
Andrew is the head of Cyber Security at Atkins. He is a specialist advisor in security risk with over 25 years’ experience in the industry and has led and delivered multiple security projects in the UK, Europe and the Far East. Andrew currently consults across UK Government and critical national infrastructure enterprises, architecting business-driven security solutions.


Ford recently announced plans to develop high-volume, highly autonomous driverless vehicles, aiming to achieve SAE International’s level 4, enabling high system control of vehicles. News headlines over the last few years have highlighted the potential dangers to autonomous vehicles from cyber-attack or system failure. Major manufacturers have all reported issues and the well-tested Google car had its first crash in 2016 after several years of use. Experience tells us control software, and its decision-making logic, is not infallible. While incidents are rare, the potential remains for them to be catastrophic.

Automation at the levels envisaged by manufacturers is bordering on both the commonplace and science fiction. To me the SAE International levels are an Isaac Asimov-like ‘six laws of driving automation’; from no automation (level zero) through to full automation (level six), with various modes and capabilities being engaged across the driving range. For levels three to six, an increasingly bewildering range of technologies that make up vehicle systems could equate to the robotic ‘positronic brain’ in Asimov’s robots – the heart of autonomous decision-making for vehicle control, monitoring and performance.

Reading between the lines, no doubt Asimov’s robots were very heavily tested and the positronic brains put through their paces. It feels like the same may not be said for autonomous vehicles.

In technology terms alone, interconnectedness abounds both within and without the vehicle and the attack surface is staggering: infotainment systems, wireless sensors, diagnostic ports, infrared control, USB, Bluetooth, keyless entry and telematics services with in-car applications. Each of these systems is potentially complicated by various levels of product maturity and multivendor system solutions that in turn engage with other elements of a digital ecosystem.

While the core components in themselves may be robust, it is the links to other components outside the core elements that offer potential areas of weakness and vulnerability to cyber-attack from increasingly challenging threats. Should an attack or system failure occur, the impact is huge in terms of vehicle passengers and the manufacturer’s reputation. Securing these linkages across a diverse vendor base is a huge challenge. This patchwork build structure inevitably leads to weaknesses, many of which will be very familiar to veteran security hands:

  • Poor, or non-existent, product hardening including simple passwords or open communications
  • Lack of encryption across the vehicle network and through the telematics system
  • Poor segregation between components across the vehicle network.

These are security’s ‘grapes’, ripe for picking, followed by mayhem in the pressing shed. There is so much more that the manufacturers could do but at the moment they appear to choose not to.

While technology advances, bigger, more human-centric questions are raised. Trust is critical. Humans must believe that these autonomous systems will operate properly if the industry is to have a successful future. After all, just who would get into one if the destination could be changed and the doors locked to stop escape! Providing real assurance that a vehicle is safe and secure is paramount.

Its decision-making heart must also be able to make the same value judgements that humans make every day. Can it make decisions between life and death? What logic applies then? What humans do by reaction, wisdom or feeling needs replicating. We must have full confidence in the systems if we are to use them on our roads.

Just how do we provide this assurance? How happy do people need to be to give up their control?

The industry is confident it can overcome these challenges, but from a security perspective the way forward does not seem so assured. With a multitude of manufacturers and vendors each developing products in isolation or exclusive partnerships, this fragmentation hides potential vulnerabilities between systems and implementations. Over the last couple of years we’ve started to see some emerging security approaches beyond ISO 26262 but these don’t feel enough. Both the SAE and the IET have active groups exploring these issues so the problem is being worked on.

With all this new technology about, security needs to step back a bit and perhaps remember the 80-20 rule: as a starting point, implementing the 20% most important controls will likely manage 80% of the security risk. This basic approach can take security forward with a bit more pace – taking an overall look at vehicle cyber security through a framework model focused on increasing protection, resilience, awareness and confidence in the systems.

At the very least manufacturers and vendors could be prompted to assess the overall maturity of their cyber security within the operational systems of vehicles, the modules they plug in and how they then interact, including the information captured and its subsequent flow. These assessments can be used as a baseline to demonstrate what is being performed well, what security gaps exist and how these can be reduced to increase the overall security posture.

Taking things further, more regular reviews and updates of systems (including patching on the move), general improvements and good housekeeping all go a long way to getting the 80-20 right and taking most vulnerabilities out of circulation. This can only lead to better human assurance that really builds confidence in these vehicles.

Business operations, and the technology that supports it, are increasing in complexity. Securing these operations is becoming more difficult, in no small part due to the continuing demand to create more modern, efficient and effective infrastructure.

What we therefore need is better design. Design that is undertaken up front and early in the process. We believe that existing industry approaches only go so far. As an organisation that designs and engineers some of the most complex infrastructure on the planet, we have some views on securing this – the security design challenge.

Technology and security professionals are used to designing technical approaches using shapes on network maps and schematics, typically detailing many layers, boxes and connections. We adopt a different approach. Although we start with an idea and develop it into a detailed set of requirements, our approach is based on a different form, one which can address diverse levels of analysis, encompass an organisation’s strategy and objectives, and focus on the people, process and technology required to realise those objectives.

A fundamental aspect of this approach is our belief that security is probably misunderstood in many organisations. To us it is a process and not a product. It should exist to protect assets of value, meaning that it is a relative concept; it has no intrinsic meaning outside the asset view. As an asset changes, so does the security around it, based on organisational risk approaches.

If security design is so important what can hinder it? In our experience the key elements are:

  • A misunderstanding of the threat as a fixed ‘thing’ when it has many components – sources, agents, motivation, capability, resources – any of which can change at any time.
  • Too much focus on technology that sits in organisational silos as the single solution to cyber. This inevitably leads to people and processes being overlooked, especially when most cyber incidents involve human error.
  • Little common language across organisations. Despite the fact that ‘security is everyone's responsibility’, every industry, sector and technology is different. Just think of the same and different needs of Information Technology and Operational Technology.
  • Cyber is borderless. It does not matter what country, organisational or functional boundaries exist, so security governance needs to span across these areas to avoid gaps in security posture.
  • We have an unbalanced workforce. Yes, there is a cyber skills shortage, but it’s worse than that: the workforce is dominated by IT, yet we need skills from across a business to provide for effective cyber, e.g. business change, process analysts, human factors specialists; it’s not all about technology.
  • Over time the business and countermeasures lag behind technology and the threat. With this in mind we must ask ourselves ‘is this a battle we can win?’ This means organisations should decide what risk they are willing to accept.

So what does ‘good’ look like? Security needs to be built in at every stage of engineering design and fully aligned to business requirements. It is therefore about:

  • Understanding the business goals and objectives
  • Determining the assets and their criticality to the business
  • Understanding the threats, risks and opportunities related to the business operations and assets
  • Developing the strategies, processes, mechanisms, standards and tools that will underpin the goals and risks
  • Developing the governance, management, roles and responsibilities that will underpin the processes and mechanisms
  • Understanding the geographies, sites, business units and infrastructure where security needs to be implemented
  • Understanding the business time aspects, calendars, processing schedules and sequences.

This approach provides traceability from the business to the security requirements so that security controls exist to serve a specific business purpose.

Design though is not a one-off activity. We can’t pat ourselves on the back and walk away happy once it’s delivered. Technology evolves, threats adapt and business needs change. Our designs need to evolve with this and security needs to be lived and operated – it should be the oil in the cogs of your machine.
