As our cars become more connected and our society moves closer to widespread autonomous driving, researchers and companies alike are calling for national standards to help secure connected vehicles.
BlackBerry recently released a whitepaper highlighting what it calls a 7-Pillar Recommendation, a list of seven recommendations to help reduce vulnerabilities in vehicles, thereby lessening the chances of a threat actor exploiting them for mischievous purposes.
The seven recommendations include securing the supply chain, using trusted components, isolating critical systems, using in-field health checks, establishing rapid incident response networks, implementing lifecycle management systems, and building safety and security into the culture. BlackBerry argued these principles could also be adopted for other IoT devices to ensure safer products in other industries.
The recommendations were also offered as guidelines for legislators to adopt a minimum set of requirements similar to the NHTSA (National Highway Traffic Safety Administration) 5-Star scoring system.
“We feel that NHTSA and DOT can mandate a minimum set of requirements, such as the 7-pillars, with certain criteria to be met to achieve a certain score,” the company said in the report. “A 5-Star scoring system can be used to initially educate consumers and later to make their score a differentiator for their automobiles.”
Scoring would be set based on how many of the recommended requirements are followed and how many objective criteria are met with tests. BlackBerry argued that the implementations shouldn't be mandated, but left to the automakers to differentiate their offerings.
Acalvio Chief Security Architect Chris Roberts told SC Media that this is one area where the government has been ahead of the industry. As an example, he cited proposals made earlier this year to have safety and security standards for IoT devices, particularly those used in government.
“The challenge in any of this is simply getting the manufacturers and companies that are developing all of these solutions to collaborate and build more secure devices,” Roberts said. “Therefore, you have to marshal ‘most’ of Silicon Valley, change the philosophy of ‘build it cheap/fast’ to one of ‘build it secure/safe’ and then have that propagated to countries such as China, India etc…”
He added that other companies have been calling for similar initiatives and that BlackBerry is not leading the way in this, but said that more companies like BlackBerry are needed to join the efforts to provide a baseline of what security and safety should be.
While many vulnerabilities and attack scenarios have been well documented for connected cars, some researchers warn that connected trucks could pose much more imminent threats, as more harm can be done with trucks, Jeffrey Carr, a consultant and founder of the Suits and Spooks cybersecurity conference series, told Trucks.com.
Last month, Tesla unveiled its electric semi-truck and many companies are already following suit with their own versions, all of which are prime targets for cybercriminals looking to use GPS-spoofing attacks to redirect trucks along with the valuable loads they haul. These attacks can be carried out for as little as $10,000, which could be a drop in the bucket compared to the amount of damage they could cause.
“They won't waste that on an individual vehicle,” Carr told the publication. “It has to be a high-value target. Giant rigs moving down the highway under the control of computerized navigation systems utilizing GPS — you have a high-value target.”
Trucks are also more vulnerable to these attacks as they use a common protocol, making it easier to compromise a fleet of trucks, Argus Cyber Security researcher Monique Lance told Trucks.com.
“There's a common communications standard in trucks called J 1939 that makes it possible to craft one attack that fits all,” Lance said. “An attack that accesses one truck will potentially access most trucks.”
Although many of these attacks are still in proof-of-concept stages, researchers are urging manufacturers to start preparing for the increasing threat landscape now, before it's too late.