Mobile - secure - connected to launch into the future
How we can protect ourselves against tampering in the vehicle
Published HANSER Mobile Automation (2016)
Even if we cannot always recognise it at first glance, the future transformation on the road has already begun. We live in a networked world and from now on we will always be connected to the Internet. This awakens the same expectations for the vehicles of the future that move us or our goods from A to B. At the same time, the increasing automation makes these vehicles much more independent and less controllable by the user. Greater driving comfort, in which the driver is more and more released from his original job of steering, and more effective use of time are the results.
This progressive development holds innumerable new opportunities and application scenarios, but also new dangers and possibilities for abuse. In addition, the responsibility for the traffic situation is increasingly shifting from the driver to system manufacturers.
In the case of a connected vehicle, all information must be available in real time over the Internet in order for the "Internet of Things" to become a reality. Vehicles are no longer isolated objects, but are integrated into data streams, with virtual entities on different systems that correspond to them.
The vehicle becomes a component in a larger network of interconnected systems, whereby the possibilities for criminal intrusions increase exponentially. As a result, weak points in the data streams and the system communication must be detected and corrected, or preferably prevented, as early as possible. A restriction of the network is not a solution because the advantages resulting from the connectivity are too great and ultimately a clear competitive advantage.
In the future, software from third-party providers will also increasingly be used, as is already evident today in infotainment. “Apps” will interact via mobile devices with the internet and also with the vehicle. Therefore, they must be prevented from having harmful access to the vehicle electronics.
Many attacks on systems should reveal security loopholes and, above all, the weaknesses of manufacturers and users. But not all attackers have such noble objectives. The damage resulting from the failure of hacked systems and associated costs will grow considerably. At the same time, additional sources of risk arise for functional safety, which means malfunctions can occur that also harm people.
Through current examples, the inevitable question arises whereby an attacker will in the future be able to gain access to a vehicle, for example via a remote diagnostic interface. In current press reports on intrusions and successful tampering, for example, the infotainment and the diagnostic interface are cited as critical interfaces. The data flows in the vehicle provide a variety of attack points that can serve for tampering and misuse of these data.
In order to be able to secure vehicle electronics in the future against external access, the companies and service providers involved in the development must create an adequate security culture which ensures the protection of the vehicle, both the physically available and the distributed data, over the entire life cycle.
A purely technological solution does not accomplish the objective. Instead, a change in the working method is needed, since requirements can only be improved by means of a functioning requirements management process, which takes security fully into consideration. Security aspects must consistently be taken into account in the same way as is nowadays already the case for the consideration of functional safety. Starting with development and validation, through production and on to operation of the vehicle and probably also beyond that, for example, when we think of personal data or company secrets.
At the outset of vehicle development are an analysis of the potential attack scenarios and a risk assessment. In the future, this will have to go beyond the isolated treatment of the vehicle, to the entire chain over which vehicle data will be exchanged in the future.
A process-oriented and modular approach is necessary in order to be able to master the complexity. In this way, manufacturers and suppliers must establish an overarching security and quality culture, as well as a security process that is lived by all stakeholders.
As an external service provider and as a development partner, ServiceXpert Gesellschaft für Service-Informationssysteme mbH provides support via a company-neutral process evaluation, starting with an actual situation analysis and the creation of a roadmap, up to complete process consultancy. Solid know-how and a passion for the product combine in the work of ServiceXpert employees in order to make vehicles safer.
ServiceXpert, an ESG-Group company, employs over 85 staff in Hamburg and Munich. ServiceXpert is a Europe-wide operating system and software house with a focused service portfolio for Lifecycle management of EE information for leading manufacturers of commercial vehicle and their supplier industry.