Security in the automobile: Is everyone on track?

The industry's first automotive security development kit simplifies the protection of in-vehicle networks against hackers

In 2015 cyber security researchers Charlie Miller and Chris Valasek hacked and gained control of a Jeep Cherokee through the internet. Fortunately it was a white hat attack, but it proved that modern vehicles can be extremely vulnerable to hacker attack.

Since then the subject of security has been a major topic at big automotive conferences. Germany’s BSI (Federal Office for Information Security) wrote in the 2018/01 issue of its magazine: “While attacks on automotive electronics in the past were primarily for the purpose of car theft, developments in recent years show that meanwhile the potential for attack is going a lot further. A number of other attacks on automotive systems have been published that illustrate the threat to networked vehicles. It was demonstrated, for example, that driving functionality could be penetrated through poorly secured infotainment modules in vehicles by an internet connection. Certain smartphone apps that control functions like opening doors or call up driving information also proved to be vulnerable.”

The article continues, “In the automated and networked driving strategy of the Federal Government it is explicitly pointed out that clear IT security standards are needed, especially in vehicle approval. The BSI is actively cooperating with the BMVI (Federal Ministry of Traffic and Digital Infrastructure) on devising appropriate criteria, and on the future focus of cyber security in road traffic.”

The subject of security seems to have properly arrived in Germany. But what does it look like in other regions?

Yes, no, yes and no

Björn Steurich, project manager for automotive cyber security in the ATV division of Infineon Technologies, currently sees differences not so much between individual regions as between the various OEMs within the regions, because OEMs are likely to set different priorities when it comes to how critical the various attack scenarios are (e.g. motor tuning, theft statistics). But “meanwhile the majority of carmakers have installed central security functions, and are working on an integral security approach for future vehicle generations.”

Todd Slack, strategic marketing manager for automotive security products in the secure products group of Microchip, has likewise found that many security targets are common to all regions. But he has also found that the roadmaps and strategies for introducing security can be very different. “Worldwide there seems to be an infinite number of syndicates, best-practice directives, standards and specifications. Still, there’s no documentation that could simply be adopted by all OEMs. So we see that they select extracts from these extensive documents, and ultimately create their own cyber security specifications.”

In doing so, the OEMs are intent on upgrading their existing architectures with as few restrictions as possible. Slack: “We see North America and Europe leading when it comes to requirements for a secure boot implementation. That applies in particular to control units that are of critical functional security, and to message authentication in a CAN network.” The last point has to do with upgrading from CAN 2.0 to CAN-FD, which in these regions will come with the 2021 model year. OEMs and Tier 1 suppliers in Japan and South Korea are much more cautious, Slack reckons, when it comes to changes to existing architectures. Companies in these regions would first closely observe the security strategies in Europe and North America. That is also because the introduction of CAN-FD in Japan and South Korea comes much later.