Securing the connecting car
Often dubbed a 'data centre on wheels,' the connected car is one of the fastest-growing markets in the ecosystem that makes up the Internet of Things (IoT). The convergence of IoT and in-vehicle technologies, like remote diagnostics, on-board GPS, collision avoidance systems and 4G LTE WiFi Hotspots, has paved the road for new and exciting opportunities in this industry.
Author: Shaun Kirby, Director, Automotive and Connected Car, Cisco
In fact, the connected car market is expected to reach $155bn by 2022, while 75% of the estimated 92m cars shipped globally in 2020 will be built with internet connectivity.
As the market grows, the biggest opportunity for profit comes from the ongoing services that can be offered and the ongoing revenue that subscriptions to these services can create. Although this is where the value lies, many consumers who purchase connected cars have been hesitant to 'turn on' their connected services.
Recent statistics tell the story. A 2016 Spireon survey showed that consumers are interested in connected cars (especially those with safety features), but 54% said they have not actually used connected car features. Similarly, Kelly Blue Book found that 42% of consumers support cars becoming more connected, while 62% said they fear that cars in the future will be easily hacked.
Securing the connected car at each step of the vehicle’s lifecycle
Security must be a top priority – from the design of the vehicle, to the time the driver takes the wheel, and beyond – to improve adoption rates and drive profits. The key to securing the connected car’s vast, potential “attack surface” is enabling the right levels of connectivity at the right times.
In addition to knowing when connectivity should be on or off, it’s also critical to know what a vehicle should be allowed to do with that connectivity at different stages throughout its lifecycle. Automating this knowledge and ensuring proper connectivity to match each vehicle state is crucial to end-to-end security; it eliminates the need to manually track and monitor connectivity - a complex task when you’re shipping millions of vehicles around the world.
These are the steps of connectivity in securing each step of the connected car’s lifecycle:
- Vehicle design: Auto manufacturers must ensure the right technologies – such as in-vehicle routing, security, IoT connectivity and more – are designed into the vehicle from day one. OEMs must consider the types of services they want to enable throughout the life of the car, choose the right connectivity partner and management platform, and design features into the vehicle accordingly. If these features aren’t designed and integrated into the vehicle correctly, there is a greater risk for security issues later on down the road. For example, some manufacturers are designing connected cars with in-vehicle video capture capabilities and even the ability to measure biometrics, with the intention of using the collected data to improve and personalise the customer experience (if the user opts in). If a competitor or a malicious user hacks into these data streams, a great deal of information about the manufacturer’s fleet and their customers is exposed.
- Manufacturing: Connectivity and security need to be engrained in the manufacturing process itself. Auto manufacturers must have converged networking and IoT solutions to automate manufacturing operations, mitigate risk and maximise uptime on the factory floor. Connectivity of mission-critical machines can enable zero downtime (which is vital when every minute of downtime on the factory floor costs $20,000) and therefore, enables more efficient manufacturing of connected cars. Further, OEMs can tap into data they collect to improve quality and produce a more reliable vehicle. There is also a safety aspect here, as manufacturers can use smart, real-time sensing and analytics to address safety and security concerns on the plant floor, and even use IoT and wearables to monitor health of employees and their locations. Access to this information must be limited only to authorised personnel.
- Testing: With connected cars, the ability to test and verify that connected services are working before the vehicle leaves the factory (and then being able to turn those connected services off during shipping) is required to reduce defective vehicles. In this stage, manufacturers must test each individual service before shipment, paying extra attention to services that deliver real-time updates to the driver, such as 3D maps, traffic or weather applications. If any of these are hacked or sabotaged during the car’s lifecycle, it can jeopardise the driver’s safety and even lead to an accident.
- Shipping: Once testing is complete and the vehicle is ready for shipment, the ability to automate connectivity is essential. While vehicles are in shipping containers, manufacturers must be able to automatically disable connected services, while maintaining the ability to track vehicles during their journey. This prevents the abuse of connected services while vehicles are en route to the dealership. Remember: if a hacker can sabotage the vehicle during shipment from the OEM to the dealer, they could potentially plant a back door and obtain access to sensitive data during the car’s life. For example, the SIM card in the car's telematics system is especially vulnerable during shipment; and if tampered with, can lead to a whole list of security issues. While some automakers physically protect the SIM card, it is more efficient to protect it via automated rules. The OEM can apply a rule that when the vehicle is in transport, communications are completely shut off – thereby preventing illicit use of the car’s connection and deterring on-board hackers.
- Demoing: Once the vehicle arrives at the dealership, it is time to turn connectivity back on. Again, an automated system allows OEMs to safely resume connection so that salespeople can demonstrate all the services and devices to potential buyers. During this time, security measures are needed to prevent theft, hijacking or illicit remote control of vehicles. For example, information like the VIN is used to register the vehicle to a new owner’s mobile app. If security is weak, anyone who could have recorded that VIN while visiting the showroom could later use it to control or possibly even steal the vehicle. Proper certificate-based security architecture can help prevent this situation.
- Post-purchase – maintenance and aftermarket: Connected cars allow for proactive, predictive maintenance based on real-time data. Over-The-Air (OTA) software updates help secure this information and provide patches and bug fixes to prevent data breaches. Moreover, the connected car is opening up new opportunities for aftermarket sales as companies move to leverage the vehicle’s connectivity to deliver their own connected services. Undoubtedly, the growth of aftermarket connected services is stirring up additional security concerns, so creating the right security standards and partnering with aftermarket solution providers and third-party security experts will be key in keeping vehicles safe.
The future of the connected car
The connected car is no longer science fiction – it is here today and can provide consumers with a secure, safe, reliable and enriched driving experience. However, to do so requires close attention to security and connectivity at each step of the vehicle’s lifecycle.
Ultimately, the ability to secure data that a vehicle generates comes down to constantly identifying and monitoring how that data should be used. To streamline these efforts, automakers should partner with security experts and invest in IoT connectivity management platforms that are capable of automating how and when a vehicle connects, and what the vehicle is allowed to do with that connection.
With new devices, connections and data points arising every day, no single party is 100% responsible for connected car security. Everyone – from the OEM, to the dealership, to the bank that enables automated payments, to the developers of aftermarket services – must do their part to keep cars safe, consumers happy and our 'data centres on wheels' rolling securely.