Meeting the security challenges of connected vehicles

IBM Distinguished Engineer, Chief Architect Internet of Things Security, IBM

“Security is paramount for the safe and reliable operation of IoT devices. It is, in fact, the foundational enabler of IoT.”

Connected vehicles are generating a lot of positive buzz around their potential safety and reliability benefits; however, there are also concerns that they are not as secure as they should be. In this Q&A with Tim Hahn, chief architect, Internet of Things security at IBM, he addresses the challenges facing automakers as this technology becomes more common.

What are some of the biggest security challenges for connected vehicles?

As vehicles become increasingly connected, manufacturers must adapt to emerging cybersecurity needs. Like any IT system, vehicle networks and devices are susceptible to manipulation, and risks range from vehicle safety to personal information exploitation. While the connected car offers vast benefits, including increased passenger safety and vehicle reliability, such access can also open the door to malicious software that could potentially disrupt a vehicle’s critical systems. Also, malware could remain unnoticed on a system and siphon personal information from linked devices. The new automotive landscape provides many challenges, but just as many opportunities. 

Adding to the challenge, automakers typically have a long list of suppliers, internal teams, partners and even the consumer sharing responsibility for keeping various elements safe and secure. The good news is that connected car security doesn’t require a revolutionary approach. The core techniques and technologies that have been honed over years of research and development can be applied and extended to address the unique requirements of the Internet of Things (IoT).

What are some important capabilities to consider?

Security at both the device and network level is critical to the safe and reliable operation of connected devices. Automakers can leverage key management technologies and best practices, such as encryption, authentication and authorization, to ensure sensitive information being exchanged between connected vehicles and the underlying infrastructure cannot be breached or compromised. They need reliable controls to help ensure communications are given proper priority. For example, a message to a vehicle’s emergency brake system is clearly more critical than to the entertainment systems.

In addition, many connected devices in the future may have highly constrained resources that can't be easily or cost-effectively upgraded. But they will need protection over a very long life span. This increases the importance of cloud-based security services—with resource-efficient, device-to-cloud interactions.

Will the industry’s move to more open platforms create additional security challenges? 

Just because a network or technology is considered to be closed or proprietary is not an indicator of the level of that environment's security. In the world of security, systems aren’t considered well-vetted until they are out in the open and subjected to public scrutiny. Exposing your environment to potential attack is actually a good thing because it allows you to identify and correct potential vulnerabilities that might not have been present at the time of original design. “Security by obscurity” isn't an effective strategy.

How is IBM helping automakers improve connected car security?

IBM has long been a leader in security innovation and investment. We’re working to embed security analysis capabilities directly in vehicles so that security-related issues can be detected and addressed closer to the source. We're also working with device and processor manufacturers on methods for securing IoT devices over their lifecycle, which starts with cryptographic material insertion in the IoT device processors and registering the processors in a secure registry at fabrication.

Security is related to safety, but it’s not the same. Safety keeps occupants safe from physical danger. Security deals with attacks and anything that may cause the vehicle to become unsafe. New attacks are always being discovered, so security is never done—it's ongoing. IBM is in it for the long haul.