Post on 12-Apr-2017
• A presentation given at How the Internet of Things is Changing Cyber Security - an event organised by Optimise Hub (Portsmouth University) on January 26th 2017 at Havant.
• This talk describes the issues relating to cybersecurity of Connected Cars and Autonomous Vehicles.
• It is a perfect case study in the challenge of achieving cybersecurity on a massive scale.
OptimiseHub University of Portsmouth
25/01/2017 © 2017 Astius Technology Systems Ltd 2
About your presenter
Bill Harpley
bill.harpley@astius.co.uk
Bill Harpley MSc
• 30+ years' experience working in the technology sector
• Founder of Astius Technology
• Organiser of Brighton IoT Forum meetup group (740+ members)
• Event organiser for the Self Driving and Autonomous Vehicles meetup group
• Innovation consultancy
• Internet of Things
• Blockchain
• Wireless Technology
• Cybersecurity
• New Business Thinking
• Digital Business Strategy
• New Business Models
• Disruptive Innovation
• Training and Skills
Route for today
1. Why this topic is important
2. What we mean by ‘Connected Cars and Autonomous Vehicles’
3. Identify the major known cyber-risks
4. Explore the challenges of finding a scalable cybersecurity solution
A century of innovation
• Both the Model-T of 1910 and the Tesla electric car of 2016 represent truly transformational technologies.
• Expect the evolution from ‘manual’ to ‘connected’ vehicles to be every bit as revolutionary as the shift away from ‘horse powered’ transport more than a century ago.
The Opportunities
• Connected Cars market represents major growth opportunity
– Markets & Markets estimate it will be worth $47 billion by 2020 (~£38 billion at today’s rate)
– PwC estimate it will be worth £120 billion by 2022
• Greater public safety
– WHO state there were 1.25 million road deaths globally in 2013
– More than 200,000 people die through traffic accidents in China alone!
• Tremendous spur to R&D and product innovation on a global basis
– Nothing like this since ‘space race’ of the 1960s
The story so far …
Society of Automotive Engineers: standard SAE J3016 defines six classes of vehicle automation.
Levels of Vehicle Automation
Here is a summary of the SAE J3016 automation levels:
Technology Timeline
Multiple generations of technology will co-exist on our roads for many years.
ADAS in Action
• ‘Tesla Autopilot predicts collision ahead seconds before it happens’
– Dashcam recording from within a Tesla car of road incident in the Netherlands
– http://www.kurzweilai.net/tesla-autopilot-predicts-collision-aheads-seconds-before-it-happens
• Thanks to @HansNoordsij, an enthusiastic champion of Tesla Model S and Nissan Leaf
Attackers have many Faces
http://opengarages.org/handbook/2014_car_hackers_handbook_compressed.pdf
• Organised criminal gangs intent on theft of personal data and deploying “ransomware”
• State-sponsored actors, terrorists and political ‘hacktivists’
• Small-time crooks intent on stealing vehicles and property
• “Curiosity driven” attacks (e.g. car owners ‘tweaking’)
It’s complicated …
Example: Ford F150 ‘smart’ pickup truck
• 150 million lines of software code
• Multiple ‘Electronic Control Units (ECUs)’
• Numerous potential points of attack
Complexity is the enemy of security!
Examples of Risks
• Unauthorised access to vehicles: Keyless door entry systems use mobile apps or electronic key-fobs
• Theft of personal information: Owner details, GPS logs, Credit Card info, etc.
• ‘Hijacking’ of individual vehicles: Feasibility demonstrated by ‘Jeep hack’ (2015)
• Creation of mobile ‘bots’: Vehicle software compromised by hackers and used to launch cyber-attacks
• Installation of ‘ransomware’: Victims must pay money to regain control of their vehicles
A first look at the problem
KEY
• V2V: Vehicle-to-Vehicle
• V2I: Vehicle-to-Infrastructure
• V2P: Vehicle-to-Person
• V2X: Vehicle-to-Everything
[Diagram labels: V2V, V2I, V2P, V2X, GPS, Phone-to-Car, Data Storage, Data Analytics, The Cloud, Back Office (Billing, Provisioning, Operations, Cybersecurity)]
• End-to-end Security
• Myriad of attack points
• Myriad of Stakeholders
In-vehicle systems
[Diagram labels: Manual controls, Driver-assisted]
Many types of threats:
• GPS jamming
• Malware infection via smartphone apps
• Wireless hacking (e.g. door security)
Vehicle-to-Vehicle (V2V)
[Diagram labels: Radar for hazard detection, Status message]
Vehicles transmit status messages to each other to improve traffic flows and increase safety.
• “Traffic jam ahead”
• “I have just put the brakes on”
• “Ice on the road ahead”
V2V messages must be securely transmitted and processed.
• Reliable
• Encrypted
• Authenticated
• Ensure privacy (no tracking)
Secure these wireless links
Vehicle-to-Infrastructure (V2I)
ROADSIDE UNITS
Status messages can be transmitted from kerbside infrastructure to warn of delays, hazards or provide useful advice to travellers.
• “Spaces available in Broad Street car park”
• “Road works ahead”
• “Traffic lights not working at junction ahead”
• “Road ahead closed. Turn left at junction”
Secure these wireless links
Vehicle-to-Person (V2P)
• Pedestrians and joggers
• Horses (and other animals)
• Cyclists, scooter riders and other 2-wheeled transport
Non-vehicular road users can indicate their presence by sending status messages to oncoming vehicles.
Secure these wireless links
Vehicle-to-Everything (V2X | V-LTE)
Cellular Operator
• V2X developed by 3GPP (organisation which develops Cellular technology standards)
• Not likely to be available until 2018 at the earliest
• Aims to provide all the functions of V2V, V2P and V2I
• UK has relatively poor 4G coverage!
• Would vehicle owners be able to choose which MNO to subscribe to?
• Would government license infrastructure as a concession?
• Would key roads be privatised to facilitate use of V2X?
Leverages security of Cellular network
A second look at the problem
KEY
• V2V: Vehicle-to-Vehicle
• V2I: Vehicle-to-Infrastructure
• V2P: Vehicle-to-Person
• V2X: Vehicle-to-Everything
[Diagram labels: V2V, V2I, V2P, V2X, GPS, Phone-to-Car, Data Storage, Data Analytics, The Cloud, Back Office (Billing, Provisioning, Operations, Cybersecurity)]
• Myriad of attack points
• Myriad of Stakeholders
• Potential vulnerabilities within Service Provider networks and Back Office functions
Cybersecurity at scale
So far, we have just considered a handful of vehicles. But how do we make cybersecurity scale to encompass a huge number of stakeholders?
• Cities
• Major routes
• Nation states
• Major regions
How do we scale this up?
National Cybersecurity Strategy
[Diagram labels: Electricity, Telecoms, Transport, Local Government, Central Government, Infrastructure Owners, Infrastructure Operators]
1. Promote cybersecurity initiatives within Automotive industry
2. Promote partnership and dialogue between infrastructure owners and operators
3. Plan for Connected and Driverless vehicles within a national cybersecurity framework.
Cybersecurity industry has major leadership role in facilitating these conversations.
Automotive Industry
• Drive to improve software quality
• Publication of automotive cybersecurity standard SAE J3061
• Provision of Over-the-air software updates to cars
• Sharing of cybersecurity expertise via AUTO-ISAC
• Automotive industry has started to take cybersecurity seriously
• Many important initiatives have been launched
Let’s talk about Infrastructure
Cyber-attacks could cause:
• Traffic gridlock
• Economic losses
• Accidents and loss of life
• Massive insurance claims
• Political repercussions
Integrate with other forms of transport!
• Who owns the infrastructure?
• Who pays for the infrastructure?
• Legal and regulatory barriers to co-operation?
Clear need for common approach to protecting infrastructure, data and services.
The Policy of Government
• CPNI: Centre for the Protection of National Infrastructure
• NCSC: National Cyber Security Centre
• Department of Transport
These websites are silent about cybersecurity for Connected and Driverless vehicles.
This document has nothing to say about cybersecurity for Connected and Driverless vehicles.
We may conclude that H.M. Government has no coherent strategy for dealing with this issue!
How do we compare?
• Very active program of research and development
• Have conducted open discussions about vehicle cybersecurity for several years now
• Sept. 2016 announced formal policy on Autonomous Vehicles
• All documents can be freely downloaded from website
• Formal cybersecurity strategy since 2013
• Has funded numerous research projects
• Published research into cybersecurity of vehicles
• Hosts a Cars and Roads Security (CarSEC) Experts Group
• All documents can be freely downloaded from website
UK lags well behind in terms of developing cybersecurity strategy for Connected and Autonomous vehicles.
Conclusions
1. Connected and Autonomous Vehicles are a great opportunity.
2. It will take several decades to build the necessary infrastructure.
3. It’s not clear who will build and operate the infrastructure.
4. We can only speculate what kind of cyber-attacks may happen.
5. The automotive industry is building capability in cyber-security.
6. Dialogue needed between infrastructure owners and operators.
7. Major challenge to plan, deploy & manage large scale cybersecurity.
8. UK Government appears to have no coherent strategy in place.