The world is experiencing interesting times with connected devices redefining how human beings interact with the ecosystem. In this context, innovation in the automotive industry is particularly noteworthy, with connected vehicles becoming equipped for varying degrees of autonomous driving. Their popularity will only continue to grow in the near future with an expected market size of $469 billion (Rs 36,61,952 crore) in 2030.
To deliver the expected quality of service, modern connected vehicles mostly rely on cloud-based architecture built on 5G technology. Vehicular communication is enabled by Vehicle-to-Everything (V2X) technologies such as Cellular Vehicle-to-Everything (C-V2X) and Dedicated Short-Range Communication (DSRC) based on the IEEE 802.11p system, which aggregate information across network drop points. These technologies use embedded SIM (eSIM), mobile networks, Wi-Fi and Radio Data System (RDS), among others, to glean relevant insights and develop environmental awareness about the infrastructure present around vehicles.
Cybersecurity as a key determinant of quality of service
These advancements and the automation capabilities of connected vehicles are amplifying the need for stronger cybersecurity controls. Connected vehicles use distributed electrical/electronic cloud architecture. Such a setup, when coupled with a high-availability and low-latency 5G network, can present an attack surface that is more vulnerable to various cyberthreats, including unauthorised access, man-in-the-middle attacks and a compromised supply chain. Any compromise within the ecosystem could adversely affect the safety, security and privacy of the vehicle(s) and its user(s). For example, cloud-specific misconfigurations or weak authorisation of APIs used in connected vehicles can be exploited by attackers to gain remote unauthorised access to vehicles, allowing them to disable safety functions, causing loss of PII data or increasing the vehicle’s susceptibility to threats such as theft.
Government bodies, vehicle manufacturers and suppliers must collaborate and continuously focus on containing and mitigating such situations wherein the assets of a connected vehicle can become its weakest links. To comprehensively address cybersecurity challenges, they need an elaborate, risk-based prioritisation and defense framework derived through threat modeling and risk analysis of the attack surface for connected vehicles. Such a framework should:
Visualise and incorporate ‘Secure-by-design’ principles into all technologies (including custom-developed and third-party OEM-delivered) defining the electronic/electrical architecture of connected vehicles.
Establish segregation of the navigation systems and design adequate solutions to do away with any possible attacks. Gaining visibility across the connected vehicle landscape and enabling detection and isolation in response to identified threats are critical.
Have in place the reference architecture blueprint, functions and capabilities that will deliver connected vehicles with secure management of hardware and software components, and the required resilience and recovery mechanisms to address cyber incidents.
Integrate a mechanism for information gathering and sharing across the automotive industry to enhance the overall cybersecurity posture associated with the paradigm of connected vehicles.
Constitute the management of identified vulnerabilities, including the criticality and risk analysis of vulnerabilities, identification of architectural and design-related vulnerabilities and of gaps in operational procedures and processes, and patching of the software.
Leverage a Vehicle Security Operations Center (VSOC), typically required by automotive manufacturers and large fleet owners to defend against next-generation cyberattacks. The VSOC continuously collects event data from vehicle endpoints, interconnected network infrastructure and backend systems, correlates the data, applies AI/ML monitoring models, and detects anomalies arising from a wide spectrum of threats.
Enforce and refine policies, standards, procedures, and processes.
With the application of this ‘Vehicle’ framework, a solution to improve the security of autonomous vehicles should include the following, at a minimum:
Enforce best practices for supply chain security for critical hardware and software components that get updated with over-the-air (OTA) updates.
Define architecture and procedures that facilitate detection, the resiliency of controls, and accelerated recovery from any incidents.
Establish intelligence and information sharing standards across the autonomous vehicle industry for collaboration on cyber learnings.
Such a best-practices-based solution focuses on defining cybersecurity considerations across the spectrum of autonomous vehicles. For example, the attack surface for remote connection attacks can be controlled by allowing only outbound connections and restricting any inbound connections to the connected vehicle interfaces.
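What the outbound-only rule means in practice, as an added example that is not part of the original article: replies to sessions the vehicle opened must still get through, so the filter has to track connection state. The addresses, ports, class names and packets below are constructed for illustration, and connection teardown is simplified to a single closing packet.

```python
from typing import NamedTuple

VEHICLE = "10.20.0.5"     # hypothetical address of the vehicle's cellular interface
BACKEND = "203.0.113.10"  # constructed OEM backend address (documentation range)
SCANNER = "198.51.100.7"  # constructed unsolicited remote host (documentation range)

class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # bare SYN: an attempt to open a new connection
    fin: bool = False  # closing packet (simplified teardown)

class OutboundOnlyFilter:
    """Accept egress; accept ingress only on flows the vehicle itself opened."""
    def __init__(self, local_addr):
        self.local = local_addr
        self.flows = set()  # (local_port, remote_addr, remote_port)

    def decide(self, p):
        if p.src == self.local:               # vehicle -> network
            key = (p.sport, p.dst, p.dport)
            if p.syn:
                self.flows.add(key)           # remember the session we opened
            if p.fin:
                self.flows.discard(key)       # session closed by the vehicle
            return "ACCEPT"
        key = (p.dport, p.src, p.sport)       # network -> vehicle
        if p.dst == self.local and key in self.flows and not p.syn:
            if p.fin:
                self.flows.discard(key)       # session closed by the peer
            return "ACCEPT"
        return "DROP"                         # unsolicited or unknown flow

def run_sample():
    fw = OutboundOnlyFilter(VEHICLE)
    packets = [
        Packet(VEHICLE, 40001, BACKEND, 443, syn=True),  # vehicle opens a session
        Packet(BACKEND, 443, VEHICLE, 40001),            # reply on that session
        Packet(SCANNER, 55555, VEHICLE, 22, syn=True),   # unsolicited inbound connect
        Packet(SCANNER, 443, VEHICLE, 40001),            # right port, wrong peer
        Packet(VEHICLE, 40001, BACKEND, 443, fin=True),  # vehicle closes the session
        Packet(BACKEND, 443, VEHICLE, 40001),            # late packet after close
    ]
    return [fw.decide(p) for p in packets]

if __name__ == "__main__":
    print(run_sample())
```
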
Dedicated legislative focus and regulations will ensure a foundational layer of protection is built into connected vehicles and their surrounding ecosystem from threats.
Regulations such as UNECE WP.29 or industry standards like ISO/SAE 21434 will require OEMs to establish cyber-risk management practices across the lifecycle of the vehicle with demonstrated compliance. The UNECE WP.29 regulation on cybersecurity will become binding on member countries. In fact, broader adoption of these regulations across the world is required, as cybersecurity has largely remained unregulated in the automotive industry, unlike in financial services or healthcare. To this end, different countries have established multiple initiatives to incorporate cybersecurity as a key factor in the adoption of autonomous vehicles. For example, in the US, the National Highway Traffic Safety Administration has defined a framework that leverages the cybersecurity standards prescribed by the National Institute of Standards and Technology to improve the cybersecurity posture of connected vehicles. In France, Telecom Paris has set up the Connected Cars and Cyber Security (C3S) Chair as one of the authorised bodies that will determine whether the level of autonomy in connected vehicle technology is in conformance with corresponding French regulations.
As more connected vehicles enter our roads promising greater safety and a more comfortable driving experience, the onus is on automotive manufacturers to adopt these standardised frameworks ensuring cybersecurity. Their adoption of sound cybersecurity principles will help manage growing customer expectations whilst neutralising the growing threat of cyberattacks.
By Kumar MSSRRM, AVP and Delivery Head at Infosys Cybersecurity