WCX17: Cybersecurity fears soar as connectivity escalates

  • 06-Apr-2017 05:28 EDT

Cybersecurity panelists (from left) Russ Bielawski from the University of Michigan, Dan Massey from the U.S. Dept. of Homeland Security and Andre Weimerskirch of Lear Corp. listened to questions from a large Cyber Security crowd at WCX17. (Terry Costlow)



For security experts, connectivity is the gift that keeps on giving. The number of threats will increase rapidly as more vehicles are connected, and vulnerabilities on older vehicles will be in constant need of updating.

Tier 1s and OEMs have many reasons to worry about hackers, and the use of vehicles in terror attacks makes them a concern for security agencies at many levels. While successful real-world attacks are still quite rare, many observers fear that things could change quickly.

“I don’t think we’ll have a gradual change,” said Dan Massey, Cybersecurity Program Manager at the U.S. Dept. of Homeland Security. “I’d love to see a slow progression starting with one or two one-off attacks. I fear we won’t have the opportunity – that it will go from seeing nothing but a few cyber-attack demonstrations to tens or hundreds of thousands of vehicles to be concerned about.”

Massey and other panelists at the SAE WCX 2017’s “Vehicle Cybersecurity and the IoT” session cited a number of instances where connectivity has the potential for considerable problems. Kevin Harnett of the Dept. of Transportation’s Volpe Center noted that new vehicles acquired by the FBI, U.S. Border Patrol and other agencies have factory-installed connectivity, raising the dangerous possibility that their movements and locations can be tracked.

Graham Watson of Stinger Ghaffarian Technologies expressed concern that equipment from various levels of the supply chain could be compromised, creating vulnerabilities in vehicles if malware is not detected. Large fleet vehicles may be particularly vulnerable to attacks, partially because of their long lifetimes.

“Trucks are often 20 years old; the architectures you see on the road now are quite outdated,” said Andre Weimerskirch of Lear Corp. “They do not have separation between networks, and they use standardized CAN messages. Once there’s a successful hack into the telematic system, hackers have access to the vehicle network, they can speed up the truck or control the brakes.”

There’s a lot of work aimed at preventing attacks. In 2015, the industry formed the Automotive Information Sharing and Analysis Center (Auto ISAC) to focus on cybersecurity. Executive Director Faye Francy described an extensive Best Practices project that was created to provide guidelines for suppliers. Panelists noted that SAE, IEEE and NHTSA are also working diligently to help the industry ramp up its security efforts. Efforts span the entire supply chain.

“The semiconductor industry has risen to the challenge,” said Brian Murray of ZF-TRW. “They put hardware security modules on chips.”

Testing systems for security is an area that still requires more work. Panelists agreed that penetration tests should be performed, often by outsiders rather than staffers who helped create the system under test. While some suggested standardizing penetration testing to ensure that companies address a wide number of potential vulnerabilities, that was not a consensus opinion.

“Penetration testing has to be a very creative process,” said Russ Bielawski of the University of Michigan. He also noted that over-the-air updating will be an important factor. As new threats emerge, vehicles already on the highway will need to be updated. However, these updates must be extremely secure, since they alter the firmware that controls the vehicle. That will make updates an attractive target for hackers, panelists agreed. Attacks that are deep within the vehicle may be particularly difficult to address.

“If a Tier 4 inserts compromised code in a module and the OEM authorizes it, how will companies deal with compromised code that’s been certified?” Lear's Weimerskirch mused. “Most companies aren’t able to do anything about that.”
