Connected cars bring tremendous promise for automakers and customers alike. At the same time, connectivity brings new risks. Today’s cars have many more attack points than they did just a few years ago: the cloud-based and data center systems to which vehicles connect, the connection itself, and the various in-vehicle modules, including the chips driving those modules and the bus protocols connecting them. Stolen cars and embarrassing online videos, although certainly a problem, pale compared to the potential hacking of entire fleets.
Building lasting, complete security into cars—protecting the entire ‘stack’ at every layer—will take years, especially given the complexity of spanning all supplier relationships. In the meantime, attackers continually seek to exploit the weakest links.
What End-to-End Security Looks Like
What’s needed is a trusted ecosystem of manufacturers, third-party suppliers, service providers, and regulatory bodies.
Comprehensive protection requires hardening critical modules, authenticating all code as authorized to run on the car, enabling ‘over the air’ (OTA) updates, and implementing security monitoring mechanisms. Automakers need to manage signing permissions for entire ecosystems of software developers and publishers, both internally and externally, and retain the ability to revoke signing capabilities as employees and partners come and go.
Factories need cyber security too—especially as manufacturing becomes increasingly connected and related threats continue to rise. Automakers can protect industrial control systems (ICS) with security that covers programmable logic controllers (PLC), automation equipment, and robotics.
Ready Today: Symantec Critical System Protection
Securing firmly established automotive architectures is challenging. So, while security vendors are developing long-term, complete vehicle cyber protection, we’re also providing near-term, more-focused fixes that are already proven effective. Some of these establish a security ‘beachhead’ in the car—usually by locking down the bigger compute platforms such as the vehicle ‘head unit.’
Our first contribution here is Symantec Critical System Protection, which we’ve adapted for the automotive industry from technology that currently protects countless financial transactions every day. Critical System Protection helps enforce whitelisting of good code and how that code is permitted to behave; it can also report anomalous behaviors to manufacturers in real time.
Critical System Protection is easy to build into the head unit, in-vehicle infotainment (IVI) systems, and 32-bit body control modules (BCMs) of most cars. Dealer OBD-II equipment can also use it, which helps prevent diagnostic equipment from becoming an infection vector.
Automotive Network Security: Better All the Time
As I’ve said, protecting each module, supplier by supplier, will take time. So, some carmakers and communication service providers are aggressively updating network security for vehicles.
For instance, network proxies can deeply inspect all connections to and from the car, even inspecting encrypted traffic—going far beyond the security conferred by firewalls, intrusion detection, and intrusion prevention systems.
Such proxies come in both physical hardware and cloud-based security-as-a-service flavors and form factors. Suppliers support network-based security because it can inspect and protect all vehicle internet connections without forcing suppliers to modify their particular modules.
In some cases, network-based security can even help protect cars that have already shipped: A simple reconfiguration of the vehicle’s telecommunications unit ensures it connects to only trustworthy gateways capable of deeper, more effective inspection and protection.
Last, vehicles that boast stepped-up IVI systems with full web browsers can now similarly go to the next level of cyber security with full web threat isolation.
Benchmark Your Cyber Security
Automakers, it is crucial that you learn how the cyber security of your vehicles, or your components, compares to that of your competitors. You don’t want to miss a critical step or get caught at a disadvantage; this is true regardless of your experience or expertise in building security into vehicles. To stay ahead, we recommend you work with an experienced vehicle security consulting company, such as Symantec.
Symantec already protects over a billion IoT devices in other verticals. We’re adapting our unequaled portfolio of security technologies to the unique challenges of automotive security—and quietly, behind the scenes, we’ve begun building security into tens of millions of vehicles.
Brian will appear as an expert on the panel “The Cyber Threat Landscape in the Automotive and Trucking Sector” at the 2nd Billington Automotive Cybersecurity Summit, August 3, in Detroit.