_uid=51327254232015076694342&cm_mc_sid_50200000=1507669434&
cm_mc_sid_52640000=1507669434&ce=ISM0484&ct=SWG&cmp=IBMSocial&cm=h&cr=Security&ccy=US

[5] http://globalstudy.bsa.org/2011/downloads/study_pdf/2011_BSA_Piracy_Study-Standard.pdf

[6] http://www.verizonenterprise.com/resources/reports/rp_dbir-2016-executive-summary_xg_en.pdf

[7] https://www.digitaltrends.com/cars/the-ford-gt-uses-more-lines-of-code-than-a-boeing-787/

[8] http://www.visualcapitalist.com/millions-lines-of-code/