Autonomous Driving: Cybersecurity important basis for broad acceptance
Surveys from TÜV Rheinland demonstrate: Approval for autonomous driving depends largely on IT security of systems and technology / Alliances for cybersecurity in autonomous vehicles as a task for the entire sector.
Beautiful new, mobile world: While the autonomously driving car glides over the streets as if by magic, the driver leans back in a relaxed manner, takes care of email correspondence using a tablet or mobile phone, watches a film or simply takes a nap.
The vast majority of Germans, Americans and Chinese trust the autopilot, but there are concerns about cybersecurity. And rightly so – cyberattacks on autonomous driving vehicles could have major consequences for passengers.
An experiment of a research team demonstrated that scientists could penetrate the electronics of a Jeep and were able to accelerate and brake the car remotely, as well as disable safety and protection systems such as airbags, ABS and door locks. To do this, they used a weak point in the software update function and hijacked the SUV via a mobile phone connection. As representative studies by TÜV Rheinland have shown, fear of cyberattacks is particularly pronounced in autonomous driving. Although three out of four drivers in Germany can imagine being chauffeured autonomously, around 60 percent are afraid that hackers will gain control of the vehicle. The decision-making behavior of autonomous vehicles in the selection of alternatives in the event of unavoidable accidents” plays just as decisive a role for motorists as the “controllability of complex traffic situations and the safeguarding of data. For the vast majority of respondents, it is also important that independent institutions such as TÜV Rheinland test autonomous vehicles and monitor data protection and security. Vehicle tests on the reliability of automation before delivery of autonomous cars are in first place (say more than 91 percent of the respondents).
Data protection has high priority according to studies
The same applies to the important markets of the USA and China. In order to trust autonomous vehicles in the future, car drivers want guaranteed data protection, protection from cyberattacks on the vehicle, and the ability to decide, at any time, whether to drive independently.
Most customers like the fact that the systems of future cars will be automatically updated on a regular basis to ensure safety in road traffic and against external attacks. In China, 80 percent of respondents are in favor of over-the-air updates, while 68 percent in the USA and 64 percent in Germany also favor over-the-air updates. In addition, protection against cyberattacks is so important to consumers in all three countries that the majority of respondents (Germany 66 percent, USA 61 percent, China 60 percent) would switch car brands based on known hacker attacks.
Autonomous driving is generally well received by the respondents. Nevertheless, they are aware of problems that may affect acceptance and constitute major barriers to the deployment of autonomous vehicles. The leading framework conditions of politics and industry is the possibility for Germans to drive themselves (53 percent), followed by the clarification of the legal situation (49 percent) and the guarantee of data protection (37 percent). Americans also give high priority (47 percent) to the possibility of taking over the tax themselves. The proof of functional safety through tests ranked second by a small margin (45 percent). Third place goes to securing the car against unauthorized access (43 percent). For the Chinese, securing personal data is particularly important (43 percent), even before guaranteeing data protection (40 percent) and securing the vehicle against unauthorized access (36 percent).
The cloud as a gateway for cyber pirates
“Interesting targets for cyber pirates are, for example, cloud services accessible from the Internet that communicate directly with vehicles, among other things. In theory, however, any externally available communication interface can be an entry point for an attacker. These can be the on-board WLAN, telematics services and infotainment, navigation and assistance systems,” says Dr. Benedikt Westermann, Lead Security Analyst at TÜV Rheinland.
The importance of cybersecurity has increased significantly in recent years. In addition, the impact of some prominent attacks shows how important the issue has become for our society and economy and highlights the vulnerability of personal data. This is also shown by the annually Cybersecurity Trend report from TÜV Rheinland. As early as April 2017, a series of hacking tools suspected of belonging to the US National Security Agency appeared via the previously anonymous group “Shadow Brokers”. In July 2017, attackers stole the data of 145 million people from the financial services provider Equifax. The Windows malware program WannaCry and the Trojan-based blackmail NotPetya followed and spread in over 150 countries. This led to ransom payments of more than two billion US dollars. The courier and logistics company FedEx attributed a loss of 300 million US dollars to the NotPetya attack alone. For some well-known automobile manufacturers, this even led to a production stop. These two infamous Ransomware attacks took advantage of the weak point leaked by Shadow Brokers. And the potential loopholes become more numerous with each interface.
It now seems easier than ever to buy blackmailer and pollutant programs on the black market or in Darknet and thus gain access to sensitive data. As businesses continue their digital transformation and users integrate “smart” devices into their daily lives, cybercrime is growing.
Growing threat to networked vehicles
As digitalization progresses, vehicles are also becoming increasingly networked. This increases the attack surface at the same time. From control panels to maintenance, repair and operations (MRO) programs with corresponding service management software to classic GPS, cars contain a considerable number of additional functions. Like other networked products, it can be assumed in the long term that the networked vehicle will also become the target of cyberattacks. Threats range from simple unauthorized data collection to more serious crimes such as vehicle or property theft and extortion.
For the exchange of data between the vehicle and the environment, TÜV Rheinland experts developed test methods to ensure functional safety and compliance with regulations. Only this creates trust and reliability for the forward-looking technology. TÜV Rheinland has the necessary expertise with references for the commissioning of autonomous shuttles, the application of safety concepts for test tracks for autonomous cars and the development of simulations, test scenarios and test environments for vehicles and their components.
TÜV Rheinland has also entered into a strategic partnership with Visual Threat to expand its services to prevent cyber attacks in vehicles and increase the safety of the next generation of vehicles. Based in California, Visual Threat is a leading provider of automotive cyber security testing and provides comprehensive vehicle security solutions for cyber attack defense. With test facilities, TÜV Rheinland’s experience and Visual Threat’s cybersecurity technology, the automotive industry and its suppliers have access to comprehensive test services that offer their products more protection against future cyber attacks and meet industry standards for secure operation.
Penetration tests for manufacturers and suppliers
Visual Threat’s Auto Cybersecurity Testing Lab provides penetration testing for manufacturers and suppliers and helps the automotive industry identify and address security vulnerabilities for the next generation of vehicles. The experts test the control devices, mobile apps for Android and iOS as well as the cloud services. The company’s laboratory enables an automatic cybersecurity test frame for motor vehicles. This includes more than 30 test points from the following categories: CAN bus probing, testing of individual ECUs as well as CAN communication testing for several ECUs. The tests can be performed either locally or in cloud-based modes. TÜV Rheinland’s portfolio also includes safety analyses of embedded systems (e.g. control units), product testing and robustness and vulnerability scans.
TISAX ensures information security
TÜV Rheinland is one of the world’s first authorized organizations to test information security according to TISAX, the Trusted Information Security Assessment Exchange. Service providers or suppliers to the automotive industry must prove at regular intervals whether they meet their customers’ high information security requirements. The basis is often the requirements catalogue of the Association of the German Automotive Industry (VDA) for Information Security Assessments (ISA). At the end of 2020, a trustworthy exchange mechanism was created for the new version of VDA ISA catalogue of requirements: TISAX serves as a cross-company recognition of information security assessments and analyses in the automotive industry based on a joint testing and exchange mechanism sponsored by the ENX Association, an association of European automotive manufacturers, suppliers and associations. Regular testing is carried out in accordance with industry-wide and internationally recognized standards and is carried out exclusively by accredited testing companies. This is intended to prevent service providers or suppliers from having to undergo identical inspections by customers at more or less short intervals.
UNECE Informal Working Group – Cybersecurity Taskforce
While manufacturers are steadily intensifying their security measures, they are working together with policymakers, industry and independent testing service providers on international cybersecurity regulations and standards for road vehicles, including in the UNECE Informal Working Group Taskforce Cybersecurity. This UN Cybersecurity regulation is set to become mandatory in the EU for new vehicle types from June 2022 and for all newly registered cars, trucks and buses from July 2024. “This regulation is another important step for safe driving. It obliges all manufacturers to consider the issue of cybersecurity throughout a vehicle’s lifecycle. In other words, from the development on the drawing board to the decommissioning of a vehicle,” explains Westermann.
Holistic testing in the automotive sector
In its long history of vehicle checks, TÜV Rheinland offers integrated inspections in the automotive sector. The TÜV Rheinland system is required for autonomous driving in particular. This applies in three ways: firstly for the classic homologation – i.e. road registration of new e-mobility vehicles -, secondly for the periodic general inspection – regardless of whether they are internal combustion engines or electronically powered vehicles – and thirdly for the topics of data protection and cybersecurity. For those who drive networked or autonomously driving vehicles, their movements are recorded. At the same time, possibilities open up for hacker attacks. For more than 20 years, TÜV Rheinland has been helping companies from numerous industries as well as public authorities and institutions to use innovative technologies securely.