
Driving forces accelerating and decelerating connected car security

Although the automotive industry isn’t particularly new to data or telematics, competitive forces are placing huge pressure on manufacturers to figure out how to actually use all these data. What’s new is the imperative for manufacturers to analyze data in real time, and even predictively, and to leverage it meaningfully in ways that drive value.

Driving force #1: The pace of innovation

The pace of innovation is moving faster than the automotive industry can handle.
The reality is that vehicle manufacturers are finding themselves caught in a conundrum of lagging innovation and never-ending disruption. Automotive manufacturers have traditionally operated on a five-year cycle of innovation, but in the world of networked technology and services, five years is a lifetime. The result is that the pace of technological innovation is barreling along while auto manufacturers struggle to stay competitive today, never mind tomorrow. In-car infotainment systems are one area of intense competition today: where manufacturers once saw this real estate as differentiating, the speed of innovation and the ability to push out software updates and new features, driven by mobile giants, now far outpace most auto OEMs.

Driving force #2: Technological innovation begets more innovation … and risk

Forces driving secure and effective adoption transcend OEMs themselves. Standards play a central role in the ability of cars to “talk” to each other (never mind to outside service providers), whether to exchange position, location data, speed or other information in real time. While technological standards remain fragmented, many governments (particularly in Europe) are beginning to embrace the potential safety benefits of connected cars. Already subject to heightened regulatory requirements, this industry will either benefit or suffer from governments’ and related agencies’ alignment with, openness to or rejection of the rules, investment and communications infrastructure necessary for a connected or autonomous car environment. This, in addition to expanding LTE, wireless and low-power connectivity infrastructures, will accelerate adoption-friendly environments.

Meanwhile, existing and emerging technology companies — namely Google, Apple, and Tesla — symbolize traditional automotive manufacturers’ greatest competitive threats. These companies are leveraging world-class mobile, hardware-software design and more rapid R&D sensibilities to [potentially] leapfrog traditional auto OEMs. Who will dominate the in-car app ecosystem? Manufacturers, ISVs, third parties? While partnerships and alliances in other venues suggest the need for such collaboration in automotive, can each of these entities ensure adequate security across the ecosystem?


Connected car security

Introducing new technology often begets more technology. Such is the case for identity management within a vehicle. Connecting components, software, applications and other services doesn’t just create [the potential for] value and risk; actualizing and securing such a network requires that each take on its own identity. The identity of the user, of the car, of the connectivity mechanisms, of the apps and of other devices becomes central to security, so that only those authenticated can control the car, communicate with it or from it, and make changes to any part of the system. Herein emerges more friction. For instance, cars often have more than one driver. Passengers (e.g., a child interacting with the infotainment system) may require their own identity management mechanisms. The second-hand market has a distinct set of identity needs (e.g., wiping user identity but not car component identity). And so we see the emergence of identity management platforms to address a poorly understood but critical requirement in the connected car security story.

The roles each of these forces plays across connected car security, privacy, and safety are critical — not only for improving the functionality and driving experience, but to address adoption concerns as well.

Driving force #3: The driver’s experience

Across all industries, the human-machine relationship is evolving — this complex, cultural and curious behavioral adaptation is only magnified in the automotive sector. While consumers have embraced mobile technology rapidly and pervasively, data suggests we may value different elements in a driving context. A recent Telefonica study found that consumers are less interested in typical personal computing activities such as social networking and downloading applications while driving, and place greater value on safety and utilitarian features such as accident avoidance, navigation, diagnostic testing and maintenance alerts. But while convenience appeals, half of consumers surveyed by Veracode still express significant concerns related to the security of driver-aided applications like adaptive cruise control, self-parking and cars sharing data with other cars.

A second area of interest is which party takes responsibility when security-related issues arise. Enter the question of liability — a question of uncharted legal territory and precedent not only because data ownership norms are poorly understood, developed or standardized, but because — regardless of legality — security introduces a wide range of potential nightmares from a brand and PR standpoint. Today, 30% of drivers feel that if they download an app that poses a security threat to the vehicle system, they should not be liable (i.e., it should either be the manufacturer, app developer or app store who is liable).

Driving force #4: Interoperability

Another important dynamic in this story is that of interoperability and how end user experience design introduces new security risks. The most seamless connected experiences are those which are integrated and interoperable across multiple devices, apps, environments and scenarios — from parking the car to automating home lighting to leveraging a mobile device to sending an alert to work, back to the car and so on.

OEMs like Ford and Mercedes are partnering with connected home device manufacturers and platforms to measure energy efficiency by integrating appliances with electric vehicles. A company called Aricent offers drivers the ability to control their homes remotely from the car by connecting the car’s network to the home network via LTE. The very utility of emerging “value-added apps” relies on interoperability, from smart parking to real-time/geo-based services to personal or municipal notifications.

Connected car data transfer

End user experience, and thus adoption, relies on this integrated structure to extract the greatest value and convenience. Put simply, a seamless user experience is a function of a seamless data transfer requiring as few apps as possible. Interoperability is important for OEMs and technology suppliers to understand in a security context for a number of reasons:

  1. Interoperability expands the system: Suddenly the “system” of the car expands into the home, across devices and into work and municipal environments, never mind third-party service providers. For manufacturers, these non-proprietary apps spell increased vulnerability and potential liability.
  2. Interoperability introduces strange bedfellows: The imperative for interoperability means automotive OEMs must forge partnerships, alliances and/or collaborations across ecosystem constituencies that were previously irrelevant.
  3. Interoperability often requires new business models: Interoperability means data flows freely across previously “closed-off” boundaries. Ecosystem interactions based on such data exchange require OEMs to shift from a purely product-centric business model to one driven by ongoing service enhancements and new value creation leveraging new stakeholders.

Although on their face these impacts may seem irrelevant to the security, privacy and safety of a connected car, the reality is that each translates to a wider security threat surface and thus more security threats, actors, stakeholders and risks.

Driving force #5: Security solution landscape is highly fragmented

Today, security solutions providers vary widely in approach, coverage and size. For widespread adoption of “smart” vehicles to occur, connected technologies require security solutions that simultaneously and cooperatively address the broad and diverse layers of any IoT architecture. Across vehicles, devices, networks and applications, solutions will take different forms, and different companies take different approaches. Argus Cybersecurity, for instance, addresses automobile security by providing a suite of security solutions that address new and after-market needs. Towersec exemplifies another approach, providing unique firewall protections based on the system, with a focus on mission-critical systems, telematics systems and infotainment systems. Meanwhile, a host of security or safety-focused start-ups like SmartDrive, Lytx and Navdy add a new angle to the competitive story, not only because they address driving safety, but because some sell directly to the driver, not the manufacturer.

Security management is becoming increasingly important for connected cars to minimize potential hacking threats. According to Harbor Research, ADAS suppliers are embedding security measures and driving the overall security management applications revenue from $2.0 billion in 2015 to $8.8 billion in 2020.

Regardless, the obligation rests on OEMs to arm vehicles and devices with the proper technology to safeguard all endpoints as much as possible. This includes ensuring proper authentication and authorization (for networks, devices, etc.), as well as transferring security parameters to allow for trusted operation. Network security mechanisms are central to ensuring entrusted operations and to preventing attackers from endangering or modifying the expected operation of networked things or accessing secure data. Beyond the architecture for connectivity, the dizzying array of “value-added applications” also requires security through tools that guarantee only trusted instances of applications are running and communicating with each other. Across all of this, security solutions must coordinate with each other in order to constantly mitigate risk and vulnerability across the entire system.

All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.