New Government guidance aimed at protecting connected company cars and vans from hackers has been welcomed by cyber security experts. However, they are calling for more detailed guidelines and urged manufacturers to review their use of open source components.
Fleet operators are also being urged to ensure that their fleet management software matches the increased levels of data security.
Yoni Heilbronn, CMO at Argus Cyber Security, told Fleet News: “The reality we face today is that as vehicles become increasingly connected they are becoming increasingly vulnerable to malicious attacks.
“The Government’s new guidelines requiring automakers to put automotive cyber security protections in place from vehicle development are certainly a positive step. This move, as well as recent legislative developments in the US Congress, signals to original equipment manufacturers (OEMs) that they need to take action.”
Black Duck Software, which helps firms secure the open source code elements that make up much of today’s software applications, says the principles detailed in the new guidelines follow “good security practices”. They include the principle of board-level support, risk assessments both internally and through the supply chain, and a plan for addressing vulnerabilities as they arise.
The Department for Transport (DfT) guidelines also insist the security of software is managed by manufacturers throughout its lifetime.
Mike Pittenger, vice president of security strategy at Black Duck Software, said: “A growing set of open source components is making its way into motor vehicles, channelled through countless supply chains in every part of the automotive ecosystem.”
Black Duck’s research shows open source components are present in 23% of automotive applications. “While this accelerates development, these components, like all software, are also subject to security vulnerabilities,” he said.
“When a supplier or auto OEM is not aware of all the open source in use in its product’s software, it can’t defend against attacks targeting vulnerabilities in those open source components.
“As open source use continues to increase in the auto industry, effective management of open source security and licence compliance risk will become increasingly important.”
Ilia Kolochenko, CEO of web security company High-Tech Bridge, added: “We need much more detailed practical guidelines with contribution from leading cybersecurity experts, practitioners and researchers, not just a set of generalised best practices.
“Moreover, a violation of the guidelines must be severely sanctioned otherwise car vendors, and especially their suppliers, will likely ignore them.”
Next generation fleet software will also have to adapt to the increased levels of data security required by connected cars and vans.
Ashley Sowerby, managing director of Chevin, said: “There are many important factors businesses need to consider when managing their fleet information, the first of which should be whether their software system is adequately secure.”
Official accreditations, such as ISO 27100, formally acknowledge that providers are committed to data protection issues.
“Software companies should also be striving to achieve these accreditations if they do not already have them in place,” said Sowerby.
“Hierarchical user permissions within a system are also essential in order to control who has access to certain levels of data.
“Drivers, for example, will not need access to the same level of intelligence as fleet managers, and authorisation should depend on job role versus data sensitivity.”
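Sowerby's description of hierarchical permissions, where authorisation depends on job role set against data sensitivity, is the textbook clearance model. The added example below (not Chevin's product or code) implements it for a hypothetical fleet record: each role gets a maximum sensitivity it may read, each data field is classified, and anything unknown on either side is denied by default. The role names, field names and classifications are all constructed for illustration.

```python
from enum import IntEnum
from typing import Any, Dict, List, Optional


class Sensitivity(IntEnum):
    """Ordered classification levels; higher is more sensitive."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# Hypothetical job roles mapped to the highest sensitivity they may read.
# Constructed for this example; a real deployment would load this from policy.
ROLE_CLEARANCE: Dict[str, Sensitivity] = {
    "driver": Sensitivity.INTERNAL,
    "fleet_manager": Sensitivity.CONFIDENTIAL,
    "security_admin": Sensitivity.RESTRICTED,
}

# Constructed classification of the fields in a fleet record.
FIELD_SENSITIVITY: Dict[str, Sensitivity] = {
    "vehicle_registration": Sensitivity.PUBLIC,
    "own_trip_log": Sensitivity.INTERNAL,
    "all_drivers_location": Sensitivity.CONFIDENTIAL,
    "telematics_api_key": Sensitivity.RESTRICTED,
}

# Denied requests are recorded so that repeated probing of higher-sensitivity
# fields shows up in review rather than silently returning nothing.
DENIAL_LOG: List[Dict[str, str]] = []


def can_access(role: str, field: str) -> bool:
    """Return True only if the role's clearance covers the field's classification.

    Unknown roles and unclassified fields are denied: the safe failure mode is
    to withhold data until someone has classified it.
    """
    clearance: Optional[Sensitivity] = ROLE_CLEARANCE.get(role)
    level: Optional[Sensitivity] = FIELD_SENSITIVITY.get(field)
    if clearance is None or level is None:
        DENIAL_LOG.append({"role": role, "field": field, "reason": "unknown role or field"})
        return False
    if level > clearance:
        DENIAL_LOG.append({"role": role, "field": field, "reason": "insufficient clearance"})
        return False
    return True


def filter_record(role: str, record: Dict[str, Any]) -> Dict[str, Any]:
    """Return only the fields of a record that the role is permitted to see."""
    return {name: value for name, value in record.items() if can_access(role, name)}


if __name__ == "__main__":
    # Constructed sample record for one vehicle.
    record = {
        "vehicle_registration": "AB12 CDE",
        "own_trip_log": ["depot -> client A", "client A -> depot"],
        "all_drivers_location": {"driver-07": (51.5, -0.1)},
        "telematics_api_key": "placeholder-not-a-real-key",
    }
    for role in ("driver", "fleet_manager", "security_admin", "contractor"):
        print(role, "->", sorted(filter_record(role, record)))
    print("denials:", len(DENIAL_LOG))
```

The ordering in `Sensitivity` is what makes the check a single comparison; the two explicit `None` checks are what keep a typo in a role name or a newly added, not yet classified field from becoming an accidental grant.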
Meanwhile, the Institute of the Motor Industry (IMI) is urging lawmakers to focus on the technicians that work on the vehicles, too.
Research conducted by the IMI earlier this year suggested many drivers and passengers are unaware of the security risks of today’s connected vehicles. Half of the people it surveyed said they were not aware that their car is open to cyber-attacks, much like a home computer, and that it could be controlled and stolen using Wi-Fi to access the on-board computer systems.
Steve Nash, IMI chief executive, said: “Computer diagnostics, vehicle programming and software updates are commonplace in the motor industry. However, with the sector currently unregulated and no national standards in place it’s not always possible to track the people who may have access to our personal information.
“We are working hard to get the Government to address this area as well as the creation of systems at the manufacturing stage, so motorists have confidence they are not at risk.”