Guest Article | EY: Cyber security and the connected car

Tim Best, EY Director, Cyber Security

We still refer to our mobiles as “phones,” even though making phone calls is the very least of their functions. In the same way, we are likely to continue calling connected vehicles “cars,” even though driving, as we understand it today, will soon be eclipsed by a myriad other capabilities.

The connected car will be able to drive itself, performing tasks such as dropping you at the airport before taking your children to school and collecting your shopping. During the day, while you are at work, you may be able to rent it to a taxi service provider. At weekends, you might choose to take the wheel again – for purely recreational reasons. The rest of the time, you can hand over responsibility to the car’s automated systems while you surf the net, watch a movie, work or sleep.

Living in networks

To take on all these new functions, the connected car has to “live” in multiple networks, interacting with systems including power grids, car manufacturers, traffic control, vehicle-to-vehicle communications, road tolls, home networks, technical services and government. “The connected car is a network of networks,” explained Tim Best, EY Director, Cyber Security, speaking at CODE_n. “That means it is only as secure as the networks in which it operates. All of these present possible ‘attack vectors’ for hackers.”

Like every other company, car manufacturers have to protect the cyber security of their whole ecosystem. But for other industries, the stakes are not so high: if your mobile phone is compromised, it is inconvenient but not usually life threatening. However, if a car is travelling at high speed down a motorway, a security breach could easily endanger life and limb.

Traditional security is no longer enough

Traditional safety measures focus on protecting a car’s individual electronic components, which control all its functions, from central locking to braking. But EY’s recommended approach is to protect the entire network, including not just the technology but the people and the processes. “The only way you can address cyber threats is by monitoring, detecting and alerting,” said Best.

You have to monitor networks, communications and transactions, and identify unexpected behavior. You have to understand potential attackers: who they are, what their motivations are and how they might attack you. Develop incident responses and procedures based on likelihood of attack. If a threat manifests, you then have an appropriate response to deal with it successfully.” Companies will also need to collaborate more with other organizations, for example by sharing threat intelligence and creating joint audit processes, he said.

Legal and ethical questions

Connected cars raise multiple legal and ethical questions. Who is to blame when accidents occur, as they inevitably will? The software programmer, the car manufacturer, the dealer who sold you the car? And what about decision-making – when the automated car has to make a split-second choice between running over a child or endangering the lives of its passengers?

There are no easy answers, said Best, and many issues remain to be explored. But there is no doubt that connected cars offer the most exciting revolution in driving since the invention of the internal combustion engine.