Connected car

Cybersecurity for smart vehicles: a new paradigm

Technical Innovation
5 Mins.

The software and hardware technology we take for granted now in our vehicles ranges from parking assistance to autonomous cars. These technologies rely on inputs from the internet, radar equipment, and the like. However, all these points of external communication to an increasingly connected transport system renders the whole more vulnerable to attack. Let’s look at how we can provide automotive cybersecurity in this hyper-connected reality.

“For full IT security in the transport infrastructure it is not enough simply to make the cars themselves secure. The more autonomous cars become, the more they depend on external information,” says Alexander Kruse, Senior Key Account Manager at secunet, G+D’s cybersecurity subsidiary and Germany’s leading cybersecurity company.

Consider the “external information”: it comes from roadside units, which look at, among other things, data on the condition of the roads, hazards, and possible accidents. All this tech derives from good intentions: it is there to maximize traffic flow without compromising safety, and it seeks to mitigate automotive impact on the environment, for example by shortening drive times, which reduces emissions. All this information is being fed to, and processed by, the individual car. That car may well be security-compliant to a very high degree when it comes to cybersecurity. But the environment it is embedded in is open to attack. Eventually, then, the car itself is at risk.

The move towards smarter, more autonomous vehicles is gathering momentum. More sensors means more information, the better to react to any traffic scenario. Increasingly sophisticated software is being deployed, to make driving both more convenient and safer through better communication between the vehicle and the larger transport system. This system is of course highly connected with an ever-growing number of interfaces, all of which are portals to possible attacks. Standalone systems won’t be able to cope with these threats. Traffic safety depends upon consistent security standards being set that all manufacturers and suppliers follow, and a strategic template of system design that allows for ongoing innovation.

“Cybersecurity in the automotive sector cannot be achieved purely through standalone solutions – especially not in the case of a highly networked, intelligent transport infrastructure,” says Kruse. “Manufacturers and suppliers must therefore consider the entire technical chain, from hardware, control units, and internal and external communication interfaces, through to back end. They then need to aim to create an all-in-one solution in the form of a comprehensive and secure system design.”

“Cybersecurity in the automotive sector cannot be achieved purely through standalone solutions – especially not in the case of a highly networked, intelligent transport infrastructure.“
Alexander Kruse
Senior Key Account Manager, secunet

Long-lived, but vulnerable

Vehicles these days collect, create, and process enormous amounts of data. In fact, research indicates that connected cars generate up to 25 GB of data every hour! Numerous hackers, white-hat and otherwise, have exploited vulnerabilities manufacturers weren’t aware existed, proving the need not just for greater vigilance, but also for better security design.

The biggest problem for a car’s security is, ironically, its longevity. A vehicle’s life cycle can be 20 years or more. In other areas where single units need to be secured – for example, a laptop or a mobile phone – the life cycle is a fraction of that. The entire unit is replaced at regular intervals.

A vehicle will, by contrast, reach a stage where it is still completely roadworthy, but is no longer physically capable of having its software updated. This is an issue that the entire automotive sector has to face.

This is at the level of the individual vehicle. A public key infrastructure (PKI), hardware security module (HSM), or other conventional standalone IT solution does offer safeguards against data being read or altered. But these offer little protection if the access to the solution itself is vulnerable. If anything, attackers can then use them once they are inside the system. In the same way, a security chip may give a user peace of mind. But it is useless if the software analyzing it is open to attack.

Woman unlocking mobile phone in car

The bigger picture

If anything, the cases cited above show that a holistic view is required if IT security for networked vehicles is to actually be effective. Flexibility needs to be designed into it as well. The automotive industry is a dynamic environment, where industry standards and requirements change continuously. Technology changes, and so do the demands we make of it. To meet these demands in a secure way, the automotive sector can rely on secunet’s broad portfolio of cybersecurity solutions and consulting services, which address not only the connected car but also related aspects like car sharing, logistics management, or electromobility. 

There is a recognition that there are simply too many platforms and protocols in play, from those used by automotive OEMs, for example, to those utilized by MNOs. There needs to be an industry-wide agreement on a framework or set of conditions, or even specific standards for the requirements certain products must have, safety-wise. Consider the example of electric vehicles, which need to be connected to a charging infrastructure that requires the quick exchange of information, including payment contracts. The international standard in vehicle-to-infrastructure communication in the electric mobility sphere is ISO 15118, which secunet helped develop. Its motto, “Plug & Charge”, is a useful way of thinking about how deceptively easy these daily transactions are. The consumer’s user journey has to be convenient and quick, but the work going on in the background is dynamic, and must always be secure; data regarding charging contracts is protected through the use of digital certificates.

There are great opportunities here if consistent security standards are applied across the sector. Not only are there security benefits; these standards also ensure more compatibility, and the payoff of modularizations helping IT solutions be increasingly flexible. “Comprehensive regulations would also increase the cost-effectiveness of cybersecurity in the transport infrastructure – and thus also the level of IT security itself,” says Harry Knechtel, Head of Development in secunet’s Industry division.

Flexible for the future

The solutions delivered by secunet are not limited to specific manufacturers. There is scope for HSMs manufactured by different entities to be operated at the same time – for instance, using secunet’s in-house hardware abstraction layer. Support is available for the CloudHSM solution used by Amazon Web Services (AWS). A microservice deployment is also offered, in the form of docker containers with secunet’s PKI.

For the future, secunet is busy developing prototypes whose specifications are not even covered by the market yet. In a world that is changing very quickly, it is already implementing quantum-computing-resistant algorithms. The need of the hour is to be flexible and responsive, and identify vulnerabilities before they are exploited.

Published: 13/04/2023

Share this article

Subscribe to our newsletter

Don’t miss out on the latest articles in G+D SPOTLIGHT: by subscribing to our newsletter, you’ll be kept up to date on latest trends, ideas, and technical innovations – straight to your inbox every month.

Please supply your details: