The Complex Challenge of Cyber Security for Connected Cars
Last week, we looked at how crucial security is for the connected car industry, given the risks involved. We also examined whether complete security is, in fact, an achievable goal. In today’s follow-up post, we’ll take a square look at why cyber security for connected cars is such a complex challenge, as well as what we can do to achieve it at every point along the supply chain.
A complex task
“Automotive cyber security is so complex because of the multitude of suppliers involved in the supply chain,” said journalist Susan Kuchinskas in a report released in association with the TU-Automotive Cybersecurity and TU-Automotive Detroit 2018 conferences. “That makes it quite difficult for any entity along the chain to understand how secure a component is.”
- Coding errors in the car’s software could be exploited
- The factory floor where hardware and software are installed could be compromised
- Connected cars could be hacked on their way to the dealership
- At the dealership, further vulnerabilities could crop up when software is installed or updated
- After cars are sold and deployed, their two-way communications (WiFi, cellular, V2V, V2X, and over-the-air updates) could be attacked
- The data that the cars produce and transmit to OEMs for storage could be breached
How to respond
Given the scope of the challenge, it’s good news that auto makers, startups, and tier-one companies have been working together to secure connected cars. There are two keys: redundancy and monitoring.
Redundancy is a major part of any best-practice security effort. The approach is called defense in depth: with many overlapping layers of protection, the odds against exploitation are stacked as high as possible.
As for monitoring, that too is par for the course in cyber security at large. Every year, the Verizon RISK team releases a national Data Breach Investigation Report. When asked how they get their information, they’ve historically said they learn about breaches the same way anyone else does: by reading the logs.
While no one can guarantee complete invulnerability for connected cars, the automotive industry can employ a multi-layered approach to security that demonstrates best practices at every level, from governance, to risk management, to design. It can prioritize threat detection and incident response. It can implement training and awareness for all parties along the chain, from tier-one company to consumer, treating security as an iterative process that’s never complete. And it can collaborate with third parties to hone its security strategy at every level.
We’re glad to note that cyber security is already high on the priority list for OEMs, automakers, and software vendors. It’s rising in priority for consumers, too, as people become aware not only of the benefits, but of the risks that connected cars bring.