Combatting the transport hackers

Over the last five years we have seen an explosion in the use of connected devices and services across the transport sector.

The development of in-vehicle apps is one example; everyone is used to apps on their smartphones and now expect to have access to the same apps when they’re in their car.

They expect to be able to stream media over the internet, from music to games and films for passengers. We’re also starting to see increased adoption of features such as smartphone-based vehicle unlocking.

Last year, NCC Group’s Transport Cyber Security Practice demonstrated how a connected car’s infotainment system can be wirelessly attacked via its DAB radio. Depending on the configuration of the vehicle platform, this can result in access to other connected “cyber-physical” systems that electronically control braking, steering or acceleration functions. This clearly shows the importance of cyber security and how it can directly affect the safety of vehicle occupants and other road users.

FOT_NCC_2

There are many areas driving developments in the automotive sector, including the insurance industry, which uses telematics data for premiums, and breakdown companies using location information to pinpoint where vehicles are.

We’re even seeing the concept of just-in-time parts-ordering emerge, where a connected car can alert a local dealership if a particular component is wearing out and the dealership can ensure it has one in stock before contacting the customer.

But cars are not the only form of transport using connected technologies. Aviation has seen significant advances, to the extent where passengers can watch content mid-flight using their own devices rather than via the traditional seat-back screen.

And passengers even have the ability to make phone calls, and send texts and e-mails through mobile devices while in the air. Such connectivity opens up the possibility of online ordering, so customers can make in-flight purchases of duty-free products and pick them up at their destination, meaning airlines can offer a wider range and don’t need to have items stored on the aeroplane.

Trains have similar infotainment systems to those seen on planes, including wi-fi access. They also have additional connectivity for the European Rail Transport Management System, which controls signalling and manages the location of trains throughout Europe.

Yet with this growing use of connected technology comes the threat of attack, either from cyber criminals or those intent on causing disruption. Much of this applies to all modes of transport.

GPS, for instance, provides both location data upon which autonomous vehicles rely for safe driving, and accurate date and time information used to manage timetables and schedules. New concepts such as truck-platooning, where trucks drive close together to conserve fuel, also rely heavily on GPS, so anyone tampering with information could cause chaos and even deaths.

Cyber attacks are a growing concern. Organised criminal gangs are expected to be the first to target vehicles as a means of making money through ransomware attacks or stealing financial data. Another major concern is the storage of payment card details and personally identifiable information on such devices.

Intellectual property is at risk too. Some of these vehicle systems contain sensitive algorithms, which manufacturers have spent millions of pounds on developing, and these could be the target of an industrial espionage attack.

Andy Davis NCC Group

Andy Davis
NCC Group

For manufacturers, the problem is that many embedded devices were originally developed as standalone units, with no intention of them one day being connected to other devices or networks, so they often do not employ the same security practices as a connected system would have. With the rising demand for external connectivity of vehicles, these older embedded systems are being exposed as weak links from a cyber-security perspective.

The solution to this is two-fold. It takes a long time to build a new vehicle platform so manufacturers need to understand how to add connected functionality within existing legacy systems securely. But for next-generation platforms, makers need to design in security at the outset and think about how this needs to be applied at each stage of the product’s life.

This secure development life cycle goes all the way from design, development and implementation through to ensuring you have an incident-response plan in place. If your system does get attacked, or someone talks at a hacker conference about a vulnerability they have found without disclosing it to you first, an incident-response plan will help you to manage the information flow to customers.

From a preventative perspective, at NCC Group we also use security assurance concepts, such as threat modelling, where you can look at all the different entry points from the perspective of a hacker and understand what you would potentially be able to achieve by attacking these points.

NCC Group has a dedicated Transport Cyber Security Practice that regularly provides assurance to clients in this sector across the globe. The practice focuses on five main areas: automotive, maritime, aviation, rail and space. The potential for commercial space flights in the years ahead, along with the growing use of satellite technology means there is already demand for cyber security in this area.

The message to manufacturers and developers is clear. It’s never a cost-effective or efficient approach to add a security solution as a bolt-on to a finished product. Such measures need to be designed in from day one, helping manufacturers create products that can better withstand cyber attacks, and to give customers peace of mind when using connected devices, regardless of the mode of transport they are using.

For more information about how NCC Group can help your business please visit www.nccgroup.trust