How to Deal with Cyber and Information Security in a Connected Car

Connectivity plays a critical role in the future world of mobility and security is increasingly becoming a major concern for businesses and customers, especially in connected vehicles as security acts as a foundational requirement. In our interview with Tim Best, Director of EMEIA Advisory Center and an IT & Cyber Security subject matter lead and Monika Menz, Senior Manager, IP & IT Data Privacy subject matter lead of a Management Consulting Firm explains the main challenges associated with cyber- and information security and how to overcome these challenges.

What are the characteristics of a connected car?

The connected car is a manifestation of the Internet of Things (IoT), albeit a far more complex and connected one than many other IoT devices, such as a fitness tracker or a smart meter, which commonly have a single connection.

The connected car has multiple connections which can be thought of as networks. Therefore, the connected car lives and operates in a network of networks.

Why is cyber- and information security an issue with connected cars?

The connected car is only as secure as the network in which it operates and given that it operates in so many networks, for example, infotainment, road toll systems, local government services, navigation, technical services, insurance vendors, etc., it has a large attack surface creating multiple entry routes into the network and the car as part of network of networks. The attack surface is extremely difficult to protect from a cyber security perspective.

What are the main challenges in dealing with cyber- and information security?

To date, cyber security has been built into the connected car through complexity. Each Electronic Control Unit (ECU), which controls a function of the car, is typically designed and built to be unique as compared with other ECUs in the car.

This is done under the assumption that if one ECU is compromised by a successful attack, the same attack will not work on other ECUs. However, each ECU has its own supply chain for its components and a lead time of many years from design to production.

New cyber security vulnerabilities and exploits emerge on a daily basis in complete contrast to the development lead time of the ECU. The lead time also means that OEMs (Original Equipment Manufacturers) are unable to innovate as freely as they would like.

Are there legal barriers or limitations to deal with data in connected cars? What does the legal framework look like?

The legal framework looks like a patchwork with quite a few pieces missing for the time being. For the applicable legal framework the first relevant distinction is whether personal data are collected and processed in connected cars or not.

The definition of personal data within the EU is much broader than one would expect: if a person might be identifiable by such data they are deemed as personal data. If the data in connected cars are qualified as personal data, the European legal framework limits the possibilities to deal with data in connected cars.

In short, the use of personal data (within the EU) in connected cars will require for most purposes the consent of the individual. If no personal data are collected the legal limitations derive from another uncertainty: the concept of data ownership is not generally accepted in various jurisdictions.

Therefore, a clear statutory guidance is missing. For the time being, contractual relations between the car owner (or driver) and the provider of connected car services are used for answers.

What barriers need to be overcome in society?

In order to secure the network of networks, OEMs, suppliers and customers must collaborate far more than they do today. A trust model is necessary, in which levels of trust are earned and established between entities in the network(s) and this trust is then shared with other entities.

What rules do we need for cyber- and information security?

Businesses need to establish very early a solid legal understanding of data ownership and data protection policies. Issues around data protection do not have a uniform answer yet and requires more work from the angle of cybersecurity.

How can those rules be implemented? Who can (or should) implement them?

The concept of Collaborative Security can address this. As the organizations look beyond their borders, they will necessarily start to share security-related information with their partners and even with their competitors in a particular market.

Everybody needs to see that “an attack on one of the participants is an attack on all,“. . Sharing information, establishing joint monitoring and auditing of the networks and forging common standards are urgent areas to work on.

As we are more connected than ever in our cars, do you think automakers are doing their part to ensure the safety and privacy of our personal data? Share your opinion in our comment section.

Please note that this article expresses the opinions of the author and does not reflect the views of Move Forward.