Carhacking: How the automotive industry can learn from process control security
Security vulnerabilities in cars have been hitting the headlines in recent weeks with General Motors, Fiat Chrysler, Ferrari, Maserati, Pontiac, and Porsche brands all identified as susceptible to cyberattack.
Security weaknesses in cars are not new, BMW having been identified earlier in 2015, and there are no doubt others out there that have not yet been discovered or reported.
From what has been reported on automotive security vulnerabilities, anyone involved in process control systems security will see mirrored all the same weaknesses we work to fix in industrial control systems (ICS) and Operational Technology (OT) within the energy industries and critical national infrastructure operators.
Understanding the threats to Operational Technology (OT)
Common themes within the automotive security vulnerabilities exposed include:
- a lack of network segregation, with attacks on the infotainment systems giving hackers access the cars’ control systems,
- a lack of authentication or robust encryption processes to protect remote access, and
- connections to the cellular networks further opening the cars’ systems up to cyberattack.
These themes are not new to us. On the face of it, it appears the automotive industry has learnt nothing from the experience of securing industrial control systems in other industries. Lessons which are easy to find as they are embodied in the numerous industrial control systems’ security guidelines and standards. The stock answer from the automotive industry seems to be “we’re spending lots of money on it” as if that will make it alright.
There is an explosion of making physical things, including cars, “smart” and connected - the Internet of Things. Connected fridges, kettles, washing machines, surgical robots, lights. And the list goes on. Security researchers are discovering that many, if not most, of these devices have serious security weaknesses.
The energy industries have been connecting their operational technology (OT) to their IT environment for many years and have learnt quite a few things along the way. So what can the automotive industry learn from the energy industries to help secure their control systems?
Traditional IT Security cannot just be “bolted on” to OT
Safety and reliability are the primary priorities for industrial control systems and the same is true for a car’s systems. Any remote access to a control system must be especially carefully controlled and protected. Any system which is remotely accessible over the cellular networks and has any connection to a system whose failure can have safety consequences presents a risk. Access controls, using secure communications protocols and authentication are vital to protect critical systems.
It’s one thing to have a vulnerability that allows hackers to hack into the infotainment system, it’s a much bigger problem when through this they are able to hack into the cars’ control systems, such as happened with Fiat Chrysler. There they found a vulnerability which allowed the attacker to disable the vehicle’s brakes, and in some situations, take control of the steering.
Security shouldn’t be an afterthought
Cyber attacks are on the increase, and are growing in sophistication in every industry, and security of OT, whether in a car, insulin pump, power station or oil and gas platform should not be an afterthought, but needs to be included throughout the whole system lifecycle.
Some cars can already make autonomous decisions to apply the brakes if they detect a collision is imminent and they react faster than we can, which is potentially much safer. But this can also have a major negative safety impact if these systems can be hacked to override those controls and either apply the brakes when not required or they don’t work when needed.
Will it take a serious incident before manufacturers of connected devices, start designing in, implementing and continually improving the security of their products? Let’s hope not.