1 year ago


connected cars DRIVING

connected cars DRIVING INTO THE UNKNOWN TACKLING THE MANY CYBERSECURITY AND OTHER SAFETY ISSUES AROUND CONNECTED CARS HAS BECOME AN IMPERATIVE Connected cars are a reality; most modern vehicles on the road nowadays have some form of connectivity to the open world. This raises important challenges on multiple software integration and cybersecurity. To address this challenge, Thales, through its German company Sysgo, along with Vector, the Stuttgart-based specialist for automotive embedded electronics, founded a joint venture to address the critical issue of multiple software managing multiple, often safety-critical, functions. The volume and complexity of software used to manage virtually every aspect of a connected or autonomous vehicle, both mechanic and electronic, could bear a potential risk to people's safety. Each software presents a potential attack surface for security breaches, which could affect the overall reliability of the vehicle. The aim of this partnership is to co-develop an integrated software platform for improved performance and cybersecurity. Through this joint-venture, Thales and Vector will combine their respective embedded systems expertise in aviation safety and in automotive software according to ISO 26262 to offer a single platform to run the car's software and applications. By simplifying the vehicle's control systems, they aim to strengthen its cyber-protection, while ensuring the isolation of individual applications. SINGLE SOURCE SOLUTION To achieve this, the two experts will look to co-develop the new platform by combining two pre-existing products: MICROSAR, Vector's AUTOSAR* Adaptive basic software, and PikeOS, Sysgo's real-time operating system. Through this integration, coupled with further co-development, the two companies are aiming to provide the automotive industry with a single-source solution. "Cybersecurity and Safety Critical Systems are part of the Thales DNA. For us, this joint initiative with Vector and Sysgo is a natural step beyond what we already do for the automotive industry in cybersecurity services and consulting", says Laurent Maury, vice-president, Critical Information Systems and Cybersecurity, Thales. Designed for the new generation of highperformance Electronic Control Units (ECUs), based on the AUTOSAR Adaptive standard, a release of the joint solution for prototype applications is planned later this year and series releases for safety-relevant control units are expected in 2019. Meanwhile, Ansys, which develops and markets engineering simulation software, states that, while connected car technology is a "bonus and a pleasure for car buyers", it poses unprecedented new engineering challenges regarding reliability, safety and security for car manufacturers. In its report on connected technology, 'Ensuring Reliability and Safety of Connected Car Technology', it comments: "As we rely more and more on connectivity of cars, many potential problems could emerge from faulty connected car technology, including simple connection interruptions, display malfunctions, signal interference, and expensive failure of sensitive electronic hardware under heat and harsh conditions within vehicles. "Imagine being lost while driving in an unknown city, due to GPS signal loss, or the frustration of being unable to operate the air conditioner on a hot day, because the car's touch screen interface has difficulty recognising the touch of sweaty fingers. Connected car technology also opens doors to much more serious, unprecedented problems, such as cyber security holes and software bugs that could lead to potentially fatal safety issues." Such problems can quickly lead to consumer dissatisfaction and brand depreciation. And there can be even more serious consequences, if, for instance, remote hackers use the connectivity to 32 computing security March/April 2018 @CSMagAndAwards

connected cars therefore trade off the desired level of effectiveness (and the systems that can be updated) against the costs. That calls for a deep understanding of the architectures and peculiarities of these systems." Embedded software is in the focus of the joint venture between Vector and SYSGO for autonomous driving. Image rights: Vector Informatik GmbH exploit security holes for theft or to jeopardise passenger safety, it adds. COMPLEX WORLD According to global management consulting firm McKinsey&Company, automotive products are becoming more complex, with an increasing number of electronic control units and lines of code. "Connectivity is burgeoning, with dangers at every turn. The supply chain is quite fragmented, so policing security is hard. And the integration of automotive systems can also serve to compromise any specific countermeasure. Adds McKinsey&Company: "We believe that the sector needs a holistic, two-front approach to cybersecurity. On the first front, solutions ought to address the design of the product, the way it's developed, and the maintenance-and-response architecture. "On the second, OEMs should focus more effectively on the automotive environment at the sector level (for instance, by cooperating among themselves), on the concerns of regulatory bodies and on the mind-sets of final users, who must actively protect their cars." A secure design, while necessary, won't guarantee full security over time. Solutions are effective only if they are implemented consistently, and high-quality components-software and hardware alikeimplement the design. "This requirement calls for a sound and managed development process, including reinforced collaboration between productsecurity teams and corporate IT-security teams. OEMs must thus create and enforce strict guidelines to minimise the chances of bugs and software-security gaps and to make modifying or patching systems easier. "That's why over-the-air (OTA) updates - which have recently become available for some cars, though often for limited parts of software - are clearly essential for connected systems: they help OEMs to counter attacks quickly and to eliminate specific vulnerabilities before malefactors can exploit them." DEEP UNDERSTANDING However, these benefits have a price, McKinsey&Company concedes, in that implementing support for OTA updates is quite complex and expensive, both for cars and the back-end infrastructure. "OEMs must OEMs, which exclusively control the relationship with customers and are usually the final system integrators, bear the ultimate responsibility for integration risk and for ensuring that secure stand-alone systems aren't vulnerable when connected, it insists. "These companies must ascertain that security practices have been implemented consistently throughout the full value chain, including suppliers. Procurement executives must therefore learn to negotiate over the cybersecurity features of components as rigorously as they do anything else. OEMs should also play an active role in shaping the sector's future standards-both regulations and best-practice guidelines." McKinsey&Company points to how in many sectors, including oil and gas, financial services and aviation, alliances help companies to deal with regulators and to share intelligence on threats and vulnerabilities, both internally (among OEMs and suppliers) and externally (with regulatory bodies and the media). "Such alliances also facilitate prompt responses to novel threats. Some automotive companies are already creating alliances; other OEMs and suppliers should consider joining them." Automotive OEMs face a unique challenge, it adds, so they must complement their own efforts to develop security strategies by taking action on a higher level: the sector as a whole must secure its products across the entire supply chain by developing new ways to collaborate and interact. "If it doesn't, cybersecurity problems could irritate customers or even generate regulatory burdens that might well upend the cars of the future before they hit the road." *AUTOSAR (Automotive Open System Architecture) is a worldwide partnership, which develops the standardised software framework for intelligent mobility. @CSMagAndAwards March/April 2018 computing security 33