Automotive Security Resides in the Supply Chain

It wasn’t long ago that the advent of computers in cars prompted jokes about cars being hacked or enduring a blue screen of death, but hackers tinkering with our trucks is now a reality, and it means every link in the automotive supply chain needs to think about its role in security.

The tipping point was when connectivity was added to vehicles, Steve Grobman, president of Intel’s Automotive Security Review Board (SRB), told EBN in a recent telephone interview. “If you have an embedded system that has a vulnerability, but it is air gapped and isolated, it doesn't pose a risk.” But when these systems become connected, a latent vulnerability becomes exploitable, he said.

It’s not just network connectivity that makes automobiles less secure. The ability to plug other devices into a vehicle through other means, such as USB, also creates opportunities to hack what used to be isolated, embedded components.

The formation of the SRB, which includes Intel Security, IBM, Rambus and others, is one of the first steps in addressing the multifaceted objectives of improving security in vehicles without creating barriers, by understanding what reference architectures are required to support enhanced integration with external networks and capabilities.

Grobman said that rather than looking for vulnerabilities in existing automotive systems, the SRB will take a forward-thinking focus so it can get in front of threats and foster the development of more resilient platforms by defining reference architectures and their implementations. He said it’s really difficult to quantify how many players in the supply chain are involved, as different automotive manufacturers take different approaches. “Some have greater flexibility to design from the ground up.”

One of the biggest challenges, he said, is not just having security at an embedded component level, but having it at an overall system level. “Architectures never assumed rogue communications on the buses of automobiles. The assumption was all nodes would be well behaved.” Grobman said a component on its own might be free from risk, but combined with others in a system it could be exploited.

Automotive manufacturers can no longer just think in terms of liability when it comes to components, but also reliability and security. “They need to detect both failure and compromises.” Another challenge, he said, is making sure components in the field are easily upgradable and repaired without becoming an obvious vector of attack.

The SRB is in its early stages, Grobman said, but transparency and information sharing will be the foundation for the initiative to support the creation of more resilient architectures. In the short term, it is looking at what areas the SRB can focus on that are complementary to other forums in the industry.
