Automotive Cybersecurity: Meeting the High-Stakes Challenge

Transcription

1 The following is a customized excerpt from a VDC Research report Automotive Cybersecurity: Meeting the High-Stakes Challenge Licensed to Distribute By: Part of the Strategic Insights 2015 Security & The Internet of Things Research Program: Topic 2 By Steve Hoffenberg, Director, with Chris Rommel, Executive Vice President

2 1 Executive Summary Electronics continue to proliferate in automotive applications, such that the typical new car contains dozens of embedded systems. And a hacked car is among the nightmare scenarios for automakers and drivers alike. Security domains for hardware and software include: in-vehicle processors; local area and wide area communications; infotainment; remote software updating and management; and related applications. As Internet connectivity and electronic features proliferate in motor vehicles, cybersecurity threats will increase risks to both occupant safety and data privacy. The tiered nature of the automotive supply chain complicates efforts to design and build secure vehicles. Forthcoming vehicle-to-vehicle and vehicle-toinfrastructure communications technologies will introduce additional cybersecurity risks. A range of automotive hardware and software security solutions is already available with more in development. However, automakers will exacerbate the challenges of data security and privacy through their desire to monetize vehicle data. Key Findings Nearly one-third of new vehicles sold in 2015 had Internet connectivity through embedded cellular modems and/or smartphone interface, and by 2020, more than three-quarters of new vehicles will have such connectivity. The average new vehicle in 2015 contained 31 microprocessors, a number which will continue to rise in coming years but be partially offset by consolidation of multiple functions into individual processors. Fewer than 2% of in-vehicle microprocessors employed hardware security features in 2014, but VDC expects that portion to rise to 11% by IoT cloud services for the automotive market will rise from $1.1B in 2014 to $12.4B in 2020, presenting strong opportunity for cloud vendors and technology suppliers with expertise in both security and the automotive market.

3 1 The Automotive Market & Internet Connectivity According to figures from the Organisation Internationale des Constructeurs d Automobiles [International Organization of Motor Vehicle Manufacturers], the industry churned out 89.7 million cars, trucks, and buses in , and there are approximately 1.2 billion motor vehicles in use worldwide 2. Although there are cybersecurity risks from attackers who gain physical access to vehicles, such as through the OBD II (On-Board Diagnostics II) port present in all cars and light trucks built since 1996, by far the greater concern is from wireless remote hacking over the Internet. It s just plain scary to think that someone at a keyboard thousands of miles away could wrest control of a vehicle away from a driver at the steering wheel. Increasingly, vehicle manufacturers are including Internet connectivity for all the usual IoT benefits (usage data, system diagnostics, etc.) as well as telematics services (GPS, navigation, traffic information) and personal information and entertainment (text messaging, , streaming music, etc.). Many new vehicles contain embedded cellular modems for these functions. VDC estimates that approximately 19% of new motor vehicles sold in 2015 year have Internet connectivity via embedded cellular modem, and approximately 17% have Internet capability through cellular connectivity in the user s smartphone. Combined, 31% of new vehicles in 2015 have Internet connectivity by one or both methods. (The two types of connectivity are not mutually exclusive, as vehicles may have, for example, embedded connectivity for the carmaker to monitor and communicate vehicle system data and updates, while user infotainment content comes through the smartphone connection.) Today, these technologies are more prevalent in luxury cars and commercial vehicles, but we expect that each of these types of connectivity will trickle down to be included in more than half of all new cars by 2020, and altogether, more three-quarters of new vehicles in 2020 will include at least one of these technologies to have Internet connectivity For this forecast, VDC does not count vehicles that will have connectivity only via the European ecall emergency calling feature mandated for all new passenger cars sold in the region beginning April The ecall system will be dormant except in the event of a severe collision or by manual activation from the driver in the event of an emergency.

4 2 Exhibit 1: Percent of New Vehicles with Internet Connectivity, by Connection Type

5 3 Automotive Security is Less Than the Sum of its Parts In the case of automotive electronics, today s vehicles contain dozens of embedded microprocessors (MCUs, CPUs, and SoCs 4 ), as shown in Exhibit 2. Specific numbers per vehicle vary widely, and luxury cars tend to have the most. (One independent site estimates that a 2014 Tesla Model S electric car contains 64 microprocessors 5 not including sensors, more than double the industry average.) Exhibit 2: Average Number of Embedded Microprocessors per New Vehicle The number of electronic functions in vehicles is rising even faster than the number of microprocessors, but that functional rise is being partially offset by consolidation of multiple functions into individual processors, to contain costs not only for the processors but also for wiring, harnesses, connectors, and the like. Security Implications of Tiered Supply Chain One overarching challenge for vehicle manufacturers is due to the tiered supply chain of the automotive 4 MCU=Microcontroller Unit; CPU=Central Processing Unit; SoC=System on a Chip (An SoC is typically a CPU plus wireless radio, such as Bluetooth, Wi-Fi, or cellular modem.) 5

6 4 industry. Consumers tend to think of cars as being made by GM, Toyota, etc. In practice, the OEM carmaker is the lead designer and assembler of the final product, but not the actual manufacturer of most of the parts. The majority of parts are provided by contractors (Tier 1 suppliers), and the subcontractors to the contractors (Tier 2), and the subcontractors to those subcontractors (Tier 3). Each electronics supplier may (or may not) have designed its own subsystems to be secure based on certain common assumptions such as protocol standards and expectations of sensor inputs or embedded communications during normal vehicle functions. But vulnerabilities can slip into the cracks between the subsystems, and hackers don t necessarily abide by common assumptions. Only the vehicle OEM has the potential to observe in advance of production how the numerous electronic subsystems function in concert with one another, and how the overall system responds to many security threats. As VDC often puts it, to be secure, an embedded system not only has to do what it s supposed to do, it has to not do what it isn t supposed to do. That s much more difficult to accomplish when so many subsystems are interconnected with each other and by extension in connected vehicles, to the Internet. Long before the infamous Jeep hack of , which brought automotive cyber-threats to widespread public attention, this overall system-level security problem was documented by technology researchers from the University of California at San Diego and the University of Washington, who jointly established the Center for Automotive Embedded Systems Security (CAESS). Back in 2010, the group published a report 7 detailing how it successfully hacked numerous subsystems of a pair of test cars, including the ability to over a wireless link engage brakes as well as prevent braking while a vehicle was in motion. These hacks were highly involved to perform, and required extensive research and extended physical access to test multiple subsystems and later install connections to the OBD II port. Nevertheless, the group proved it could be done. The next year, CAESS published a follow-up report 8 describing additional hacks, noting in its analysis:...while each supplier does unit testing (according to the specification) it is difficult for the manufacturer to evaluate security vulnerabilities that emerge at the integration stage. Traditional kinds of automated analysis and code reviews cannot be applied and assumptions not embodied in the specifications are difficult to unravel. And those CAESS white hat hacks were before vehicles had built-in Internet connectivity. With the addition of such connectivity, the complexity of embedded systems, the security challenges, and the potential attack vectors rise dramatically. 6 Hackers Remotely Kill a Jeep on the Highway With Me in It, Andy Greenberg, Wired, July 21, Experimental Security Analysis of a Modern Automobile, Koscher et al., Comprehensive Experimental Analyses of Automotive Attack Surfaces, Checkoway et al., 2011.

7 5 Securing Functional Safety In a general sense, functional safety ensures that in order to reduce the chances of human injury a safetycritical system will operate properly and/or in a safe manner, even when confronted with adverse conditions, conflicting signals, or partial failure of hardware or software. In motor vehicles, functional safety can include redundant systems to take over in case of primary system failure, as well as fail-safe limp home modes, and intelligent implementations (e.g. power windows systems that will stop going up if they encounter resistance, and processing systems that detect spoofed inputs). The term can apply to the workings of any functional component, such as the engine, brakes, steering, airbags, door locks, etc. The functional safety of most electrical and electronic automotive systems today comes under the ISO standard, which encompasses not only the finished product (the vehicle and its subsystems), but the processes by which the systems are designed, developed, produced, and serviced. However, ISO does little to address security of functional systems. Although some of the principles and best practices contained in the standard will have the effect of reducing security risks, ISO is not intended to directly address resistance to willful attempts to circumvent safety measures. As such, a vehicle that is compliant with ISO is not necessarily secure. In other words, functional safety does not equal security. The concepts and procedures for designing security into functional automotive systems are not materially different than for other product categories, but their implementations are more complex (and their consequences are greater). They imply rejection of external attempts to adversely influence functional safety, while not themselves compromising that safety.

8 6 Securing Personal Data The task of securing functional automotive systems is largely a technological challenge, as is securing data while its internal to the vehicle. However, securing data once it s external of the vehicle is both a technical challenge as well as a significant business challenge. The technical challenge encompasses the prevention of hackers from accessing and misusing personal data. Just as smartphones have become treasure chests of personal information including many financial transactions, connected vehicles will take on similar characteristics. Cars can conceivably communicate credit card or other payment data to content providers, toll systems, parking lots, gas pumps or electric chargers, etc., making vehicle data potential targets of organized and sophisticated groups of financially motivated hackers. The significant business challenge arises because OEMs have an ulterior motive, namely a cut of revenue that can be generated from vehicle data by offering authorized access to third parties. By doing so, the OEMs have the responsibility of maintaining data privacy, not only by anonymizing it and securing it from unauthorized access, but also by ensuring that parties authorized to access it don t misuse it for unauthorized purposes. (Which parties can do what with user data is a frequent topic for discussion among IoT providers. For more on the topic, see a previously published VDC View document entitled, Beyond Who Owns the Data? 9 ) Regulators also need to ensure that data privacy technologies don t prevent independent repair shops from accessing relevant data about the performance or status of vehicle systems. (In the US and some other countries, such access is required by so-called Right to Repair laws.) However, distinguishing between legitimate repair shops and hacker storefronts is not necessarily a simple task. Much of the access to personal data from vehicles will occur in the cloud, secured by the same types of technologies developed to protect cloud and conventional enterprise/it databases. In that VDC sees opportunity for cloud respect, the automotive market is not unique, although VDC sees services vendors to develop platforms optimized for the opportunity for cloud services vendors to develop platforms optimized needs of the automotive market. for the needs of the automotive market, including designated levels of data access, dashboards, and analytics for OEMs, Tier suppliers, dealerships, and vehicle owners. Covisint and Elektrobit are examples of vendors offering this type of cloud platform for the automotive market. 9 Beyond Who Owns the Data? is available for free download from VDC Research (registration required)

9 7 Conclusion Because much of automotive security is software-based, the supply chain is more complicated and interwoven than the supply chain for physical parts, although the Tier 1 parts suppliers still play a crucial role. Opportunities for startups are often limited by regulatory and performance requirements, as well as the need to have their technologies accepted across the ecosystem. Established vendors from other vertical markets seeking to grow their presence in the automotive industry often face hurdles (albeit surmountable ones) in the form of entrenched partnerships and business relationships. Nevertheless, new ideas and technologies can succeed if they offer solutions to existent or commonly anticipated problems. Everyone in the automotive ecosystem carmakers, suppliers, dealers, and users needs to understand the importance of cybersecurity for the sake of both vehicle safety and data privacy. Ultimately, the carmakers must take the leadership role in steering the industry toward improved security, but the elements of security have to be taken into account at every step of the design and production processes, requiring a wellorganized and ongoing approach that continues long after vehicles are driven off the lot.

10 8 VDC Research About the Authors Steve Hoffenberg is a leading industry analyst and market research professional for Internet of Things technology. He has more than two decades of experience in market research Contact Steve: and product management for technology products and shoffenberg@vdcresearch.com services. Prior to joining VDC, he spent 10 years as Director of Consumer Imaging and Consumer Electronics Research at the firm Lyra Research, where he led industry advisory services providing extensive market research on consumer technology trends, user adoption, market sizing, marketing strategy, and competitive analysis for major consumer electronics manufacturers. Previously, he worked in product management for electronic design companies that developed and licensed embedded digital imaging and audio products. Steve holds an M.S. degree from the Rochester Institute of Technology and a B.A. degree from the University of Vermont. Chris Rommel is responsible for syndicated research and consulting engagements focused on development and deployment solutions for intelligent systems. He has helped a wide variety of clients respond to and capitalize on the leading trends impacting next-generation device markets, such as security, the Internet of Things, and M2M connectivity, as well as the growing need for system-level lifecycle management solutions. Chris has also led a range of proprietary consulting projects, including competitive analyses, strategic marketing initiative support, ecosystem development strategies, and vertical market opportunity assessments. Chris holds a B.A. in Business Economics and a B.A. in Public and Private Sector Organization from Brown University. About VDC Research Founded in 1971, VDC Research provides in-depth insights to technology vendors, end users, and investors across the globe. As a market research and consulting firm, VDC s coverage of AutoID, enterprise mobility, industrial automation, and IoT and embedded technologies is among the most advanced in the industry, helping our clients make critical decisions with confidence. Offering syndicated reports and custom consultation, our methodologies consistently provide accurate forecasts and unmatched thought leadership for deeply technical markets. Located in Natick, Massachusetts, VDC prides itself on its close personal relationships with clients, delivering an attention to detail and a unique perspective that is second to none.