Connected car cybersecurity has been one of the hottest automotive topics for a decade now, with increasingly frequent and sophisticated attacks met by ever more advanced defences – and it is pivotal to trust in self-driving too.
The issue went mainstream in 2015 when tech website Wired released footage of hackers Charlie Miller and Chris Valasek remotely seizing control of a Jeep containing journalist Andy Greenberg. “Seriously, it’s f*cking dangerous,” he protested as they shut off the engine while he was driving at 70mph.
Although the number of connected cars was still relatively small, the industry was worried. In 2018, the Society of Automotive Engineers (SAE) found that 84% of automotive professionals had concerns that cybersecurity was failing to keep pace with evolving technologies.
The International Organization for Standardization rules on vehicle cybersecurity engineering were still under development, and the ‘prevention, detection and mitigation’ mantra was getting a lot of attention.
Increasing cyber threats
Fast forward to 2023 and the challenge has escalated. According to data analytics provider Upstream, the number of automotive and smart mobility app-related incidents increased by a staggering 380% in 2022, with ‘black-hat actors’ – the bad guys – behind 63% of them.
The top three attack vectors were: telematics and application servers (35% of all attacks); remote keyless entry systems (18%); and electronic control units (14%). The main threats, therefore, are safety compromise and theft, either of the car itself or, more likely, data.
Statista predicts that the global connected car market will be worth US$121bn by 2025, by which time there will be over 400m connected cars worldwide, up from 237m in 2021.
From a UK perspective, this represents a huge commercial opportunity. Several of our universities consistently rank among the top 10 in the world for cybersecurity courses, sparking a plethora of exciting start-ups.
A leading light amongst them is Belfast-based Angoka, with its hardware solution to what is generally considered a software problem. In layman’s terms, it creates unique identities to enable trusted data exchange. Established in 2019, it graduated from the National Cyber Security Centre’s prestigious Accelerator programme, and now employs 45 people.
Richard Barrington, Director of Smart Cities & Land Mobility at Angoka, said: “My first car was an Austin A35. I’m not sure I locked it much and the term cyber didn’t exist. Today, my plug-in hybrid tells me when it needs servicing, it’s always locked, and the risk of a software fault disabling the vehicle has increased exponentially.
“Level4 automation is around the corner and billions are being spent by companies aiming to be part of the value chain. Some are spinouts from academia, others have been created within the exascale computing companies, and more within the automotive sector itself.
“While significant investment has gone into safety cases, nowhere near enough has been invested in understanding and protecting against the risks associated with cyberattack.
“The digitisation of the vehicle, drive-by-wire, electronic control systems, and the systems that manage transport at scale are all vulnerable, as are over-the-air (OTA) updates and even the EV charging infrastructure.
“Numerous attacks have taken place, or been demonstrated, setting alarm bells ringing throughout the industry. So much so that standards are being mandated, with companies trying to retrofit what should have been built-in from the start.
“One approach is a fortress mentality – encrypt everything, regardless of need. But this doesn’t work in the complex world of connected and automated mobility (CAM). There are too many cracks for bad actors to gain entry.
“With the hundreds of devices that make up a modern vehicle – sensors, actuators, controllers, infotainment – coupled with the range of connectivity options needed to transmit, receive and share data, a new model is needed.
“Our solution is built from the ground up, secure by design. It starts at an electronic component or subsystem level, so that each device has an immutable identity. It can then safely exchange data with other trusted devices, with encryption applied when needed. It gives us a real opportunity to get ahead of the hackers.”
Self-driving trust award
They call it safeguarding critical machine-to-machine communications, and it could be a gamechanger, hence Angoka’s victory at the recent Self-driving Industry Awards.
The #sdia23 judges said: “In the Trust category, we were looking for examples of exceptional service promoting public acceptance. This was the most challenging category to judge, with strong claims by an array of very different entrants. In the end, we decided that the ultimate facilitator of trust is effective cyber-security.
“We were delighted, therefore, to present our inaugural Self-driving Industry Trust Award to Angoka. Their hardware-based approach to assuring machine-to-machine communications starts at an electronic component or subsystem level. Giving each device a unique digital fingerprint enables it to safely exchange data with other trusted devices, making life much more difficult for hackers.”
Please note: a version of this article was first published in the Institute of the Motor Industry’s MotorPro magazine.