Most big automotive brands have been around since the time “before connected cars.” Since automobiles are typically built incrementally through a complex supply chain, combining existing and new technologies developing at different speeds, it is difficult to ensure that a vehicle is entirely connected. This includes being accessible for over the air software updates as well and being protected against security breaches, while protecting a driver’s privacy – all at the same time.
With the increase in connected cars on the roads, and an industry disruptor in the name of Tesla, many in the automotive industry are looking for ways to secure their products. There are some key similarities between the auto industry’s current situation, and what payment companies had to consider with the advent and wider adoption of payment cards.
First, it’s critical for manufacturers to employ encryption best practices since encryption and a trusted, secure Root of Trust is the only surefire way to guard sensitive data. When applied correctly, encryption provides a near-bulletproof barrier, ensuring that only those permitted to view the content are allowed to. True encryption begins with proper key management, examines what data or communications needs protection and ensures the encryption protection keeps all these details private and available only to the right parties. This includes considering how data could be moved to the cloud.
Along with implementing powerful tools such as encryption, it’s also important to develop at least a de-facto industry standard to act as a baseline for manufacturing, design, software systems. In the financial services industry, where by nature high value assets are at stake, the Payment card industry (PCI) compliance was an essential standard to enable smooth and secure user identification and data transitions. This regulation involved a specific set of security standards developed to protect card information during and after a financial transaction. PCI compliance is required by all card brands, so it sets a baseline that ensures payments are secure. In the auto industry, similar standards are needed to make sure connected cars – which are only growing in number by the day - remain safe to drive.
The industry standard for the automotive industry should also require a system for authenticating communication amongst multiple entities, such as messages sent vehicle-to-vehicle and from a vehicle to an automotive dealership. In order to achieve this, not only the electronic control unit (ECU) of different parts need to have an identity so that can be addressed, authenticated and potentially communicate with each other, but also the vehicle itself needs an identity, as well as any person or diagnostic system, software or event driving data request that wants to be granted access. Chips or ECUs that hold an identity can be added during production process and initiated to a so called Public Key Infrastructure, which is a system that allows issuing certificates necessary for cars, clients and code to be authenticated. When a car is activated, it sends the certificate out to validate communication channels between different areas of the car, such as the tire pressure gauge or the break system. It can authenticate communications between parts within the car, and can authenticate a car’s identity to another vehicle or an automotive dealership where the car is taken for service.
With these kind of complex systems that need to be put in place, of course security cannot come as an afterthought, but an important part of the design and manufacturing process from the beginning. An established Root of Trust, combined with industry standards like those adopted by the payments industry – but not just for payment transactions within a car - and ongoing dialogues among leaders in the field, will ensure the automotive industry stays ahead of security risks associated with connected vehicles and other emerging threats.