Imagine driving down the road when suddenly your car goes haywire – the radio blares, the windshield wipers hit full speed, the steering wheel is controlled by an unseen force and the car starts pumping its own brakes. A ghost in the machine? Nope, just another day at the office for professional hackers hired by Wired Magazine to demonstrate the vulnerabilities of unsecured connected vehicles. More than just a media stunt, connected car security is a very serious concern that has led to newly proposed legislation that would curb the threat of car hacks by establishing new federal standards for digital security.
The benefits of adding IP connectivity to things and machines are enormous – expanded productivity, time and cost savings, enriched services and overall conveniences that simplify our lives. But in our race to add IP connectivity to cars, homes and cities, digital security has often been overlooked. A survey by VDC Research showed that almost 70% of OEMs said security is important to design but only 30% indicated that they made changes in people, processes or tools to improve security. Fortunately, this trend is changing.
No one would ever consider building a home on the beach without a foundation. In the same way, carmakers, developers and OEMs are realizing the significance of starting connected device designs with intelligent security architecture as a foundation to enable trust - in the device, the data, the network and the ecosystem. Security by design enables trust in our connected world, and trust underpins a secure, sustainable and successful Internet of Things ecosystem.
The auto industry and industrial IoT developers need to approach connectivity with the same intelligence as IT system integrators and realize that the software running cars and devices is a source of potential threat just like hardware components. Fortunately, they can learn from sensitive industries such as banking and healthcare that have used digital security technologies successfully for decades. Proven best practices include:
Security by design
Security must be considered at the beginning of the development phase. It is fundamental to ongoing success and trust and has to be integrated in the hardware and software layers from the onset of design rather than as an afterthought.
Risk Evaluation
Developers need to know and understand all potential system vulnerabilities. An early comprehensive risk evaluation is critical to implementing security architecture across the entire connected device ecosystem – from the hardware components that enable connectivity, to the software running the device, and out to the communication channels it uses. This helps to protect the device, the network and the data at rest and in motion.
End-to-End Trust Points and Countermeasures
Developers should follow a few guiding principles for implementing end-to-end trust points and countermeasures to mitigate threats:
- Protect the device with tamper-proof hardware and software. For example, embedded Secure Elements are implemented to add a layer of physical and digital protection against intrusion and to store credentials and data in a dedicated, secure platform.
- Encrypt and sign the operating software to protect against attack. Encrypted software is useless without the keys, and an electronic signature will ensure that only validated software is running on the IoT device!
- Implement strong authentication and encryption solutions to ensure only authorized people and applications are granted access to the IoT solution infrastructure.
- Securely manage encryption keys to protect data and manage access to connected systems.
Lifecycle Management
Like laptops and PCs, connected car systems and IoT devices need to be protected from attack over the long life of cars and devices – that can be 10-15 years! Carmakers and developers need to design in an interoperable, dedicated platform to deploy security updates and launch new applications over the air without impacting other embedded software.
In an age where everything is connected and where cyber attacks are inevitable, trust is essential. The key to success is designing security architecture at the beginning of development projects and managing the entire trust ecosystem, from the edge to the core, protecting what matters, where it matters and when it matters.
Edited by
Ken Briodagh