How do I select an automotive IoT security solution?

As the automotive industry rapidly evolves and cars become smarter, cybercriminals are becoming more sophisticated too, constantly finding new ways to compromise connected vehicles.

Other than the possibility of being stolen, there is an even greater threat, which implies the vehicle being controlled by hackers thus putting human lives at risk.

To select a suitable automotive IoT security solution, you need to think about a variety of factors. We’ve talked to several industry professionals to get their insight on the topic.

Asaf Ashkenazi, President and COO, Verimatrix

A modern vehicle is no longer an independent system, but a component of a much larger connected ecosystem. This ecosystem includes smartphones that are connected to the car for infotainment and remote management purposes, autonomous driving infrastructure and cloud services.

This big ecosystem runs millions of lines of code provided by numerous different software suppliers. Like any software, these millions of lines of code contain many vulnerabilities waiting to be exploited.

Discovering and eliminating all of these vulnerabilities is not realistic. Therefore, the main goal should be to minimize hackers’ ability to find these vulnerabilities and prevent them from building exploits in case they manage to discover a vulnerability, and detect hackers’ attempts so that a fix can be deployed before damage is done. This can be achieved by shielding the code that runs vehicles, but also the code that runs the connected ecosystem.

The code itself is always assumed to have vulnerabilities. Auto manufacturers must not rely on their code suppliers to provide vulnerability-free code. Instead, they must take matters into their own hands and shield the code that runs the car and connected smartphone apps.

Grant Courville, VP, Products & Strategy, BlackBerry QNX

A best practice for vehicle cybersecurity is an approach initially conceived by the NSA called “defense in depth,” which uses multiple layers of security to defend against potential hacks. This is essential for the growing numbers of connected and electric vehicles given the sheer number of systems and connections they utilize – starting with home and public charging stations, to connected dashboard electronics and telematics and GPS communicating with external data sources.

As connected and electric vehicles become more widespread, it will be important for automakers, their supply chain and key cybersecurity organizations to work collaboratively on holistic approaches and aligning with emerging safety and security standards like WP.29 to address the ever-changing threat landscape.

The swift and pervasive deployment of EVs as envisioned by many governments today, must involve a resolute focus on security at the outset – for both vehicles and infrastructure, or we risk making our electrical infrastructure, and the vehicles connecting to it, an even more compelling target for those who wish to do us, our society and economy harm.

We firmly believe that security cannot be an afterthought. For automakers and the entire automotive supply chain, security should be inherent in the entire product lifecycle.

Moshe Shlisel, CEO, GuardKnox

Increasing vehicle connectivity poses the biggest cybersecurity challenge in the industry. Yet rapidly evolving consumer demands and emerging technologies require this increased connectivity to power better in-vehicle experiences. This means OEMs and tier-1 suppliers face a major challenge- to meet market expectations, they must integrate platforms that enable high-performance capabilities, added services, and amenities, while, most importantly, ensuring they are safe and secure.

When selecting an automotive IoT security solution, it’s essential to ensure that solution is secure by design. A deterministic and secure-by-design approach to cybersecurity at the safety critical level is essential for both passenger and vehicle safety. Here, we cannot rely on the post-event remediation methods of IT cybersecurity. False positives and false negatives are not an option when lives are at stake.

Deterministic security demands that all potential operating permutations must be modeled comprehensively and that any communication or process execution is unable to take the subsystem out of the realm of acceptable behavior. The security mechanism’s threat-agnosticism means that attacks of any type (foreseen or not) and from any source cannot compromise any safety-critical ECU or communication.

Security can never and should never be an afterthought. Secure by design solutions enable OEMs to provide an advanced driver experience without compromising on automotive cybersecurity.