Connected vehicles have the potential to deliver tremendous value to both consumers and the transportation industry. As part of the larger intelligent transportation ecosystem changes, connected vehicle applications provide connectivity between and among vehicles, infrastructure, and wireless devices. This, in turn, can to assist in preventing crashes, easing traffic congestion and delivering new and exciting applications directly to the vehicle.
As connected vehicles become more prevalent on our highways and applications become more sophisticated and integrated into our everyday lives, the threat of cyber intrusion also grows. This makes it critical that the connectivity provided between and among vehicles, infrastructure, and wireless devices is authenticated, trusted and secure.
In the connected vehicle, two broad areas need to be secure: the communications paths to and from the vehicle (cloud, servers and networks), as delivered largely by the Information and Communication Technology Industry (ICT Industry); and the vehicles themselves, the internal vehicle communications platform, delivered by the vehicle original equipment manufacturers (OEMs) and their suppliers.
Collaboration between the ICT Industry and the vehicle OEMs can enhance cybersecurity and help to deliver comprehensive end-to-end security. Industry-to-industry collaboration (communications platform to the vehicle platform) can supplement the many company-to-company cyber initiatives that are already underway. Industry-to-industry collaboration can also advance the success of the work of the Automotive Information Sharing and Analysis Center (Auto-ISAC), an initiative launched by vehicle OEMs in 2015 to enhance cybersecurity awareness and collaboration across the global automotive industry.
Collaboration between the ICT and auto industries offers many benefits, including improved consumer confidence in the safety of connected vehicles; reduced overlap in security R&D aimed at connected vehicles; reduced costs by having all partners share responsibility and accountability to define, design, and deploy security best practices; decreased time to market; as well as a greater potential to develop new connected vehicle services and applications.
The Connected Vehicle: Risks, Threats & Challenges
In the connected vehicle environment, cyberattacks can be directed against not only the vehicle itself, but also against the telecommunications networks and cloud-based platforms that offer connected vehicle services. These threats can include malicious hacks, malware and Distributed Denial of Service (DDoS) attacks as well as threats against the ICT infrastructure itself. Depending on the type of attack, it could affect a single vehicle or many. Imagine if an entire make/model/class of vehicle were subject to a hack or malware intrusion?
According to the National Highway Traffic Safety Administration (NHTSA) cyber threats to vehicles and their occupants can cause problems in the following area:
- Unwanted/Unauthorized Commercial Transactions
- Non-Safety Operational Interference
- Safety Operational Interference
To address these threats, vehicle manufactures and their suppliers are taking action to incorporate security features into every stage of the design, manufacturing, testing and vehicle delivery process.
The ICT industry, particularly communications service providers, are leveraging their expertise in network and device security by employing a variety of cybersecurity methodologies in a layered approach across its networks to manage communication paths and offer secure connections to the end-point (cellular subscriber, enterprise user and connected vehicle).
Of course, not all communications paths into the vehicle (such as peer-to-peer short range wireless WiFi and Bluetooth) are operated or secured by service providers. These will require other cybersecurity methods to ensure end-to-end safety and security. These unmanaged connections are typically used to support services such as Infotainment (e.g., Bluetooth connectivity between a mobile device and the vehicle’s audio system), tire pressure monitoring, and diagnostics from aftermarket On Board Diagnostic-II connectors, to name a few.
Furthermore, if the connected vehicle is viewed as a complex IoT (Internet of Things) endpoint capable of establishing communications with other IoT endpoints, additional security risks may be involved from unsecured IoT devices.
Securing the overall ecosystem of connected vehicles requires coordinated planning and execution across the many players in the industry (OEMs, ICT industry, Tier 1 and 2 suppliers, after-market suppliers and repair and body shops) as well as from the application across the networks to the vehicle end to end.
ATIS’ Role in Securing the Connected Vehicle
ATIS, in conjunction with its members, has proposed a comprehensive end-to-end security framework that addresses both the managed and unmanaged environments of the connected vehicle.
Beyond the framework, ATIS has also proposed a potential engagement model between communications service providers and vehicle OEMs which involves the following:
- Expanding the ATIS work group to further explore how the ICT Industry can best participate and enhance cybersecurity as well as work with vehicle OEMs.
- Collaborating with the Auto-ISAC as appropriate.
- Expanding the connected vehicle ecosystem to foster greater industry-wide participation in the education, detection, prevention and remediation of threats.
A collaborative engagement between the ICT industry and the connected vehicle industry would foster further dialog across a range of ideas and topic areas such as a Centralized In-Vehicle Security Model, Deep Packet Inspection Security, Connected Vehicle App Store concept, as well as a Connected Vehicle Bug Bounty Program.
A recently released ATIS white paper, Improving Vehicle Cybersecurity: ICT Industry Experience and Perspectives, describes approaches that the ICT industry is taking to mitigate the risk of connected vehicle cyber intrusion. It outlines concrete next steps to continue this work into the future. ATIS sees the paper as a starting point and an invitation to dialog for continued collaboration between the ICT industry and vehicle OEMs. As new technology developments, knowledge, experience and threats emerge, this dialog will be critical to advancing connected vehicle cybersecurity.