Connected & Autonomous vehicles: cybersecurity on a grand scale v1

Connected Cars & Autonomous Vehicles A case study of Cybersecurity on a Grand Scale


• A presentation given at How the Internet of Things is Changing Cyber Security - an event organised by Optimise Hub (Portsmouth University) on January 26th 2017 at Havant.

• This talk describes the issues relating to cybersecurity of Connected Cars and Autonomous Vehicles.

• It is a perfect case study in the challenge of achieving cybersecurity on a massive scale.

OptimiseHub University of Portsmouth

25/01/2017 © 2017 Astius Technology Systems Ltd 2

About your presenter

Bill Harpley MSc

• 30+ year experience working in the technology sector

• Founder of Astius Technology

• Organiser of Brighton IoT Forum meetup group (740+ members)

• Event organiser for the Self Driving and Autonomous Vehicles meetup group

• Innovation consultancy

• Internet of Things

• Blockchain

• Wireless Technology

• Cybersecurity

• New Business Thinking

• Digital Business Strategy

• New Business Models

• Disruptive Innovation

• Training and Skills

astius technology


Route for today

1. Why this topic is important

2. What we mean by ‘Connected Cars and Autonomous Vehicles’

3. Identify the major known cyber-risks

4. Explore the challenges of finding a scalable cybersecurity solution


The future promise of Connected Cars


A century of innovation

• Both the Model-T of 1910 and the Tesla electric car of 2016 represent truly transformational technologies.

• Expect the evolution from ‘manual’ to ‘connected’ vehicles to be every bit as revolutionary as the shift away from ‘horse powered’ transport more than a century ago.

The Opportunities

• Connected Cars market represents major growth opportunity

– Markets & Markets estimate it will be worth $47 billion by 2020 (~£38 billion at today’s rate)

– PwC estimate it will be worth £120 billion by 2022

• Greater public safety

– WHO state there were 1.25 million road deaths globally in 2013

– More than 200,000 people die through traffic accidents in China alone!

• Tremendous spur to R&D and product innovation on a global basis

– Nothing like this since ‘space race’ of the 1960s


The story so far …

Society of Automotive Engineers: standard SAE J3016 defines six classes of vehicle automation.


Levels of Vehicle Automation


Here is a summary of the SAE J3016 automation levels:

Technology Timeline

Multiple generations of technology will co-exist on our roads for many years.


ADAS in Action

• ‘Tesla Autopilot predicts collision ahead seconds before it happens’

– Dashcam recording from within a Tesla car of road incident in the Netherlands

– http://www.kurzweilai.net/tesla-autopilot-predicts-collision-aheads-seconds-before-it-happens

• Thanks to @HansNoordsij, an enthusiastic champion of Tesla Model S and Nissan Leaf

Vehicle Cybersecurity: what’s the problem?


Attackers have many Faces

http://opengarages.org/handbook/2014_car_hackers_handbook_compressed.pdf

• Organised criminal gangs intent on theft of personal data and deploying “ransomware”

• State-sponsored actors, terrorists and political ‘hacktivists’

• Small-time crooks intent on stealing vehicles and property

• “Curiosity driven” attacks (e.g. car owners ‘tweaking’)

It’s complicated …

Example: Ford F150 ‘smart’ pickup truck

• 150 million lines of software code

• Multiple ‘Electronic Control Units (ECUs)’

• Numerous potential points of attack

Complexity is the enemy of security!

Examples of Risks

• Unauthorised access to vehicles: Keyless door entry systems use mobile apps or electronic key-fobs

• Theft of personal information: Owner details, GPS logs, Credit Card info, etc.

• ‘Hijacking’ of individual vehicles: Feasibility demonstrated by ‘Jeep hack’ (2015)

• Creation of mobile ‘bots’: Vehicle software compromised by hackers and used to launch cyber-attacks

• Installation of ‘ransomware’: Victims must pay money to regain control of their vehicles

A first look at the problem

KEY: V2V = Vehicle-to-Vehicle; V2I = Vehicle-to-Infrastructure; V2P = Vehicle-to-Person; V2X = Vehicle-to-Everything

[Diagram labels: V2V; V2I; V2P; V2X; GPS; Phone-to-Car; Data Storage; Data Analytics; The Cloud; Back Office; Billing; Provisioning; Operations; Cybersecurity]

End-to-end Security

Myriad of attack points

Myriad of Stakeholders

In-vehicle systems

Manual controls Driver-assisted

GPS jamming

Malware infection via smartphone apps

Wireless hacking (e.g. door security)

Many types of threats

Vehicle-to-Vehicle (V2V)

Radar for hazard detection

Status message

V2V messages must be securely transmitted and processed.

• Reliable

• Encrypted

• Authenticated

• Ensure privacy (no tracking)

Vehicles transmit status messages to each other to improve traffic flows and increase safety.

• “Traffic jam ahead”

• “I have just put the brakes on”

• “Ice on the road ahead”

Secure these wireless links

Vehicle-to-Infrastructure (V2I)

ROADSIDE UNITS: Status messages can be transmitted from kerbside infrastructure to warn of delays, hazards or provide useful advice to travellers.

• “Spaces available in Broad Street car park”

• “Road works ahead”

• “Traffic lights not working at junction ahead”

• “Road ahead closed. Turn left at junction”

Secure these wireless links

Vehicle-to-Person (V2P)

Non-vehicular road users can indicate their presence by sending status messages to oncoming vehicles:

• Pedestrians and joggers

• Horses (and other animals)

• Cyclists, scooter riders and other 2-wheeled transport

Secure these wireless links

Vehicle-to-Everything (V2X | V-LTE)

Cellular Operator

• V2X developed by 3GPP (organisation which develops Cellular technology standards)

• Not likely to be available until 2018 at the earliest

• Aims to provide all the functions of V2V, V2P and V2I

• UK has relatively poor 4G coverage!

• Would vehicle owners be able to choose which MNO to subscribe to?

• Would government license infrastructure as a concession?

• Would key roads be privatised to facilitate use of V2X?

Leverages security of Cellular network


A second look at the problem

KEY: V2V = Vehicle-to-Vehicle; V2I = Vehicle-to-Infrastructure; V2P = Vehicle-to-Person; V2X = Vehicle-to-Everything

[Diagram labels: V2V; V2I; V2P; V2X; GPS; Phone-to-Car; Data Storage; Data Analytics; The Cloud; Back Office; Billing; Provisioning; Operations; Cybersecurity]

Myriad of attack points

Myriad of Stakeholders

Potential vulnerabilities within Service Provider networks and Back Office functions

Vehicle Cybersecurity: the challenge ahead


Cybersecurity at scale

So far, we have just considered a handful of vehicles. But how do we make cybersecurity scale to encompass a huge number of stakeholders?

• Cities

• Major routes

• Nation states

• Major regions

How do we scale this up?

National Cybersecurity Strategy

• Electricity

• Telecoms

• Transport

• Local Government

• Central Government

• Infrastructure Owners

• Infrastructure Operators

1. Promote cybersecurity initiatives within Automotive industry

2. Promote partnership and dialogue between infrastructure owners and operators

3. Plan for Connected and Driverless vehicles within a national cybersecurity framework.

Cybersecurity industry has major leadership role in facilitating these conversations.

Automotive Industry

• Automotive industry has started to take cybersecurity seriously

• Many important initiatives have been launched

– Drive to improve software quality

– Publication of automotive cybersecurity standard SAE J3061

– Provision of Over-the-air software updates to cars

– Sharing of cybersecurity expertise via AUTO-ISAC

Let’s talk about Infrastructure

Cyber-attacks could cause:

• Traffic gridlock

• Economic losses

• Accidents and loss of life

• Massive insurance claims

• Political repercussions

Integrate with other forms of transport!

Who owns the infrastructure?

Who pays for the infrastructure?

Legal and regulatory barriers to co-operation?

Clear need for common approach to protecting infrastructure, data and services.

The Policy of Government

• CPNI: Centre for the Protection of National Infrastructure

• NCSC: National Cyber Security Centre

• Department of Transport

These websites are silent about cybersecurity for Connected and Driverless vehicles

This document has nothing to say about cybersecurity for Connected and Driverless vehicles

We may conclude that H.M. Government has no coherent strategy for dealing with this issue!

How do we compare?

• Very active program of research and development

• Have conducted open discussions about vehicle cybersecurity for several years now

• Sept. 2016 announced formal policy on Autonomous Vehicles

• All documents can be freely downloaded from website

• Formal cybersecurity strategy since 2013

• Has funded numerous research projects

• Published research into cybersecurity of vehicles

• Hosts a Cars and Roads Security (CarSEC) Experts Group

• All documents can be freely downloaded from website

UK lags well behind in terms of developing cybersecurity strategy for Connected and Autonomous vehicles.


Conclusions

1. Connected and Autonomous Vehicles are a great opportunity.

2. It will take several decades to build the necessary infrastructure.

3. It’s not clear who will build and operate the infrastructure.

4. We can only speculate what kind of cyber-attacks may happen.

5. The automotive industry is building capability in cyber-security.

6. Dialogue needed between infrastructure owners and operators.

7. Major challenge to plan, deploy & manage large scale cybersecurity.

8. UK Government appears to have no coherent strategy in place.


Questions and Answers?

Hack me if you can!
