Cybersecurity for smart vehicles: a new paradigm

“For full IT security in the transport infrastructure it is not enough simply to make the cars themselves secure. The more autonomous cars become, the more they depend on external information,” says Alexander Kruse, Senior Key Account Manager at secunet, G+D’s cybersecurity subsidiary and Germany’s leading cybersecurity company.

Consider the “external information”: it comes from roadside units, which look at, among other things, data on the condition of the roads, hazards, and possible accidents. All this tech derives from good intentions: it is there to maximize traffic flow without compromising safety, and it seeks to mitigate automotive impact on the environment, for example by shortening drive times, which reduces emissions. All this information is being fed to, and processed by, the individual car. That car may well be security-compliant to a very high degree when it comes to cybersecurity. But the environment it is embedded in is open to attack. Eventually, then, the car itself is at risk.

The move towards smarter, more autonomous vehicles is gathering momentum. More sensors means more information, the better to react to any traffic scenario. Increasingly sophisticated software is being deployed, to make driving both more convenient and safer through better communication between the vehicle and the larger transport system. This system is of course highly connected with an ever-growing number of interfaces, all of which are portals to possible attacks. Standalone systems won’t be able to cope with these threats. Traffic safety depends upon consistent security standards being set that all manufacturers and suppliers follow, and a strategic template of system design that allows for ongoing innovation.

“Cybersecurity in the automotive sector cannot be achieved purely through standalone solutions – especially not in the case of a highly networked, intelligent transport infrastructure,” says Kruse. “Manufacturers and suppliers must therefore consider the entire technical chain, from hardware, control units, and internal and external communication interfaces, through to back end. They then need to aim to create an all-in-one solution in the form of a comprehensive and secure system design.”

The bigger picture

If anything, the cases cited above show that a holistic view is required if IT security for networked vehicles is to actually be effective. Flexibility needs to be designed into it as well. The automotive industry is a dynamic environment, where industry standards and requirements change continuously. Technology changes, and so do the demands we make of it. To meet these demands in a secure way, the automotive sector can rely on secunet’s broad portfolio of cybersecurity solutions and consulting services, which address not only the connected car but also related aspects like car sharing, logistics management, or electromobility. 

There is a recognition that there are simply too many platforms and protocols in play, from those used by automotive OEMs, for example, to those utilized by MNOs. There needs to be an industry-wide agreement on a framework or set of conditions, or even specific standards for the requirements certain products must have, safety-wise. Consider the example of electric vehicles, which need to be connected to a charging infrastructure that requires the quick exchange of information, including payment contracts. The international standard in vehicle-to-infrastructure communication in the electric mobility sphere is ISO 15118, which secunet helped develop. Its motto, “Plug & Charge”, is a useful way of thinking about how deceptively easy these daily transactions are. The consumer’s user journey has to be convenient and quick, but the work going on in the background is dynamic, and must always be secure; data regarding charging contracts is protected through the use of digital certificates.

There are great opportunities here if consistent security standards are applied across the sector. Not only are there security benefits; these standards also ensure more compatibility, and the payoff of modularizations helping IT solutions be increasingly flexible. “Comprehensive regulations would also increase the cost-effectiveness of cybersecurity in the transport infrastructure – and thus also the level of IT security itself,” says Harry Knechtel, Head of Development in secunet’s Industry division.

Flexible for the future

The solutions delivered by secunet are not limited to specific manufacturers. There is scope for HSMs manufactured by different entities to be operated at the same time – for instance, using secunet’s in-house hardware abstraction layer. Support is available for the CloudHSM solution used by Amazon Web Services (AWS). A microservice deployment is also offered, in the form of docker containers with secunet’s PKI.

For the future, secunet is busy developing prototypes whose specifications are not even covered by the market yet. In a world that is changing very quickly, it is already implementing quantum-computing-resistant algorithms. The need of the hour is to be flexible and responsive, and identify vulnerabilities before they are exploited.

Published: 13/04/2023