Connected cars are made up of digital components that - while improving the driving experience - also make them susceptible to malicious attacks. As an industry traditionally full of engineers now grapples with software development becoming a primary focus, carmakers are encountering challenges along the path to achieving advanced security. Here are the top hurdles OEMs face in keeping connected cars secure.
Keeping connected cars secure: Cybersecurity challenges
Automotive Cybersecurity Engineer
10 min read
Until recently, car security referred to protecting a vehicle from physical break-ins. With the advent of connected cars, this is no longer the only security concern. Now, automakers are not only tasked with the challenge of keeping cars safe from potential thieves, but they also need to protect what is essentially a computer on wheels from hackers that could be thousands of miles away.
Components come from various suppliers
One of the top hurdles between carmakers and advanced car security is bringing all of the different components that make up a connected car together in a secure way. In order to combat this issue, automakers must include security in car design from the very first stages. This can be done by consulting with an expert that has knowledge in both automotive and cybersecurity -- an overlap which is lacking in either field.
For automakers, maintaining consistent security standards across components is often easier said than done, as many of them buy parts off the shelf from various suppliers, intending to put them together into one running system. Unfortunately, a lot of suppliers do not yet view it as their responsibility to prevent cyber threats that could arise further down the supply chain by making the parts secure.
This potential issue brought by varying components is worsened when carmakers purchase specific parts that have yet been brought to market and thus not finalized in terms of security design. These components could end up not fulfilling security needs if the part undergoes further changes down the line.
In order to make sure that different parts can work together, automakers need to strike a balance with security requirements. They must be generic enough to allow for innovation, but specific enough to keep security consistent throughout the whole system. For example, cryptographic algorithms come in all shapes and forms: Some of them are very secure but resource-intensive, whereas others are more lightweight but might not be available for other components that the OEM orders for the same car. This balance can only come from integrating security into car design from the beginning - something which is not yet widespread in the automotive industry.
In fact, 19% of respondents to this survey said they don’t do enough security testing in the design phase, and only 28% said that they do a lot of the testing during the design stage. By implementing security into design, automakers can make sure that the various parts work together to keep the entire system secure.
Lack of a standardized approach
Car cybersecurity is a relatively new field, meaning automakers are not yet building solutions on the foundations of tried-and-tested successes, nor is there a standardized approach of how to build secure systems across the industry. Combined with the lack of openness traditionally seen in the automotive industry, this is resulting in OEMs each trying to come up with their own homegrown solution from scratch.
Like with the key-in-lock function, the sector needs to form a security standard that can be shared, improved upon, and used globally. Suppliers should use common security requirements and allow OEMs to test the end-to-end security of a platform made up of parts from different sources. Ultimately, suppliers and OEMs must speak the same language to achieve end-to-end security to protect drivers and avoid cybersecurity-related recalls - the latter having impacted 1.4 million vehicles since 2015.
Software development is new territory
While the automotive industry has historically had a strong focus on safety, an equivalent culture around cybersecurity is yet to be established. To protect drivers, automakers took decades to create specific safety rules that were essential to follow. With cybersecurity, this isn’t the case. As carmakers attempt to rush the job with the blueprint used for safety still in their minds, they end up creating complicated solutions that don’t actually fill in the security gaps in their systems.
For this to change, cybersecurity cannot remain strictly an “IT topic” in the eyes of automakers. Connected car security needs to be embraced by core teams and part of the core value-chain activities, and soon. By next year, we can expect to see a quarter billion connected cars on the road.
Consulting with an expert partner that acts as a fresh pair of eyes can allow automakers to understand vital parts of advanced car security, such as the necessity of cloud updates. It can also help carmakers revamp culture among teams to see cybersecurity as a core part of car design, rather than something to be tested at a later stage. While the current hurdles to achieving connected car security may seem complicated to overcome - they are necessary for carmakers to clear if they want to protect their systems from destructive hacks and keep drivers safe on the roads.