Adam Bannister

Editor, IFSEC Global


Adam Bannister is editor of IFSEC Global. A former managing editor at Dynamis Online Media Group, he has been at the helm of the UK's leading fire and security publication since 2014.
August 9, 2017


UK government issues cybersecurity guidelines for connected cars

The Department for Transport has published cybersecurity guidelines for manufacturers of smart or connected cars.

Written with help from the Centre for the Protection of National Infrastructure, the principles implore everyone in the automotive supply chain to collaborate during the design process and over software upgrades and maintenance long after cars hit the road. The authorities are concerned about the prospect of older vehicles running outdated software.

As cars become increasingly automated – and ultimately, driverless – the stakes will rise. Last year ‘ethical’ hackers managed to wrest control of a Tesla Model S while the car was moving and slam on the brakes.


The eight principles, which were launched by transport minister Lord Callanan, follow:

  • Organisational security is owned, governed and promoted at board level
  • Security risks are assessed and managed appropriately and proportionately, including those specific to the supply chain
  • Organisations need product aftercare and incident response to ensure systems are secure over their lifetime
  • All organisations, including sub-contractors, suppliers and potential 3rd parties, work together to enhance the security of the system
  • Systems are designed using a defence-in-depth approach
  • The security of all software is managed throughout its lifetime
  • The storage and transmission of data is secure and can be controlled
  • The system is designed to be resilient to attacks and respond appropriately when its defences or sensors fail

Connecting to WiFi and to external devices via Bluetooth, modern cars are increasingly ‘smart’.

“The communications and entertainment systems are particularly vulnerable to attack, and can be reverse engineered to access the API libraries that facilitate data sharing between systems,” says Mark Noctor, VP EMEA at Arxan Technologies. “From here attacks can even inject malicious code into the electronic control units (ECUs) and controller-area-network (CAN) bus, which control critical systems such as electric steering and braking.

“Preventing application code from being accessed and tampered is one of the biggest priorities in protecting a connected vehicle, and it is encouraging to see the government’s guidelines specifically list the ability to protect code and ensure its integrity as key principles.

“Manufacturers must deploy code hardening measures to prevent attackers from accessing their source code and removing vital data such as cryptographic keys which can be used to access other systems. Anti-tampering measures should be hidden in the code to alert them if the code has been changed, and prevent systems from starting if alterations are detected.”

The government announced the Autonomous and Electric Vehicles Bill, which will “allow innovation to flourish and ensure the next wave of self-driving technology is invented, designed and operated safely in the UK”, during the Queen’s Speech in June.

The outcome of recent efforts by the US government to engage with US automakers over the issue does not augur well. Asked by a Senate committee if they supported mandatory privacy and safety standards, executives from Google, General Motors, Delphi and Lyft were evasive.


Andrew Snyder

Adam, it is great to see the UK govt tackle this need for application shielding and usage of whitebox technology and code protection and obfuscation to create code that defends itself.

Keep up the good work!
