While automakers scramble to explore how IoT can be exploited for the advancement of connected car services and features, addressing cyber security for automotive applications has become an equal priority. The pressing need to protect connected vehicles from a wide range of cyber threats has spawned a burgeoning new industry: automotive cyber security.
Industry experts forecast that 250 million connected vehicles will be on the road by 2020. To combat the threat of cyber attacks against vehicle systems, the auto industry formed the Automotive Information Sharing and Analysis Center (Automotive-ISAC) in July 2015. By encouraging collaborative efforts toward automotive cyber security, the organization endeavors to put the industry on a proactive footing, rather than waiting for the first automobile cyber attack headline to appear.
The Automotive-ISAC has developed a set of Best Practices for automakers to voluntary follow when developing connected car systems. Since these recommendations establish the guidelines automakers are likely to follow, they should be of interests to developers of outsourced OEM systems and aftermarket products, as well. The guidelines can not only inform developers of the considerations manufacturers will be looking at when validating 3rd party software, but they also reveal opportunities where innovation can happen.
The Best Practices created by Automotive-ISAC establish seven key functions of automotive cyber security. The functions represent factors across the vehicle ecosystem that can affect cyber security. While the last two functions concern governing cyber security efforts and training within an automaker, the first five functions, shown below, should be of particular interest to developers looking to operate in this space. The five functions are:
- Security by design
- Risk assessment and management
- Threat detection and protection
- Incident response
- Collaboration and engagement with appropriate third parties
At first glance, the connection between the Best Practices functions and custom development solutions might not be clear. However, as you will see, each exposes opportunities for innovative developers to enter the emerging and lucrative automotive cyber security space.
Before we explain what each function means for the developer, we need to explain a bit more about what the functions do. Each function includes a list of Best Practice considerations that target automakers at various phases in design, as well providing ongoing cyber security efforts once a vehicle has been purchased. While not all Best Practices lend themselves to software development opportunities, there are clearly takeaways from each of the seven functions that do. Let us explore the takeaways most likely to spark innovation from software solution developers.
Automotive Security Best Practices
The first function includes 5 best practices on which developers can capitalize. We will explore them one by one.
Best Practices suggests a layered security approach to automobile cyber security. While that can involve hardware and software solutions, it can also involve implementing security measures at various points within the smartphone-based telematics platform.
Although this places a burden on developers who would develop telematics platforms, it creates opportunity, as well. A layered approach to automotive cyber security provides opportunity in several areas, including:
- Security solutions that guard the phone-based telematics and infotainment platforms from vulnerabilities exposed elsewhere within the phone
- Firewall solutions that protect the vehicle onboard systems from security threats that may exist within the phone-based telematics and infotainment platforms
- Solutions that protect the telematics or infotainment platforms from vulnerabilities posed by 3rd-party apps
- Security solutions that protect the connected car and all components by focusing on the Internet gateway portal
Emphasize Secure Connections
Herein lies an opportunity to help both automakers and aftermarket vendors with development of specialized security solutions that target automobile Bluetooth and WiFi connections. Few such solutions currently exist, and the need will only grow as more and more mobile devices interact with connected car telematics and infotainment systems.
Limit Network Interaction
This Best Practice indicates the need to maintain separation of environments wherever possible. For example, third-party applications should be limited to interacting with the smartphone-based telematics and infotainment platforms, with limited or no access to the onboard OEM systems.
Can developers capitalize on this restriction? Developers working at the platform level can absolutely use this to their marketing advantage. By knowing that automakers will want 3rd-party applications to have limited access to onboard systems, developers can focus on developing platforms that inherently provide such protections.
Authenticate and Validate Software Upgrades
This Best Practice goes on to further suggest consideration of data privacy risks, and observance of consumer privacy protection principles.
What these mean for the developer is this: expect your applications to receive manufacturers’ validation before receiving initial acceptance, but also for your updates to be subject to validation. Further, expect acceptance to involve scrutinizing your applications to make sure they do not make users’ personal data vulnerable to unauthorized access.
Finally, manufacturers are concerned that the software they allow to run in their vehicles does not neglect consumer privacy protection principles. And, while the Best Practices does not specifically say so, you can be sure they do not want 3rd party applications violating consumer privacy protection laws, which already exist in both the U.S. and Europe.
Risk Assessment and Management
Monitor and Evaluate Risks Changes
A key takeaway from the Risk Assessment and Management function is the Best Practices principle of staying aware of changes in cyber security risks. This affects developers at the initial design stage of software they develop. As auto manufacturers monitor changes in cyber security threats, they will reflect those changes in their validation requirements. A 3rd party phone-based app that was validated and accepted last month may not be approved for an update, if that update is vulnerable to a recently discovered cyber threat. This Best Practices principle will have a significant effect on app development and platform software development.
Developers who demonstrate a track record of making their automotive applications and updates hardened against the most recent of threats are those who automakers will favor in the long run.
Threat Detection and Protection
Identify Threats and Vulnerabilities by Routine Scanning and Testing
Since automakers are interested in routinely testing onboard and 3rd party applications against emerging threats, there is the opportunity for developers to help them do just that.
Automakers will be looking for security solutions that can plunder all connected applications in search of vulnerabilities, and to do it in real time without adversely affecting application performance. Developers who can provide firewall and real-time threat detection solutions will carve out a lucrative market for themselves — especially if those solutions can effectively scan new apps as they are added.
Incident Response and Recovery
Contain Incident to Eliminate or Lessen Their Severity
Developers can find opportunity in helping automakers satisfy this principle. What is needed are solutions that isolate and disable non-critical connections when a threat is detected. Whether such solutions exist as features within broader applications, or as stand-alone firewalls, manufacturers are sure to be interested in what you bring to the table.
Collaboration and Engagement with Appropriate Third Parties
Build Partnerships and Collaborative Agreements
While this Best Practices principle has clear benefits for automakers, how developers can turn it into an opportunity for them might not be so obvious. However, the opportunity is quite apparent upon closer examination.
With whom will automakers be looking to forge “partnerships and collaborative agreements”? With other automakers, of course, but also with companies that can provide OEM and 3rd party cyber security solutions. Not all OEM platforms will be developed inhouse. Manufacturers are already showing willingness to outsource when it makes sense to do so. Developers who can provide robust, validatable solutions can seek their own partnerships and collaborative agreements with automakers.
How Ignite Can Help
Connected car technology opens up a whole new world for automakers and developers, alike.
But while manufacturers are looking to make the most of what IoT offers them, they are also keen on protecting their vehicles from cyber security threats. Not every developer will meet the stringent requirements that are sure to be placed upon all connected products. Only those who understand the full landscape and are able to deliver validatable solutions that meet Best Practices for automobile cyber security will be awarded opportunities.
Ignite are specialists in providing technology solutions for the automotive industry. With six R&D labs across Europe, we have the expertise in house to develop solutions that meet the most rigid security standards for connected car cyber security.
If your business model includes outsourcing your solutions to a world-class technology partner, why not contact us today? We offer custom development solutions at outsource prices.