Cybersecurity must catch up with automotive technology

Most people are familiar with the software update process on their computer and cell phone, but computer components and cybersecurity are not limited to computers and smartphones.

Today’s automobile is a highly sophisticated and intelligent device. A modern car typically has over 100 microprocessors, 50 electronic control units, and 100 million lines of software code. To put this sophistication into perspective, it’s 50 times more lines of code than the F-22 Raptor, one of the most high-tech military aircraft currently in use.

Newer models of automobiles are also connected devices: Bluetooth connects the car to cell phones, and many cars have built-in cellular and Wi-Fi communication capabilities. This connectivity enables remote start and many other features and will increase with the addition of intelligent infrastructure in which the road, signals and other components communicate with the vehicle and the wider adoption of autonomous vehicles.

This technology and connectively also makes cars targets for hackers who could potentially compromise a vehicle’s control and security systems. Features like automatic braking and remote start would take on a very different character if they were under the control of an opponent from a distance.

Although there has never been a confirmed malicious attack on an automobile, hackers have proven that automobiles are vulnerable to cyberattacks. Most hackers believe it’s not if, but when hackers will exploit cyber vulnerabilities to gain remote access to connected vehicles. It’s a frightening possibility in which thousands of cars could be cyberattacked simultaneously, causing chaos on the country’s highways.

This reality has made cybersecurity a major concern for the automotive industry as well as for the government, including the Cyber ​​Physical Systems Security (CPSSEC) project of the Cybersecurity Division (CSD) of the Science and Technology Directorate. internal security (S&T).

Project goals include working with automakers and leading researchers to increase vehicle cybersecurity, funding research projects to improve automotive cybersecurity, and preparing the federal government fleet for an important upcoming deadline.

“The advancements we have made in automotive technology require solutions that ensure cybersecurity and security in this indispensable part of our lives,” said Dr. Daniel Massey, CPSSEC Program Director at S&T. “Our goal is to identify the main cybersecurity challenges and find solutions that will reduce the risk of cyber attacks. “

Among his work is a joint research project with New York University (NYU), the University of Michigan Transportation Research Institute (UMTRI) and the Southwest Research Institute (SwRI) to secure updates. vehicle software update. Like computers and mobile phones, vehicle software requires updates to correct errors in security-critical systems or remove vulnerabilities that could allow hackers to remotely affect vehicle systems.

The ability to update vehicle software is critical to both safety and security, but it could also be a key attack vector for adversaries. If attackers can gain access to the software update system, they can insert malicious code. Attackers exploited loopholes in the software update processes of traditional computer systems (eg, applications, operating systems) and mobile phones to insert malware. This CPSSEC project aims to ensure that these flaws do not repeat themselves in vehicle software updates.

Teams from NYU, UMTRI and SwRI have created a volunteer group that includes more than 40 leading automotive-related companies – from original equipment manufacturers and Tier 1 suppliers to start-ups – with vehicle technology. relevant. The team is making rapid progress on a design document and benchmark implementation that will help ensure that vehicle software update systems are safe and secure.

In addition, a team led by HRL Laboratories is using a new secondary channel approach to improve vehicle cybersecurity both during updates and normal operations. Without modifying the vehicle, the “secondary channel” observation can potentially identify malicious behavior. For example, the activity of the vehicle generates noise and heat. While attackers can change the code in a vehicle, they cannot prevent physical actions from generating noise or heat as a result of the code being changed. If we understand the normal secondary channel patterns, we could potentially identify and neutralize a hack.

DHS S&T also works to protect the federal government’s vast fleet of vehicles from cyber threats. Telematics systems, which are required in government vehicles by March 2017, track location, performance, and other behaviors and can improve government fleet management by reducing fuel costs, emissions of carbon and the identification of maintenance problems. However, if telematics is not implemented securely, an adversary could exploit these same advantages. For example, we don’t want an adversary to know the location of every government vehicle, so the race is on to ensure the government fleet is not cyber vulnerable.

This multi-pronged approach to tackling vehicle cybersecurity in the public and government sectors keeps the CPSSEC team busy. But it also puts them at the forefront of a very important mission that dovetails with the overall mission of the Department of Homeland Security: to secure the homeland.

Source: Directorate of Homeland Security Science and Technology