The future of connected and autonomous vehicles (CAVs) depends on a number of factors, and one of the most vital ones is cyber-security.
Protecting the vehicles, the highways and the infrastructure that support them is now seen as one of the key elements to accelerating the technologies. One emerging technology that will inevitably have an impact on vehicle-to-everything (V2X) communications is cellular-vehicle-to-everything (C2X), which the GSMA explains is “designed to connect vehicles to each other, to roadside infrastructure, to other road-users and to cloud-based services”. The aim is to enable intelligent transport, which also needs be secured.
So, what are the cyber-risks that could impact V2X communications and infrastructure, as well as the safety of connected and autonomous vehicles? Well, according to Jaeson Yoo, Chief Security Officer at Autocrypt, the line between cyber-risks and human safety “are becoming increasingly blurred every year”. Cyber-risks can impact on the safety of CAVs directly, and a hacking event could in the worst case scenario lead to an accident causing loss of life.
Yoo explains: “After all, if data transmissions can be manipulated by hackers, this can undermine real-life safety. Successful attacks on communications infrastructure can affect all endpoints, including vehicles. Simply put, the costs of cyber-security negligence can no longer be tolerated. Unlike the past, cyber-attacks are no longer limited to embarrassment, loss of brand reputation, or even financial loss. In V2X communications and infrastructure, this could mean the life of not just the driver but so many more lives become highly vulnerable.”
Network node dangers
Moshe Shlisel, CEO of GuardKnox Cyber Technologies takes a look at it from an electric vehicle perspective, highlighting that connected and autonomous vehicles are going to be the most important nodes within the wider network of the automotive Internet of Things (IoT). He warns: “If you can hack a car, you can hack every car or infrastructure that is connected to the car. From the charging station you can connect to the grid, and then to the power plant, which becomes a national risk. Nobody is taking responsibility for mitigating this risk – worldwide.
“Secondly, all the pieces of infrastructure such as traffic lights can be controlled by V2V or V2X, and hackers can remotely control the traffic lights and control the traffic in the city. The fact that the car is being connected to the city infrastructure, and the car itself is not protected, can jeopardise the daily life of a city.”
Shlisel points out that that even Hollywood has known about this potential risk for quite a while. In the Batman film, The Dark Knight, traffic is being controlled remotely. So, if you have a vehicle connected to mine, to the car around me and to the infrastructure, there is a significant risk of cyber-attack and of an adverse event taking place, including a crash, if they aren’t sufficiently protected. The hacker could hop from car to car too, making the situation far worse.
He cites scenes in the movie Fast and Furious 8 as an example of what could occur. “It may look like science fiction but it is reality and it looks like a Doomsday approach,” he adds while claiming that the infrastructure that is being created to support V2X communications and CAVs themselves is inherently unstable and insecure.
He explains why: “A vehicle, or even a logistics transportation company, may be hacked by someone who wants to gain an economic advantage over competitors. Most importantly, if someone hacks the vehicles, it becomes a huge risk for the entire economy because the vehicles are acting as network nodes.”
Consider security seriously
Dr Ehsan Torieni, assistant professor in the department of computer science at Durham University, thinks that the cyber-security of V2X communications platforms isn’t been considered seriously enough. So, how can V2X communications be secured to ensure that cyber-criminals don’t cause injury, death or financial hard to anyone – noting that ransomware could be one of the risks?
I answer to this question, he said: “You can’t make communication of this nature bullet proof but you can make sure they follow the secure design principles. Careful implementation of the protocols will definitely ensure a reduction of the risks, and the adoption of verifiability mechanisms such as formal methods are always great help to discover shortcomings and vulnerabilities.”
Ransomware, according to Yoo, also represents a potentially significant risk. A car owner, a driver, or a service provider, a local authority, or an infrastructure provider could be held hostage by cyber-criminals who lock systems and data with the aim of extorting them for a ransom. A ransomware attack could halt V2X communications, for example, altogether.
He explains what the likely impact of such an attack could be: “Not having V2X communications available could mean a significant decrease in traffic safety, so in a V2X environment, it is absolutely critical that trustworthy data is being transmitted on a continual basis. Cybersecurity, furthermore, is the key foundation by which these transmissions can be trusted by everyone on the road.”
Need for standardization
Shlisel says V2X communications and CAVs themselves should therefore be developed by using the secure-by-design methodology: “I believe we need to create some kind of NCAP test for cyber-security, and that drivers will know the level of security the vehicle provides – whether it is safe for its passengers.”
With increase public visibility of cyber-security, and by allowing consumers to say, ‘Well, that’s not secure, I’m not buying it!’, there will be an impetus to take cyber-security more seriously. “The vehicle is the densest area in the world where loved ones gather and this area should be safe and secure,” he emphasizes.
To tighten cyber-security, including for V2X communications, he argues that there needs to be an adoption of uniform standards when designing anything to do with connected and autonomous vehicles. “Self-regulation is not enough and automakers must learn from other industries – requiring a huge paradigm shift in the automotive industry as everything is connected and can be remotely controlled,” he said. Connectivity is going to increase and so the time is to act now. “With 5G, and one day 6G, the main issue will be whether it is secured or not,” he claims.
Focus on the endpoints
Meanwhile, Yoo says there is a need to first of all focus on the endpoints, including on the vehicles, because they need to be trusted by the infrastructure via PKI authentication and vice versa. His reasoning is that it, “ensures that the only software module reading a certain message is specifically authorized to do so”.
“Second, all transmissions between entities needs to be encrypted not only to preserve the integrity of the data being sent back and forth, but also to promote privacy protection. Third, all infrastructure and endpoints need defense mechanisms that are resistant to cyber-attacks.”
Despite the risks, Torieni is confident that the future of V2X cyber-security is going be much better than it is now: “The device2device communications has been evolving very rapidly and security is a serious concern. Of course, the attack methods and tactics will always evolve for more complicated scenarios, but if the cryptography and protocol design have been developed and implemented carefully, then the chances of a widespread attack is limited.”
Yoo concludes that cars are getting better at recognizing their immediate environment, and he claims that roads are getting much smarter too. “For example, roadside infrastructure today can be used as a way to transmit important traffic safety information through V2X technology,” he points out. He predicts the modules on both vehicles and infrastructure will continue to get smarter, as they will be able increasingly make important decisions independently.
To reduce the cyber-security risks of V2X and of the vehicles themselves, he suggests that any V2X technological improvements “will certainly have legal and policy consequences in every part of the world that uses them”. Yet there is a need to implement cyber-security solutions before any connections are made. The modules will need constantly updating too for optimal security to frustrate the cyber-criminals.
by Graham Jarvis