The potential risk of hackers taking control of a connected vehicle is well known. ‘White hat’ hackers have shown they can hijack the controls of cars, including the brakes and accelerator – a worrying thought as the next generation of cars, with their increasing levels of electronic connectivity, prepare to move off the drawing boards and on to the production lines.
No security system can be foolproof - but building resilience into connected cars from the design stage to minimise vulnerabilities is a crucial first step.
Two recent guidelines from the International Organisation for Standardisation (ISO) and United Nations aim to install that resilience. BlackBerry’s 2022 Threat Report notes that the ISO/Society of Automotive Engineers ISO/SAE 21434 document, published in August 2021, sets the standard for handling security during vehicle design, manufacturing, use and decommissioning, while UN R155 enforces that cybersecurity be considered - not just in vehicles, but also in the surrounding infrastructure.
BlackBerry’s report cautions that there are vulnerabilities that will not be found during system design and development and that preventing these unidentified loopholes from being exploited will involve detecting an attack against the system and preventing it from progressing.
However, one complication in modifying a vehicle’s safety-critical electronic systems to prevent malicious attacks (including introducing a new prevention) will require a re-certification of the system. Re-certification involves performing a hazard analysis for every prevention action that might be taken, BlackBerry notes. The costs and timescales involved in such actions are uncertain.
There are also concerns that the data used to train artificial intelligence (AI) systems in connected vehicles may itself be the target of cyberattacks. “It is, therefore, critical to not treat new AI systems as infallible, and to understand why they fail when they do,” says the report.
Prevention by AI
Work is underway within ISO and SAE to determine the necessary cybersecurity assurance level for various components in the vehicle, based on the cyberthreats they may face.
“Prevention-first AI cybersecurity does not need to focus exclusively on production environments. Preventing the introduction of vulnerabilities during software design and development, including those of AI systems, is another avenue through which cybersecurity can be improved,” says BlackBerry. The company’s Ivy platform is designed to facilitate the introduction of AI into the vehicle.
Sarah Tatsis, BlackBerry’s senior vice president, Ivy Platform Development, predicts that software supply chain security will be a key concern for many vehicle manufacturers in 2022, following a dramatic increase in the number of software supply chain attacks over the last year. “In addition, techniques like using highly complex quantum computing to carry out attacks, or targeting 5G networks, are new approaches that will be require prevention as a priority,” says Tatsis. “Preventing attacks by using AI relies upon detecting and mitigating them before they can be executed.”
She says OEMs can do this by using AI solutions such as BlackBerry Protect, which uses the power of AI to spot the signs of these attacks on the horizon. “Similarly, when an attack is designed to mimic legitimate pages in order to gather confidential or personal information, AI can work to prevent users from opening such URLs, or from visiting spoofed websites,” Tatsis concludes.
Canada’s approach to cyberthreats
In Canada, action is being taken to prevent the threat of attacks on connected vehicles through Transport Canada’s Vehicle Cyber Security Strategy.
Alongside this, a new standard, Road vehicles — Cybersecurity engineering was published in August 2021. This addresses the cybersecurity perspective in the engineering of electrical and electronic systems within road vehicles.
It is designed to help manufacturers keep abreast of changing technologies and cyberattack methods, and defines the vocabulary, objectives, requirements and guidelines related to cybersecurity engineering for a common understanding throughout the supply chain.