IBM is developing a security stack for connected cars as part of a wider strategy to secure vehicles against a growing range of hacking attacks.
Some describe modern cars as computers on wheels but for Martin Borrett, CTO IBM Security Europe the range of communication options (Bluetooth, 3G) and range of embedded computing technologies is turning vehicles into “small data centre on wheels”.
At this point the main threats come from white-hat researchers looking to test the security boundaries and looking for fame, as well as criminals who have harnessed technology to enable car theft by cloning entry systems or (potentially) hacking mobile phone apps to similar nefarious ends. These threats are likely to expand over time.
Connected cars are once again in the news following Chancellor George Osborne’s 2016 Budget announcement that driverless lorries will be trialled on UK roads this year, and driverless cars by 2017.
Connected vehicles offer advantages to car makers, such as the ability to proactively detect and respond to warranty and maintenance issues. Drivers get real-time traffic alerts, safety features and an increased range of in-vehicle entertainment options. However, along with these advances come the risks associated with system and vehicle security breaches, as well as concerns over data privacy.
Secure by design
Borrett told El Reg that car makers need to respond to these risks by using a secure-by-design methodology. Designing a secure vehicle needs to happen alongside creating a trusted supply chain, hardening a vehicle and creating a trusted maintenance ecosystem.
Multiple integrated levels of protection are needed. IBM's vehicle security stack features secure identities, secure data storage, secure access, secure communication, intrusion detection and protection, security intelligence and security of operations and execution.
IBM's vehicle security reference architecture
Public Key Infrastructure technologies underpin secure identity, communication and data storage. Big Blue teamed up with Giesecke & Devrient to develop a connected vehicle cryptographic security system. A crypto chip and key system for cars from the two firms was unveiled (auf Deutsch) at the International Automobile Fair in Frankfurt last September.
IBM has developed a prototype Intrusion Detection System which it has coupled to its well established security intelligence services. A lightweight agent on cars talks to back-end servers in the cloud that make sense of events and detect potential problems using Big Data analytic techniques.
Big Blue is talking to car manufacturers about its technologies. It’s yet to announce any reference customers. Borrett said car makers have a “heightened awareness” of infosec issues.
A recent presentation by Borrett on the security of connected cars, delivered at the mobile and cloud conference InterConnect 2016 in Las Vegas last month, can be found here. The talk was entitled Code is my co-pilot: Security & privacy in connected vehicles.
An IBM white-paper, Driving security: Cyber assurance for next-generation vehicles, can be found here (pdf). ®