Having recently been in Maranello to see the unveiling of the new Ferrari F1 racing car, I want to return to the automotive theme for this post. Because coming up there’s a new chapter in the ~250-year history of the automobile. It’s a biggie in itself, but there’s a security aspect of this new chapter that’s even bigger. But I’m getting ahead of myself. Time to engage reverse, and go over this biggie first…
Of late, the headlines have been pretty interesting regarding the modern automobile– plus what one will look like in a few years to come. Examples: California will legalize the testing of self-driving cars on public roads, Swedish gravel trucks will load up, drive for miles and unload with no driver at the wheel, and KAMAZ has come up with a driver-less electric mini-bus. Google, Yandex, Baidu, and who knows how many other companies from different spheres and countries are developing driverless projects. Of course, some of the headlines go against the grain, but these are mere exceptions it seems.
And just recently I was at the food processing plant of Barilla (our client, btw) in Italy, and saw more automation than you can shake a spatula at: the automated conveyor delivers up tons of spaghetti; robots take it, package it, and place it into boxes; and driverless electric cars take it to and load it into trucks – which aren’t yet automated but soon will be…
So, self-controlled/self-driving vehicles – they’re here already, in some places. Tomorrow, they’ll be everywhere. And without a trace of sarcasm, let me tell you that this is just awesome. Why? Because a transportation system based on self-driving vehicles that operate strictly to a set of rules, has a little chance of degradation of productivity. Therefore, cars won’t only travel within the prescribed speed limits, they’ll do so faster, safely, comfortably, and of course – automatically. At first there’ll be special roads only for driverless vehicles, later – whole cities, then countries will be driverless. Can you imagine the prospects for the upgrade market for old driver-driven cars?
That out the way, now comes the interesting bit – the reason for so many words in this here blogpost. Let’s go!…
Actually, I think we all understand how bright the driverless future is. Here though, I’d like to look further than the horizon – and also under the hood. Automatic automobiles – that is, true automobiles – are just one aspect of the approaching industrial revolution. Everything becoming automated will affect the whole paradigm of personal transportation, including approaches to ownership and usage, associated standards, traffic rules, and, of course, cybersecurity.
‘Smartmobiles’ (a meme is born!) will create the biggest industrial network – V2X – Vehicle to Everything – in the world. Through this network smartmobiles will be able to communicate with one another to help each other out: If an ambulance is speeding along with its siren blaring – cars will get out of the way in good time so the ambulance can get to where it’s going and save people as fast as possible. Looking for a parking space (as well as the actual parking of the car) will become routine automation. Bumps or potholes in the road – cars will warn each other about the need to brake. Traffic jams will lessen due to certain cars being sent along alternative routes, and so on.
The development of driverless technologies and carsharing (CaaS – Car as a Service) could – within decades – turn the automotive world upside-down. Owning a car will become for many old-fashioned and unnecessary (for others it may remain a status symbol). But that’s natural when you see the alternative: when you can call up a car to arrive at your doorstop when you want, with all personal settings already set up (music, seat position, temperature, etc.), which will drive you along the optimal route in the shortest time (and you don’t have to buy the car itself, there’s no servicing to pay for, etc., etc). The car will turn into a peripheral device of the mobile phone!
Indeed one could go on fantasizing on this theme for ages. If you want to share your ideas on this – please let me hear about them in the comments…
But I’ll now turn this discussion in a different direction – as you’ve probably guessed already – a cybersecurity direction…
I’m sure that while reading this post there’ll be many among you thinking: ‘But it’s all unsecure!’, ‘it’ll be hacked before you know it!, or even ‘there’s no way I’m getting in a car like that!’. And you’d be right once, twice, three times a lady. Just look, for example, at the market of IoT devices: in the race for ever-improved functionality, manufacturers ignore security. But with IoT devices cybersecurity negligence can lead to loss of data, privacy violations, bricking of devices. With driverless cars it can lead to loss of life.
Regarding the latter, at least car manufacturers understand this – and it’s why our cars still haven’t become fully ‘smart’ yet. Manufacturers make awesome kit, but cybersecurity isn’t their thing. Most car makers limit themselves to ‘sandboxes’ to isolate cars’ electronics blocks – much like they do with applications in iOS. But to get totally effective and awesome protection there’s no way of getting round specialization, aka – seeking out folks who do cybersecurity for a living and who do it reeeaaally well.
But there’s some resistance been shown on the part of manufacturers. I know of cases where a security researcher contacts a car manufacturer to offer his services to address a problem he’s identified, but the manufacturer says there’s no problem, thanks anyway. So the researcher demonstrates a few simple scenarios leading to a total hack of the computer system of a car (!) – while it’s moving (!!), from the car running beside it (!!!). Only then does the manufacturer take the researcher seriously. But this is the way it is with security of so-called smart cars: it’s so weak as to be a gift to hackers:
So yeah – you get it. To have superior cybersecurity for smart cars manufacturers need to work with others. Some understand this, which is encouraging; but some go one further – they work with others on joint development of technologies to come up with real solutions. Example: our joint project with AVL to create the Secure Communication Unit (SCU)), which protects communications between car components and the computer that’s controlling them all.
In simple terms, the SCU is a module controlled by our Secure OS that protects a car from hackers and malware. In it there are several interesting patented inventions (three patent applications in the U.S. (US16/120,762; US16/058,469; US16/005,158), and three in Europe (EP18194672.4, EP18199533.3, EP18182892.2)), which cover a special gateway that gets imbedded in the computer system of the car. The gateway analyses data about the operation of the electronic blocks and also network activity, and indicates any anomalies it finds that could be a sign of a cyberattack, unsanctioned intervention, or technical fault. The analysis uses a database of rules that describe different attack scenarios, plus plenty of machine learning technologies. So yes – in short, it’s a smart hardware filter, customized for smart cars.
The filtration rules are developed together with the auto-maker, and if the rules are triggered the gateway can block dangerous actions and send a notification to the owner. Thus, should the Miller-Valasek hack have been attempted on a protected car, it simply wouldn’t have worked – and Fiat Chrysler wouldn’t have had to recall 1.4 million Jeeps! (I can’t begin to think how much financial and reputational damage that did to the company.)
But there’s more: just supposing a sophisticated cyberattack were to get round our protection (there’s no such thing as 100% protection, remember?), the manufacturer would be able – within hours, or a day, tops – to quickly patch the vulnerability via the SCU, without needing to wait for a new patch for the car. And such quick applying of a solution on all vulnerable cars – from Alaska to Zimbabwe – remotely: this is almost as important as the initial protection which should not normally ever even be gotten around.
I mentioned use of machine learning. Well, it’s constantly going on in the background, taking note of the telemetry in the electronic blocks and analyzing it with machine learning algorithms in the cloud in order to uncover unknown cyberattacks. But there’s a bonus; actually – several: this journal can be used as a recorder of events for wider application. For example, folks buying second-hand cars will be able to look at the true ‘medical history’ of a car. Or, in case of a crash, drivers will have evidence as to what really happened. Car parts being replaced and repair works – they can be monitored too, and so on and so forth. In a nutshell, it’s always nice knowing what’s happened under the hood of your car.
Sceptics might ask what happens if the bad guys rip out the SCU and reprogram it. After all, tampering with the mileage shown on the clock still goes on. Come on, please. We’re a cybersecurity company! That’s the first thing we thought about. Tampering with the SCU is simply impossible given the secure architecture. And proven mathematically…
Data is signed with technology that’s in some ways similar to blockchain: each new block of data is encrypted with a key with dynamic meta-blocks (date, time, etc.) and hereditary characteristics from the signatures and key of the previous block. In the simplest arrangement, restoring the chain of keys is possible only by knowing the very first key, which is generated by a trusted ‘black box’ and is installed by the automaker. In other words, it guarantees the authenticity of data, and that data can be used, for example, for monitoring manufacturer guarantee conditions, ecology readings, or the sleep and rest of professional drivers, or for calculating insurance premiums on the basis of how well a driver drives. The data it collects could even be used as evidence in court.
So, you now see we’re big into automotive security. However, it’s not only protecting vehicles into which we’ve diversified in recent years. In fact, there’s now no other traditional competitor of ours who has gone so deep into solutions outside traditional antivirus. We protect critical infrastructure, embedded systems and IoT, and provide a wide range of threat intelligence services; and that’s in addition to our own secure OS, mentioned above, which, btw, isn’t a mere cosmetic adaptation of a desktop antivirus (like… hmmm – best not point fingers:), it’s a specialized technology that was created from the ground up with specific spheres of application in mind. No wonder that this market is growing faster than any for us: in 2018 our non-endpoint sales rose 55%. Indeed, I’m sure that the future lies in creating scalable multi-dimension ecosystems of cybersecurity technologies for building a truly cybersecure world. Ecosystems that will move us from the paradigm of ‘cybersecurity’ to one of ‘cyber-immunity’: to treat the causes – not the symptoms.