
Adding communication capabilities to vehicles creates security risks, as third parties could gain uncontrolled access to vehicle data, jeopardising the safety of the vehicle, its occupants and other road users as well as the privacy of passengers and other citizens. These risks include system intrusion, personal data theft, cyber-physical attacks and data corruption, among others. The different networks in the vehicle (i.e. infotainment, chassis control, power train, body control), which are interconnected by a central gateway, have diverse security requirements and risks (see Figure 22). In the case of AVs, vehicle manufacturers develop, implement and manage software and hardware extensions (Gleave et al., 2016). “The connection between the in-vehicle system and the manufacturer's central server has to be secure, so that all data transfers are protected from unauthorised disclosure and manipulation” (Gleave et al., 2016). Vulnerability cases have been discovered in the past.

For instance, in 2015, hackers took control of a Jeep over the internet, revealing a security hole in Fiat Chrysler Automobiles’ Uconnect internet-enabled software (Gibbs, 2015). In the same year, security researchers attacked BMW ConnectedDrive and managed to remotely unlock vehicles (C’t magazine für computer technik, 2015). Similarly, in 2016, security researchers discovered how to use Software Defined Radio (SDR) to remotely unlock different brands of vehicles including Volkswagen, Alfa Romeo, Citroën, Fiat, Ford, Mitsubishi, Nissan, Opel, and Peugeot (Gitlin, 2016). Another example is the attack made by researchers from the Chinese Keen Security Lab, who remotely manipulated the brake system on a Tesla while it was on the move (Lee, 2016).

(17) See European Commission Digital Single Market site on “Building a European Data Economy” https://ec.europa.eu/digital-single-market/en/building-european-data-economy, last accessed 22 February 2017.

Figure 22. High level architecture of a smart car

Source: ENISA, 2016 (© European Union Agency for Network and Information Security (ENISA)).

In (European Commission, 2016a) the cyber-security of C-ITS communications has been acknowledged as being critical and requiring action at European level. There is a need for clear rules, adopted at the Union level, avoiding fragmented security solutions which will put interoperability and the safety of end-users at risk. An EU-wide security framework for the deployment and operation of C-ITS in Europe, based on Public Key Infrastructure technology (defined in this context as the combination of software, asymmetric cryptographic technologies, processes, and services that enable an organization to secure C-ITS communications) and addressing vehicle and public infrastructure elements (including a compliance assessment process) is needed. Working on a common security solution for C-ITS will serve as preparatory work for stronger security at higher levels of automation. The following specific actions on security of C-ITS communications are identified:

— “The Commission will work together with all relevant stakeholders in the C-ITS domain to steer the development of a common security and certificate policy for deployment and operation of C-ITS in Europe. It will publish guidance regarding the European C-ITS security and certificate policy in 2017.

All C-ITS deployment initiatives should participate in the development of this common security policy by committing from the beginning to implement future-proof C-ITS services in Europe.

The Commission will analyse the roles and responsibilities of the European C-ITS Trust Model, and whether some operational functions and governance roles should be taken over by the Commission (as, for instance, in the case of the Smart Tachograph).”

Figure 23. Summary of good practices to ensure the security of smart cars

Source: ENISA, 2016 (© European Union Agency for Network and Information Security (ENISA)).

The ENISA report recently published (ENISA, 2016), although not explicitly addressing automated vehicles or connected vehicles, maps the current threats that passengers and drivers are exposed to on a daily basis, both as private vehicle users and commercial vehicle users. It identifies good practices that ensure the security of smart cars against cyber threats, divided into three categories: Policy and standards, Organizational measures and Technical. Good practices are summarised in the figure below (Figure 23). Then, the following recommendations are given:

“Recommendations for smart car manufacturers, tiers and aftermarket vendors:

Improve cyber security in smart cars. The industry actors should establish the good practices that effectively enhance the security of their products.

Improve information sharing amongst industry actors. Information sharing helps industry actors challenge the relevance of their security mechanisms according to field information. Communities for information sharing already exist, and we recommend pursuing this effort.

Improve exchanges with security researchers and third parties. Industry actors should enhance their contacts with third parties, especially from the security domain.

Recommendation for smart car manufacturers, tiers, aftermarket vendors and insurance companies:

Clarify liability among industry actors. Living in heavily-tiered environment, industry actors should define processes to clarify their respective liability in case that security issues arise.

Recommendation for industry groups and associations:

Achieve consensus on technical standards for good practices. The good practices listed in this report are meant as an input for a standardization effort, rather than being directly applicable to a specific car design. The details of the security requirements should be defined in the context of standards.

Define an independent third-party evaluation scheme. The existing safety standards for automotive systems only marginally address security, and we recommend to define an independent evaluation scheme.

Recommendation for industry groups and associations and security companies:

Build tools for security analysis. Industry actors can directly improve their security testing skills by building tools for security testing and security monitoring.”

In the NHTSA policy guidance document (NHTSA, 2016a), cybersecurity is addressed by urging manufacturers and other entities to follow a robust product development process based on a systems-engineering approach, including systematic and ongoing safety risk assessment for the AV system, the overall vehicle design into which it is being integrated and, when applicable, the broader transport ecosystem. Manufacturers and other relevant organizations are advised to consider established best practices for cyber-physical vehicle systems. In particular, the Alliance of Automobile Manufacturers (AAM) formed a voluntary Information Sharing and Analysis Centre (Auto-ISAC) in 2014 to target the threat of hackers (McCarthy et al., 2014). An ISAC (Information Sharing and Analysis Center) is a trusted, sector-specific entity that can provide a 24-hour per day and 7-day per week secure operating capability that establishes the coordination, information sharing, and intelligence requirements for dealing with cybersecurity incidents, threats, and vulnerabilities. Sharing lessons learned on cybersecurity is as important as sharing the data itself. Therefore, reporting cyber vulnerabilities to the Auto-ISAC is strongly encouraged. Adopting a vulnerability disclosure policy is also encouraged.
