When it comes to cyber security, there is no guarantee that you will never be hacked. Ultimately, it is impossible to create an exclusive system that will protect a connected vehicle or device entirely from any external threats. In order to overcome this issue, especially within the vehicle, there needs to be a holistic approach where the software is constantly updated to keep passengers as safe as possible, but there also needs to be an understanding of allowing compromise, with the modern-day-hacker capable of breaking into anything. Due to this, providers must create systems that are difficult to exploit, constantly monitoring systems to identify a threat early on and, most importantly, respond as quick as possible in order to ensure the safety of the driver and passengers. Speaking to Monique Lance, Argus’s Marketing Director, I get a better understanding as to how the automotive industry can tackle cyber threats and prevent them from getting in the way of connected car development. “In order to effectively protect against cyber-attacks, the industry needs to adopt a holistic approach that integrates cyber security into every stage of the vehicle’s lifecycle – from the concept and design stage right through to production and rollout,” she says.
Argus provides end-to-end solutions and services to car manufacturers and suppliers along the entire development process. Argus is involved from the concept stage through risk assessments and design reviews, as well as in the production stage with penetration testing to identify vulnerabilities, and through the integration of multi-layered in-vehicle cyber security solutions. Once the vehicle is on the road, Argus provides OEM and fleet managers with the ability to monitor the vehicle’s status, analyse potential attacks and emerging threats, and deliver security updates over-the-air (OTA) to immunise the fleet.
Cyber security has become a top priority in future mobility, with governments around the world setting new laws to protect consumers, through detection systems and layered defences. “Government legislation regulating automotive cyber security is increasing in both the US and the UK,” says Lance. “The US House of Representatives recently passed the SELF DRIVE Act (Bill H.R. 3388) which stipulates that any even partially automated vehicles sold, imported, or exhibited in the US must include intrusion detection and prevention systems and must be able to address ongoing threats.” Lance also tells me that, back in September, the National Highway Traffic Safety Administration (NHTSA) published its Vision for Safety, which calls for cyber security and instructs OEMs to incorporate the best practices and design principles published by NIST, NHTSA, SAE, Auto Alliance, ISAC and other relevant organisations. In addition, the European Automobile Manufacturers Association released its principles for automobile cyber security in October, which included the need for intrusion detection systems, incident response mechanisms, and a multi-layered defence.
“The bottom line is that in order to stay ahead of cyber threats both now and in the future, OEMs must be proactive; they need to take the wheel and work toward designing vehicle architecture with cyber security embedded at the onset,” stresses Lance.
In recent years, there has been a growing need for over-the-air software updates, which have the potential to overcome some of the biggest issues found within the development of the connected car. Lance says that as vehicles become increasingly connected and reliant on software to enable new innovations, there will be an increasing need to find cost-effective ways of keeping it up to date. “It is imperative that OEMs are equipped with the ability to close security gaps over-the-air and prepare for future cyber-attacks as hackers continuously become more sophisticated. The threats that we will face in the future are currently unimaginable – yet our vehicles must be prepared to defend against them.” Unlike the technology industry, which now sees product life cycles as low as a year, the automotive sector is used to manufacturing products that are used for almost 12 years on average. Because of this, OTA updates will allow these OEMs to secure the vehicle over its product lifecycle, protecting and updating it against new evolving cyber threats - and other problems such as glitches - without having to issue costly and time-consuming recalls.
The increased use of OTA updates in non-infotainment systems allows carmakers and software providers the ability to enhance the performance of vehicles and easily repair any issues found with the technology, which saves customers’ time and prevents the typical issues found within a mass recall. These constant security updates can rapidly solve security issues and mitigate the damage of potential attacks, whilst offering manufacturers the chance to add features and enhancements after the vehicle has left the factory, maintaining customer satisfaction and preventing the model from falling behind new technology. However, above all, developers must ensure that their software is completely safe before releasing it, which could delay the development of these innovations. Thus, it is so important to find a balance that allows a quick, yet safe, roll out. “When it comes to customer and public safety, cyber security is key and must be factored into production timelines,” says Lance. “However, with Argus’ help our customers are able to focus on their innovations and meet their project delivery dates while remaining vigilant about their cyber security. Through a suite of tailored consulting services, Argus helps integrate cyber security practices and processes into the entire product lifecycle.” Through this approach, customers can better understand the cyber threat landscape, significantly strengthen their cyber posture, and reduce their short and long-term exposure to cyber threats.
With the influx of information and technology entering the market, it is important for automotive companies to change their way of thinking and create environments where the technology can flourish in a safe and secure manner. By creating a standard, such as car-to-cloud data, vehicle security can be strengthened through a new ecosystem. “Car-to-cloud data standardisation will facilitate the off-line analysis of security events in response to incidents. However, standardisation will also make the relevant ECUs, TCUs and communication channel more vulnerable to attacks. Argus’ comprehensive solutions address these potential vulnerabilities, protecting the ECUs with Argus ECU Protection and the TCUs with Argus Connectivity Protection, and monitoring the entire in-vehicle network with Argus In-Vehicle Network Protection.”
There has already been a number of cyber-attacks on OEMs’ infotainment systems and, although you can accept that there will be some hiccups during initial testing, OEMs cannot justify putting consumers at risk. Unfortunately, Lance tells me, there is no silver bullet in cyber security. “Cyber security is new to the automotive industry and vehicles on the road today were not designed with cyber security in mind,” she adds. “To ensure that vehicles are protected against cyber-attacks, OEMs need a holistic three-tiered approach. First, Argus helps OEMs prevent attacks with multi-layered solutions, making it as hard as possible for attackers to penetrate the vehicle. Secondly, Argus enables the manufacturers to understand attacks with solutions that remotely monitor the cyber health of their vehicles and identify if a car is being hacked. Thirdly, it enables OEMs to respond to cyber-attacks by immunising the fleet and mitigating the damage within hours via OTA software updates.”
There needs to be an assumption from software specialists like Argus that a hacker will eventually penetrate a vehicle, and it’s not only infotainment systems that are vulnerable – attacks can penetrate the in-vehicle network through the OBD port, supply chain attacks and more. Argus has already demonstrated its ability to manipulate and even stop a moving vehicle via a third-party dongle made by Bosch, and both the Jeep and the Tesla hacks have shown that hackers are able to attack critical ECUs to stop vehicles in motion. “Our primary concern is protecting drivers and their vehicles, which is why we recommend that OEMs embed cyber security from the most initial stages of vehicle design,” adds Lance.
The automotive and technology industries have interlinked over the last few years and we are starting to see multiple joint-ventures between OEMs and software developers. Inevitably, these two industries will complement each other and bring mutual benefits for the parties involved in this shift. Technology is quickly moving towards the forefront of the modern-day vehicle, with the demand for software and infotainment systems overshadowing the efficiency of the vehicle. Lance explains that software is becoming one of the biggest enablers of innovation and autonomous mobility. “To remain competitive, traditional OEMs are becoming increasingly software-savvy and are opening up to non-traditional third-party software vendors that offer in-vehicle connectivity features, from vision technology and infotainment networks to cyber security,” she says. Argus is working with OEMs around the world to incorporate its cyber security solutions, which are based on dozens of granted and pending patents, allowing a seamless integration between the two companies.
This will drive further development in the connected car space, significantly improving infotainment and security within the vehicle and creating a new ecosystem for consumers to thrive in. Although there is much more to expect, we are experiencing a revolutionary shift into a new world of automation, whether that is autonomous software or general connectivity, so it is vital that all of these innovations are safe and secure. “I think that when it comes to automotive cyber security, the future is already here,” Lance believes. “Regardless of the level of connectivity, once a vehicle is connected it is vulnerable to cyber-attacks and an attack is potentially dangerous whether there is a driver or not.” Argus aims to provide protection throughout the lifespan of the vehicle and offer security to future vehicles through solutions that identify and block attacks, enable remote monitoring and analysis and offer the ability to deliver security and software updates. “Argus was founded with a vision to protect all vehicles against cyber-attacks and today we are working with major OEMs and suppliers around the world to make that vision a reality,” confirms Lance.