Registered users can unlock up to five pieces of premium content each month.
U.K. Government Releases First Cybersecurity Standard for Driverless Vehicles |
NEWS |
This December, the U.K. Government published a standard for automotive cybersecurity, PAS 1885, outlying guidelines to improve and maintain driverless vehicle security and associate intelligent transport systems. The guidelines were developed in conjunction with Jaguar Land Rover, Ford, and Bentley, as well the National Cyber Security Centre, the British Standards Institution, and the Department for Transport.
Overall, the standard outlines the needs to apply a defense-in-depth approach, a means to asses software trustworthiness, and to critically manage the security of the vehicle and data over the lifetime of the vehicle. Critical differences between current vehicles and future autonomous vehicles will mean that new cybersecurity measures and approaches will be needed to achieve what is set out in this standard and in future standards set out by other countries. Consequently, this will bring a wave of new opportunities for hardware and software companies.
New Elements, New Architectures, and a Need to Actively Monitor Autonomous Vehicles |
IMPACT |
The current approach to automotive cybersecurity is to limit entry into the vehicle via key access points, using methods that include: hardware-based firewalls, application sandboxing, and Safety, Health, and Environmental (SHE) microprocessor specifications. However, the current approach will not be enough to secure future autonomous vehicles, nor does it critically provide any insight into the current status of vehicle security. High-level autonomy and fully-autonomous vehicles (robotaxis) provide several unique challenges from a cybersecurity perspective, as covered in an upcoming ABI Research report (AN-5000):
To meet the requirements and best practices set out by standards will require that OEMs and Tier Ones rethink current cybersecurity approaches. This will see new cybersecurity measures, both hardware and software, being applied to the vehicle, advancing the current state of cybersecurity, while also bringing new opportunities to vendors in these spaces.
Opportunities for Software Providers and Hardware Providers |
RECOMMENDATIONS |
The current approach toward vehicle security is very limited in its scope; however, with increasing autonomy, OEMs, backed by local standards, will likely look to develop a new approach to cybersecurity.
Any new approach to cybersecurity will likely center around cyber-software solutions, such as an Intrusion Detection System (IDS)/Intrusion Protection System (IPS), which can provide active insight into current network traffic inside the vehicle, be easily updated, and provide protection against sensor spoofing attacks. For robotaxi applications, the use of software, such as an IDS/IPS, to actively monitor the state of vehicle security will almost certainly be a requirement set out by standards like the upcoming joint International Organization for Standardization (ISO) and Society of Automotive Engineers (SAE) 21434 standard.
Although cyber software will form a key part of an OEM’s strategy toward providing cybersecurity, it is not a complete approach to cybersecurity; for instance, it provides little protection from physical tampering that will likely increase with robotaxi usage. Any cybersecurity approach will, therefore, require complementary security hardware to provide a complete end-to-end secure solution. Therefore, although software vendors may be tempted to push a complete software solution to OEM customers, working to provide software solutions that function with key complementary security hardware may be a more effective approach, providing a complete end-to-end solution, thereby providing a software provider the edge versus its competitors. The recent late-2018 announcement by vehicle cybersecurity software provider Karamba Security that it is partnering with semiconductor vendor ST Microelectronics to provide a secure telematics processing solution is a good example of how this can be achieved. This partnership will leverage Karamba’s Carwall cybersecurity software solution and STMicroelectronics’ processors to achieve tamper resistance and accelerated software execution.
Cybersecurity hardware providers, on the other hand, should be aware of the limitations of cybersecurity software and how hardware can fill those gaps left by cyber software, providing a complementary solution, rather than a competitive solution. Current secure hardware is almost exclusively limited to the implementation of specifications like SHE. Given the limitations of current SHE-based implementations, such as limited protection against physical tampering and limited support for cryptography functions, hardware providers should be aware of the possible opportunities available to provide more advanced secure solutions. For example, the Hardware Security Module (HSM) represents a suitable extension to SHE and, therefore, is likely to be favored by OEMs for use in domain controllers. Other security measures, such as Trusted Platform Modules (TPMs) and secure elements, can then be pitched as suitable additions for areas that require increased tamper-resistance and extra security in key areas like infotainment and Vehicle-to-Everything (V2X) features.
The PAS 1885 standard demonstrates how there is growing emphasis on cybersecurity in automotive applications with increasing vehicle software complexity and automation. With the ISO – SAE 21434 standard for vehicle security also in development and expected to be completed in 2020, there are now significant available opportunities for both hardware and software vendors, driven by standards. For cybersecurity software vendors, the need to actively monitor the cybersecurity status over the lifetime of the vehicle provides an obvious entry into the market. For hardware providers, the best strategies will evolve around providing tamper resistance and complementary solutions to cybersecurity software, or even partnering with the software providers themselves to provide a complete solution through collaboration.