OnBoard Security’s Chief Technology Officer, Dr. William Whyte, has been involved in Vehicle-to-Everything (V2X) communications security for nearly 20 years. He is the editor of the IEEE 1609.2 security standard and has consulted for numerous automakers, the US Dept. of Transportation (DOT), and transportation organizations around the world. He is frequently asked to explain V2X security and give insights on potential vulnerabilities in the system.
Q: Is there any part of the complex connected vehicle system that you feel is the most vulnerable to cyber threats?
WW: I would first focus on the security of back-office systems that sign infrastructure messages like MAP (intersection geometry) and TIM (Traveler Information Messages, such as evacuation warnings). These are hard to secure and accessible over a public network, and usually are distributed from legacy data centers that often don't have the best physical access security.
From the point of view of Onboard Units (OBUs) and Roadside Units (RSUs), I think that the testing community is good at evaluating communications security -- i.e. interfaces -- but hasn't yet got a good program in place for testing operating system security -- secure boot, secure upgrade, proper application sandboxing, etc. However, what we've seen in the Pilot Deployments is that a lot of vendors are self-certifying that they're meeting these device requirements, so it seems that the supplier community is ahead of the testing community here.
Q: Why is it so hard to protect vehicles from cyber-threats?
WW: For the same reason that IoT devices in general are poorly protected -- there's a tension between allowing logical access to vehicles to get the benefits of information sharing, and preventing logical access so we don't get hacked. The people who are excited about providing access don't always think to talk to the people who know about security. Technically it's difficult because there are so many different software subsystems on a vehicle and they are typically implemented separately and can't all undergo proper security testing. Remember that a vehicle is a big systems integration effort, and what we saw from the Autosec paper "Experimental Security Analysis of a Modern Automobile" is that the vulnerabilities were often in the code that glued the components together.
Q: What have we learned from the IT industry to make the job easier?
WW: The key takeaways are developer awareness and management commitment to designing security in from the start. Doing things securely isn't hard, it just takes patience, discipline and a systems approach. Secure coding takes longer than doing things insecurely, but so does writing quality, durable code that will operate in a vehicle for thirty years, and automotive OEMs already know how to do that.
It's exciting to see the increase in a commitment to security from OEMs. For example, during a recent engagement we were asked to use formal analysis tools to ensure that a cryptographic protocol that an OEM was using was correctly designed. That shows a level of sophistication and commitment on the part of the OEMs to state-of-the-art security practices that's very promising for the future.
Q: V2X is said to be the most secure transportation mechanism ever to be deployed. Is this true and if so, how and why?
WW: The most secure transportation mechanism is having no transportation mechanism! But V2X has the advantage that security is being built in from the ground up and there has been consistent buy-in to doing security correctly from all the stakeholders – US DOT, Crash Avoidance Metrics Partnership (CAMP), individual OEMs, and suppliers. Another helpful factor has been the long lead time, allowing us time to work on the security standards and ensure they meet all the requirements.
Q: What have Federal Highways and the National Highway Traffic Safety Administration (NHTSA) Researchers accomplished in vehicle cybersecurity to date?
WW: They have done great work in raising cyber-security awareness and conducting some interesting research in hacking individual cars. A significant indirect contribution has been the creation of a culture wherein the automotive community is more comfortable discussing security challenges.
Q: What is OnBoard Security’s plan for future research?
WW: Intrusion detection, secure software platforms, and efficient and scalable key provisioning and management are the low-hanging fruit in vehicular cybersecurity -- there's lots of work that can be done relatively cheaply yet have a high impact. This is where we are focusing our effort.
Q: Where does the automotive community come together to ensure the public remains secure within their vehicles?
WW: There are lots of great initiatives underway. The Auto-ISAC (Information Sharing and Analysis Center) enables the coordination and dissemination of information on automotive security. SAE J3061 is an automotive standard for cybersecurity best practices and SAE J3101 is a standard for in-vehicle hardware security. And the SCMS (Security Credential Management Systems) have documented requirements for software and Operating System security.
A major new phenomenon is the clear sense of urgency and commitment on the part of the automotive management teams to seeing these initiatives through to production. We're witnessing growing cyber security awareness; however (and we're not looking to criticize the community here), this remains an area where there could be even more focus on driving secure systems methodology and best practices into production systems in parallel with the increased vehicle connectivity that has characterized the industry over the last few years.