Hackers and developers are locked in a perpetual duel. One attacking; the other parrying their lunge. It is a fight that is moving into the automotive domain as cars become more connected and technologically advanced. Adopting appropriate controls alongside the technology is essential to protect drivers of the future from cyber threats.
Greater connectivity gives hackers more targets to attack. Jammers can disrupt wireless or Bluetooth networks today, but only in a small area. Connected cars will interact with the road, other vehicles, and road signs over a 4G network, which opens them up to a cyber-attack from a remote internet platform. Hackers taking over your car as you zoom down the motorway sounds like a Hollywood plotline. In reality, the theft of data is a greater motive for hackers than mass disruption or carnage.
Once the public is convinced the technology is safe, fears around privacy and unauthorised access to users’ personal information are likely to be the greatest barrier to adoption. This could range from location services data being logged for insurance purposes to theft of account and payment information similar to several high-profile attacks on large retailers.
The industry can overcome the challenge, but it does require careful management. Telecoms companies are already looking to provide extra levels of security. We know that people’s personal data is most exposed while it exists in the Cloud or on public networks where processing is performed extensively by third parties. So providing effective security in the supply chain, for example, could prove to be a differentiator when carmakers are choosing between IT suppliers to partner with, or when marketing these services to consumers.
We also need the right rules and regulations. Any new technology that becomes mainstream needs to exist in a legal and regulatory framework. This is especially true where public safety is concerned. But this framework does not currently exist. In an ideal world, government regulation would head off any security issues, but experience teaches us that regulatory controls and guidance are more likely to come in reaction to an incident than as a far-sighted and proactive measure.
Manufacturers and software developers also need to learn security lessons from the past. They should take on board the example of insecure web browsers and unpatched vendor software causing untold business impact as more and more businesses have gone online, opening the door to hackers.
Designing security into products from the start and developing adequate layered defences should help prevent or at least limit unauthorised access to data. As in the aviation industry, safety functions such as braking or steering will have to be based on consistent and universal standards. They should be separated from other connected features – effectively unplugging them from the internet.
While none of this may reassure a nervous public, it is worth stressing one important point: whatever the cyber threat, it will still be safer to let the car drive itself than let a human behind the wheel. The safety records of semi-autonomous trains and aeroplanes have already proved the point.
Road vehicles are far from unique in their vulnerability to cyber-attack. A whole raft of industrial operations, IT environments and other consumer devices are potential targets, yet we still use them. Rather than switching off and ceasing to use them, we must make ourselves aware of the dangers and remain vigilant in protecting ourselves.
This article represents the views of the author only, and does not necessarily represent the views or professional advice of KPMG in the UK.