By Joe Robertson , Director of Information Security and EMEA CISO at Fortinet
The digital automotive experience is revving up for some big changes, from online vehicle shopping, to configuring auto systems, to maintenance, manufacturing, and shipping. The advent and availability of 5G can help assure the required high-speed digital links for autonomous and semi-autonomous vehicles. But that’s not all. 5G is also creating a revolution in industrial automotive systems, as today’s vehicles can be manufactured and shipped faster and more easily than ever. However, the growing number of sensors, actuators, probes, machine connectivity, and the high density of connections (including robots)—all connected through 5G—opens new attack surfaces that need to be addressed.
These new attack vectors are partially a result of the complex ecosystem of vendors and partners that supply the software and systems that build connected smart cars. At the same time, the real-time nature of driving also means that the computing required to manage on-board systems and interoperate with GPS, smart transportation systems, or other cars on the road, will happen both at the edge (meaning, in the car itself) and in the cloud. This simply widens the scope of the risk of interference and intrusion that needs to be accounted for.
Autonomous and connected vehicles are the perfect example of the compute edge in action. And given the safety issues for passengers in the connected vehicle as well as in the vehicles around it, the need for connected car security at the edge—that can function at 5G speeds—should be the first and foremost consideration. Securing the smart car and all its data, while also providing reliable and secure connectivity from the car to the cloud, is critical. Without security and connectivity working together as an integrated system, automotive companies are open to significant brand reputational risk. And worse, customers could even be putting their lives on the line.
First Gear: Connectivity with an Autonomous Vehicle
To start, the production and manufacturing of vehicles needs to be protected, especially as operational technology (OT) and information technology (IT) convergence becomes the norm. The challenge is that many legacy OT systems cannot afford any downtime and are highly sensitive to any sort of disruption; many systems are irregularly and infrequently patched. As a result, OT systems often lack consistent protection or single-lens visibility. Inconsistent corporate security policy implementation and governance only adds to the problem. In this environment, being able to protect every integration point across IT and OT to boost connected car security, even as interconnectedness increases, is a challenge.
Fortunately, the way auto manufacturers deal with their original equipment manufacturers (OEMs) is evolving. Traditionally, the manufacturer would turn to suppliers to design whole systems: brakes by one, the transmission by another, satellite nav systems by yet another. All these systems were farmed out to subcontractors, and the manufacturer took responsibility for assembling the pieces. However, with this piecemeal approach, the systems that operate the vehicle, engine, transmission, system gauges, fuel and safety systems, cameras, radar and more, might all run on different operating systems. This resulted in disparate and disconnected systems that were not able to efficiently collaborate or communicate with one another and are more challenging to secure.
Over the last decade we have seen a change. Auto manufacturers see value for the customer when all of these solutions work together, creating a truly integrated experience. Software is the critical component and requires building connectivity and security directly into the system from the start, in the development, testing, and production phases, rather than a bolt-on solution applied at the end of the process.
Second Gear: Data with an Autonomous Vehicle
Once these connected and autonomous vehicles are on the road, manufacturers need to continuously gather information from these “rolling data centers.” Vehicle data is collected and poured into a giant data lake, which the manufacturer uses to identify issues before they become critical. Since these autonomous vehicles run on compute power, they bring with them all the challenges of enterprise data systems— such as bandwidth, reliability, visibility, and, of course, cyberthreats, whether from malicious criminals or industrial espionage. Today, given current security trends, holding a vehicle for ransom is not out of the question.
Reliable, secure connectivity back to the cloud is critical to protecting customers, delivering the best user experiences, and protecting revenue streams. These cloud connections are crucial. This data is the only way to truly understand how vehicles are used, which leads to new insights and the development of premium customer experiences. Automotive manufacturers need to establish their own cloud platforms for data collection, processing, and provisioning. By keeping the in-car experience within their control, while protecting connected cars and their data, they can leverage car telemetry data to monetize and provide a differentiated, premium in-car experience.
But none of this will work without security. So, what is the best approach to ensure effective connected car security? The first step is integrating systems and software. This requires steering disparate vendors and solutions into a unified and broadly deployed platform that weaves security, connectivity, and networking into a single solution.
Third Gear: Unification with an Autonomous Vehicle
In the connected-car industry, as elsewhere, software systems are now core to the business. Reliable connectivity and security of vehicles is important. It is possible to achieve powerful connectivity and integration between the vehicles that create the data, the cloud that processes it, and the applications that leverage it, resulting in continuous improvement and optimum user experience. In this scenario, automation, visibility, and an open integration platform are essential for providing the required agility and flexibility across all major public and private cloud providers and technologies. Without vendor lock-in, auto manufacturers can get what they need from proprietary technology while leveraging third-party tools, allowing their technology strategy to continually evolve as their business needs change.
To unlock the true potential of the connected car, automotive manufacturers need to not only own the in-car experience but all the software and systems as well – from the backend to the front bumper. And because nearly every component of these autonomous vehicles will be connected to an in-car network as well as the cloud, the entire system is at risk if a vehicle is compromised. Thus, securing the car and its data while providing secure connections from the car to the cloud is critical to drive the connected car experience.