Connected vehicles need comprehensive security, says CSA
Cloud Security Alliance report says all aspects of vehicle system-of-systems security need attention
The ecosystem around connected vehicles (CVs) is increasingly complex and presents a considerable risk of cyberattack, according to a report from the Cloud Security Alliance (CSA).
The CSA warns in the report that the large number and complexity of connections that make up the CV system-of-systems is creating an environment with many possible means of compromise. The CV community needs to look at the larger picture and develop comprehensive solutions that incorporate security by design to secure this complex environment.
"In the near future, connected vehicles will operate in a complex ecosystem that connects not only vehicles between each other and the traffic infrastructure, but also with new forms of connectivity and relationships to cloud-based services, smart homes, and even smart cities," said Brian Russell, Chair of the CSA IoT Working Group. "For a safe and secure transportation system, the community must take a fresh look at the larger picture, and develop the policies, designs, and operations that incorporate security t
The report, 'Observations and Recommendations on Connected Vehicle Security', provides a comprehensive perspective on vehicle security connectivity design, possible attack vectors of concern, and recommendations for securing the connected vehicle environment.
The report notes that while there are communications standards for CVs that have security engineered in, the sheer scale and complexity of the connected vehicle environment is creating many areas of risk.
Connected vehicles may be broadcasting data to other vehicles (V2V), infrastructure (V2I) and applications (V2x). Vehicles may also be vulnerable through direct access, such as USB, or onboard diagnostic ports, or through remote access to infotainment consoles via Bluetooth, WiFi or mobile. Keyless entry systems may also be vulnerable.
Once the vehicle becomes part of a wider Internet of Things network, connecting to mobile applications, software-as-a-service offerings such as maintenance monitoring, smart home, smart city and smart road applications and systems, or even mobility-as-a-service offerings, the landscape becomes even more complicated.
Any of these connections could be exploited by hackers with various outcomes, including hijacking control of the vehicle's critical and non-critical systems, disabling the same systems, unauthorised tracking, loss of control of the vehicle or unexpected actions.
"Within a system-of-systems (SoS) such as the CV ecosystem, there are many points of interconnectedness. A compromise of any one of these points potentially offers attackers the ability to move laterally throughout the entire ecosystem to compromise other points," the report warns.
Along with the risk to CVs, hackers could use exploits to attack other parts of the ecosystem, such as sending fake data to other vehicles, or compromising equipment within a transportation centre to send false traffic warnings or squelch the transmission of legitimate warnings.
The report makes a number of recommendations to secure the CV SoS, including securing all aspects of CV platforms, interfaces, and protocols from internal and external threats, strong segmentation of systems, secure-by-default settings, and secure update processes. The industry should also look to big data, machine learning and AI to better manage the systems and the risks.
"There are a number of motivations for bad actors to compromise connected vehicle components and technologies, ranging from curious hackers attempting to demonstrate weaknesses, to malicious entities attempting to cause harm, on both small and large scales," said John Yeoh, Senior Research Analyst at the CSA. "Only through the thoughtful use of disruptive technologies such as big data, machine learning and artificial intelligence can we help build a better, safer and more secure connected vehicle ecosystem."