Hackers Aim to Exploit Vulnerabilities in CVs, Pushing Security to the Forefront
Commercial vehicles are coming into the sights of hackers who have succeeded in attacking governments and corporations. Cyber-criminals hope to exploit vulnerabilities in connected trucks and off-highway vehicles with the aim of wreaking havoc or extorting funds from vehicle owners or equipment makers.
Now that most commercial vehicles are connected, protecting them from attackers with multiple layers to provide defense in depth is becoming a necessity. On the bright side, system developers and OEMs who haven’t had to worry about cyber attacks until recently can leverage the efforts of industries that have been battling hackers for years.
Those efforts are widespread. SAE International focused on best practices in its SAE J3061 standard. Groups like the National Science Foundation have sponsored a number of projects. Microsoft recently joined other companies calling for the U.S. to establish a single national cybersecurity agency.
These efforts are augmented by security-related developments from a diverse group of companies including Harman, Blackberry and Argus Cyber Security, which was purchased by Continental last year.
Most experts note that security needs to be designed in at every level, from semiconductors up to complete vehicles. That will provide defense in depth, which helps prevent hackers from penetrating deeply enough to take control of a system or vehicle.
“Security is a supply chain problem,” said Peter Brown, Chief Automotive Architect at Wind River Systems. “Companies have to have a layered architecture. If somebody breaks through one layer, they find that they have to break through another, then another.”
Those layers span a range of technologies. Most experts feel that security needs to be designed in from the start of a project. It’s more difficult to add complex, multifaceted security techniques to existing vehicle designs. That’s because many hardware and software layers come from a range of suppliers, addressing many levels of vehicle design.
“Attacks must be prevented by strong encryption technology in the communication links,” said Jose Ogara, Product Manager at TTControl. “Additionally, connections should not transverse public internet using private access point names. At the vehicle level the gateway should never open ports or services to the internet, and a firewall should always be present. Security is an architectural issue at the vehicle level, and additional measures such as signed codes should also be considered.”
Many security specialists note that the need for a broad-based security architecture requires support from the CEO level down through design and manufacturing personnel. If not, security’s likely to be pushed aside when harried developers try to avoid cost overruns or missed deadlines.
“Leadership must lead,” said Bryson Bort, CEO at Scythe, a data-security startup. “If there’s not a focus on security coming from the top of the company, nothing’s going to change.”
Some connected vehicles have been protected because connections were largely proprietary, so hackers ignored them to attack easier targets. But the shift to join the Internet of Things and leverage existing communications tools and technologies has changed that. Connected vehicles usually have hardware and software produced by a range of Tier 1s and other suppliers, so open architectures are becoming the norm.
“We see the need for open platforms,” said Sanjay Ravi, Managing Director Automotive at Microsoft Cloud Services. “Open application programming interfaces make it possible to include several players, from startups to very large automotive companies.”
The move toward openness extends to development tools. Many design teams gravitate toward open source software like Linux. Software modules found in these libraries have been tested by scores of engineers, so many of their vulnerabilities have been discovered and fixed.
“Open source initiatives could give a positive contribution to security thanks to a shared collaborative framework and wide-open review process,” said Maddelena Brattoli, Software Design Manager at STMicroelectronics. “Platform security is generally designed independently from the operating system. This approach guarantees the availability of the fundamental hardware building blocks like true random number generators, cryptographic hardware, physical isolation, secure boot process that customers can leverage in the operating system or application with a limited effort and via standard API."
Once all these plans have been put in place, equipment operators may be asked to join in the security effort. Owners can decide if they want to use passwords or other schemes that identify who’s logging in. This step prevents unauthorized use and lets companies set different levels of access for operators and maintenance technicians.
“Who can access the data and how they access the data are important,” said Jason Hurdis, Global Market Professional, Caterpillar Inc. “VisionLink software allows password log-in and provides secure access to the customer.”