Cars and Infosec – I should have been a lawyer…


John Arnold

October 15, 2015

Capgemini’s cars online survey 2015 describes what customers are looking for when they buy a new car.  Increasingly, manufacturers will need to deploy information, and IT, to satisfy the market’s expectations.  This creates an increased need for security.  I will describe some interesting aspects below.
In-car features: customers want IT in many aspects of their car.  This includes entertainment, navigation, communication, security, and vehicle management.  Some of these are safety critical, some aren’t.  The critical aspects must be rigorously engineered, and protected from interference.  It is unlikely that the less critical aspects can be engineered to the same standard, so a vehicle will have to separate these out so that they cannot be a source of risk.
Many manufacturers seem to be failing to provide this separation adequately, judging by the analyses performed by security specialists in this space.
This type of problem is best addressed early on in a car’s lifecycle: rigorous assurance and testing work is expensive, but recalling millions of cars to correct a security flaw is even more expensive!
Talking of recalls: wouldn’t it be better to update vehicle software remotely over the air?  Perhaps – but how will manufacturers contact the owners?  What happens if an owner forgets to perform an update?  Will drivers need a cyber security qualification before they are allowed to have a driving a license?
Ecosystem: a manufacturer will have to collaborate with customers during the purchase and fulfilment process.  It must also collaborate with the supply chain (OEMs, dealers, after-market manufacturers etc).  This will involve passing around personal information (people’s contact details and preferences), commercially sensitive information, payment information, and intellectual property. 
Players in this market will need to be able to register many different types of user with many different levels of IT capability.  Players must be able to authenticate their users, control their access, keep appropriate records, and detect cyber attacks and other misbehaviour.
Modern identity management tools can facilitate this through single sign-on, federation and business-focussed access policies.  A Security Operations Centre (SoC) is important for maintaining security situational awareness.
Big Data: as cars become more instrumented, opportunities will arise to start gathering data about them.  Insurance companies, for instance, are starting to offer drivers a discount if they will allow their driving style to be monitored.  This has obvious benefits, but drivers have to think about the consequences for their privacy: are they happy for so much information about them to be made available?
Self-driving cars: this is something of a wild card.  Self-driving cars have gone from a nerdy experiment to a whole collection of commercial ventures.  Obviously, a self driving car needs to be able to navigate the world’s roads safely.  Many common driving self-driving scenarios require the cars to communicate, not just with each other, but with the surrounding environment.  This creates new routes for cyber-attack.
Liability: if a car crashes after it’s been hacked, who’s liable – the driver, the manufacturer, the software developer, or the test house that assured it?  I should have been a lawyer…
Capgemini has a huge global security practice with deep experience of the automotive industry.  Capgemini has specialist practices in risk analysis, application security testing, identity management, SoC and end point security.

This article was written by John Arnold from CapGemini: Capping IT Off and was legally licensed through the NewsCred publisher network.

Great ! Thanks for your subscription !

You will soon receive the first Content Loop Newsletter