Security Strategies

ATIS: Connected Car Security an Industry-Wide Issue

ATIS is weighing in on the heavy topic of securing connected cars, issuing a whitepaper intended to further promote collaboration between the communications sector and the automobile industry.

The whitepaper, "Improving Vehicle Cybersecurity: ICT Industry Experience & Perspectives," is just the latest step in efforts to make sure the software framework of connected cars is properly established to enable tight security in a complex multi-connection future for automobiles.

The Alliance for Telecommunications Industry Solutions (ATIS) is already a strategic partner of the Auto ISAC, or Information Sharing and Analysis Center, an industry organization that allows car manufacturers to share best practices and information on problems that arise, notes Tom Gage, CEO and managing director of Marconi Pacific and chair of ATIS' Connected Car Cybersecurity Ad Hoc Group.

"Connected car is arguably the biggest area of IoT where there is a high risk or certainly one of them," he says in an interview. "There is a high risk to software downloads and uploads, there is a high risk ultimately to vehicle control, there is high risk to a whole class of vehicles or a set of makes and models winding up with malware intrusion because of structure of software or their security firewalls work."

ATIS membership includes the wireless operators, who are already heavily engaged with the automotive industry already as well as the chip makers, software developers and others engaged in the connected car sector as well, so the organization's interest in seeing security well-established in this sector is strong, Gage notes. Each of those industry players is expected to be engaged in establishing a secure software framework for connected cars.

And while much of concern has been on how network connections into a car might increase vehicle vulnerability, there is also the possibility that a connected car becomes a vector in an attack on the network, says Jim McEachern, senior technology consultant for ATIS.

Want to learn more about how LTE-A Pro and Gigabit LTE will impact the 5G market? Join us in San Francisco for LTE Advanced Pro and Gigabit LTE: The Path to 5G event -- a free breakfast collocated at Mobile World Congress Americas with a keynote address by Sprint's COO Günther Ottendorfer.

One of the near-term goals of the white paper and collaboration effort is to establish a better set of best practices for securing connected cars, Gage says, but longer term, ATIS is hoping to "determine what the best structure is for securing the vehicles and securing the delivery of network functionality to those vehicles' communications paths," he says. "So we have innumerated the communication paths to the vehicle and we have recognized that there are a bunch of initiatives that we could undertake together."

Those are being proposed as discussion points, not in an effort to dictate outcomes, he says, but to raise things that need to be considered.

One example Gage and McEachern cite is the car that is connected via one mobile operator but might be carrying people connected via Bluetooth to the car but using other mobile networks and moving through locations where there are WiFi connections using still other network operators.

If any one of those connections is not properly secured -- including the car's own connection firewall -- then all are at risk, McEachern notes. That's why it's not enough to just secure the car itself, and why an industry-wide approach is required.

ATIS has been in conversation with the Auto ISAC for a year and is hoping the white paper focuses future discussions both with that group and with individual automakers, Gage says.

— Carol Wilson, Editor-at-Large, Light Reading

kq4ym 8/23/2017 | 5:15:35 PM
Re: Complacency - Still I wonder if there's already some coordination among those in the aviation industry to protect data and increase security of the avionics and digital devices in aircraft. If so, I would guess there could be some lessons learned from that group that would also apply to cars and land vehicles.
mendyk 8/10/2017 | 5:41:57 PM
Re: Complacency - Still There are lots of different aspects to "connected car" beyond the self-driving thing. But even just focusing on that, human error happens in isolated incidents. Security breaches have the potential to happen on a massive scale. We need to understand and accept that as we move into this brave new world -- just as we have to accept that no digital system will ever be 100% secure.
Carol Wilson 8/10/2017 | 5:33:08 PM
Re: Complacency - Still Well it could be argued that bad drivers kill more people than cyber-criminals on a regular basis. So self-driving cars that are secured to the best of the industry's abilities might still reduce the loss of human life. 
mendyk 8/10/2017 | 4:18:37 PM
Re: Complacency - Still In an age where we all pretty much can be frightened out of our wits by bad guys doing bad things on a massive scale, it's both reassuring and flat-out terrifying to know that we're still in eager pursuit of systems and technologies that would allow even worse things to happen. Gotta love the human race.
Carol Wilson 8/10/2017 | 2:08:05 PM
Re: Complacency - Still Good point Patrick, and one of the intentions of this initiative from ATIS is to look at the software architecture itself. It sounds like there are folks within the automobile industry acknowledging the issues and seeking solutions, but whether their voices will be heard at the top of their own companies might still be an issue. 
HardenStance 8/10/2017 | 1:26:51 PM
Complacency - Still  

Important article, Carol.

The extent to which insecure devices are filling up our homes is well understood. The ongoing deployment of insecure "things" in many enterprise uses cases is also well undesrtood.

The volume of flaws that are being revealed in connected car solutions by security testing is not so well understood, I don't think.

Some test results aren't just showing that a connected car solution vendor needs to go back and fix this and that but that, actually, their entire architecture needs be re-thought from the ground up from a security perspective.

That shouldn't be alarming from a safety perspective -  reputable car makers will ensure that insecure products never make it to the assembly line.

But it is sobering from an ICT ecosystem perspective in that it means that even in the case of  connected cars - which eveyone knows very well require bullet-proof security -  too many vendors still aren't living by the 'security first' mantra to a high enough standard.

Sign In