ENISA report on cyber security of connected vehicles
December 2019 by Marc Jacob
ENISA recently released a report on the cybersecurity risks to connected cars and outlined best practice measures to help mitigate them. Following the release of this report, Rusty Carter, VP of Product Management has shared his thoughts:
“As ENISA has stated in its report, the automotive industry is undergoing significant change towards connected and autonomous vehicles, and vulnerabilities within the ecosystem of the vehicle present a threat to the safety of the vehicle, and the user’s information and privacy. Furthermore, the report shows critically that vulnerable systems within the vehicle can be compromised and co-opted to be used against backend systems and APIs. Following the good practices outlined and preventing damaging attacks ultimately requires protection of the systems and applications within the vehicle and between the user and the vehicle (such as mobile applications), while providing proof of integrity to back-end systems (and vice versa) so that one part of the system isn’t used against the other.
As connected vehicles are being designed and rolled out, there are a few areas of security that aren’t being addressed strongly enough. Notably, mobile applications that access and control systems, including access and operation, are lacking in protection needed to prevent the theft of intellectual property and data that if lost could result in vehicle theft. Also amiss is integrity and tampering protection (and reporting) of system applications that if modified could alter the behaviour of the vehicle.
One way to help combat the lack of security in these areas is through the use of threat analytics. Threat analytics, and the ability to detect and respond to vehicle threats and attacks, is fundamental to maintaining security. It is not enough to have a separate security system to watch over various vehicle systems, because that will invariably become the hottest attack target and a single point of failure. Ultimately, threat analytics that is built into the prevention and detection capabilities of the various apps and systems themselves will prevent removal or compromise, and lead to a long-lasting security posture for the vehicle and manufacturer.”