Cybersecurity and Securing Connected Cars
Vehicles abound in society and culture. These vary in age, color, manufacturer, and the amount of tire and brake wear. One topic which has been in the news and talked about recently has been securing these vehicles, especially the connected vehicles now and the future autonomous ones. Seemingly, there are many new articles with these as the story focus. With these vehicles, due to the other assets the vehicle connects to (e.g. V2X, V2I, V2V, V2G, etc.), a successful attack has the potential to have a really bad day.
Vehicles are becoming increasingly connected. At some point in the near future, the vehicles we have grown with will become autonomous. With all of these iterations with vehicle advancing in technology, one aspect becomes increasingly pertinent. The vehicles have to incorporate security into the vehicle’s infrastructure. The functionality requires it. As these vehicles control a greater extent of the operations, previously managed manually, the risk increases. When the vehicles are autonomous, the risk is rather significant. For instance, when the sensors are connected, the risk is for a false positive. If there is a tire pressure monitoring system (TPMS), the risk is for the equipment to read more or less than the actual air pressure reading in the tire. An attacker could successfully force the system to register an exceptionally low pressure reading forcing the driver to pull over to the side of the road.
With the advanced autonomous drive vehicle, the risk is magnified. This is due to the attacker having the opportunity to take full control of the vehicle. The auto could be re-routed to a totally different location or turn into traffic during rush hour. This series of use cases, illustrates the necessity and requirement for a secure vehicle infrastructure. These attacks absolutely do not have to be by someone located in or within a few feet of the car, or physically connected to it with a patch cord. These attacks may be done from anywhere across the globe with a fair internet connection. This makes the connected and autonomous drive vehicle even more potentially devastating. These attacks occur unfortunately with the present fleets. These may initially take the form of a proof of concept (PoC) at this point. The jump to a fully mature attack from this point is not that great of a stretch for the adequately trained attacker. These hypothesized compromises have been demonstrated by cybersecurity researchers on the Tesla, BMW, Nissan, Mitsubishi, FCA, and other manufacturer vehicles.
To address this growing germane issue, Mitsubishi Electric developed a cyber-defense system to defend vehicles. The new system incorporates multiple cybersecurity layers into one defense in depth tool. This works by improving the head unit’s (HU’s) ability to defend the vehicle. The vehicle’s connected function have allowed for an in depth attack vector and path to the vehicle’s crown jewels, or the attacker’s targets to exfiltrate.
As noted, there are multiple layers of defense. This acts much like an intrusion detection/protection system (IDS/IPS). This is intended to decrease the potential for a successful attack. The more difficult it would be for the attacker to succeed, the greater the chance the attacker will move onto the next target, looking for an easier target. The attackers would not spend weeks or months on a random target when they would be able to successfully compromise another vehicle in days or a week. This is simple economics and algorithm.
This works by identifying attempted attacks in the HU and modules controlling the vehicle. This detects attack methods for the vehicle. This was designed for a faster boot-up. This is estimated to take less than 10% of the time for a conventional boot-up process. For this cybersecurity system, the HU is the focus for the defensive operating system. This is an appropriate central point as the HU is attached to the internet, and the researchers analyzed the defense-in-depth used by critical infrastructure and applied the theory to the vehicle.
The new system verifies the software in the vehicle’s operations integrity during the boot up process. The system completes the task while not being overbearing on the processing time and power. The direct effect on the system is paramount. The vehicle’s cybersecurity has to be fully addressed prior to the more connected vehicles being placed on the road. The drivers across the freeways would rather not have a rogue vehicle careening through traffic during rush hour on a Tuesday morning.
This cybersecurity feature is a great first step. This tool addresses one vector for an attack. There are others which focus on the other aspects of the vehicle’s functions and communications to address in the future.
Resources
Green Cars Congress. (2019, January 22). Mitsubishi electric develops cyber defense technology for connected cars. Retrieved from https://www.greencarcongress.com/2019/01/20190122.html
Kovacs, E. (2019, January 22). Mitsubishi develops cybersecurity technology for cars. Retrieved from https://www.securyweek.com/mitsubishi-develops-cybersecurity-technology-cars
Market Watch. (2019, January 21). Mitsubishi electric develops cyber defense technology for connected cars. Retrieved from https://www.marketwatch.com/press-release/mitsubishi-electric-develops-cyber-defense-technology-for-connected-cars-2019-01-21
R., J. (2019, January 22). Mitsubishi electric develops auto cyber security. Retrieved from https://www.universitymitsubishi.com/mitsubishi-electric-develops-auto-cyber-security/
Rajan, P. (2019, January 23). Mitsubishi electric develops cybersecurity technology for connected cars. Retrieved from https://www.telematicswire.net/automotive-security/mitsubishi-electric-develops-cybersecurity-technology-for-connected-cars/
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.