84% of automotive professionals have concerns that their organisational cybersecurity practices are failing to keep pace with evolving technologies, according to a new report by the Society of Automotive Engineers (SAE).
This is a major worry, and something of a disappointment, given it is nearly four years since the notorious Wired video in which hackers Charlie Miller and Chris Valasek remotely seized control of a Jeep Cherokee containing journalist Andy Greenberg:
“Seriously, it’s fucking dangerous,” he protested as they killed the engine while he was driving on a US highway.
These days, of course, there are millions more internet-enabled ‘connected cars’ potentially susceptible to such attacks.
Despite this, the International Organization for Standardization (ISO) rules on cybersecurity engineering in relation to road vehicles are still “under development”.
Last year, the Cyber Security Body Of Knowledge (CyBOK) proposed a three-stage approach to tackling the issue: 1) Prevention; 2) Detection; and 3) Mitigation.
However, it warned: “Even with good techniques to prevent introduction of vulnerabilities in new code, or to detect vulnerabilities in existing code, there is bound to be a substantial amount of legacy code with vulnerabilities in active use for the foreseeable future.”
Just this month, Jaguar Land Rover suggested that fully driverless cars might need a billion lines of code, meaning a lot of scope for loopholes.
The good news is there’s a massive profit incentive for anyone coming up with a robust solution, so tech giants, vehicle manufacturers and start-ups are all on the case.
For example, the Innovate UK-funded 5StarS project brings together experts from Horiba Mira, Ricardo, Roke, Axillium and Thatcham.
Richard Billyeald, chief technical officer at Thatcham, said: “The 5StarS consortium aims to introduce a new system of star ratings for the security of autonomous cars against cyber-attacks, like Euro NCAP’s ratings for the crash safety of cars.”