June 2018 - Cybersecurity | Autonomous Driving | IoT

New Frontiers for Car Security: API Management

When it comes to driverless cars, most of the talk is about high-precision sensors and AI. But a host of other enabling IT services bring their own risks. Marco Comastri of CA Technologies argues for the need for a paradigm shift among OEMs: one that would make cyber and network security as much of a core competence as engine control, airbags, or brakes.

New Frontiers for Car Security: API Management

© Andrey Suslov | istockphoto.com

Security experts estimate that many original equipment manufacturers (OEMs) are lagging behind by up to three years when it comes to defense against cyber attacks – even if the delay may cost lives. The industry faces several quite specific security challenges. The established supply chain may be perfectly organized and well established, but it wasn’t designed with security features in mind. 

As a result, adapting it is a long-term business, given the huge number of processes and components that will need to change. In any case, cars are produced on a mass scale and have a long lifecycle. Even if we could just flip a switch tomorrow, earlier models would still be on the road for some time yet.

The connected car is actually a whole ecosystem of solutions that relies almost completely on a reliable and ubiquitous network that begins with basic entertainment and extends to navigation, mobile connectivity, diagnosis, and remote maintenance, but it doesn’t end there. To get there, OEMs will have to integrate reams of code with a multitude of interfaces (APIs) from manufacturing, servicing, insurance, government, and technology partners. 

The market is changing rapidly and in-car telematics are only in their infancy. We will see cars communicate with each other and their increasingly smart environment through technologies that fall under the general heading of Vehicle Infrastructure Integration. 

This means vehicles will not only communicate with their manufacturers, but also with the cars driving alongside them, the traffic lights, road signs, and street sensors. Cars will become authentic data centers and will have to be secured accordingly. 

API security for connected cars 

From a technical point of view, this will mean an explosion in the number of devices and APIs. But each opening to the outside world is also a potential entry point for hackers, and every API represents a security and privacy risk. The automotive industry faces an enormous task to tackle IT and network security and API protection issues which – outside of finance or retailing – it previously could ignore.

A connected car may be an unfamiliar type of data center, but the security implications are no different from those driving the cyber security measures taken by other industries to integrate and protect sensitive data at mobile endpoints. What is more, APIs are the building blocks of connectivity and the automotive industry must defend them against cyber attacks and hackers, without at the same time compromising fast and reliable access for authorized users. 

Communication with the web is achieved via REST-APIs. Their sheer number makes it a challenge just to keep track of them. And many of these APIs are built by third parties, are not sufficiently secured, and do not comply with the standards demanded by OEMs. Some of the difficulties are that the standards exist only in part, are not obligatory across the whole industry, and to some extent have to be borrowed from other sectors like finance. This brings the need for comprehensive API management increasingly front and center. Concerns include API key control, versioning and support, registry, securing developers and devices, as well as analysis and performance and scalability.

APIs play an important role in end-to-end encryption during authentication and data transfer. Many OEMs rely on hardware security modules (HSM) that provide randomly-generated individual keys to achieve authentication within a public key infrastructure. Alternatively, software can be pre-encrypted at manufacture and the data transfer keys physically stored in hardware isolated from the database. 

OEMs have travelled some way but there is still much to be done. Vendors are about to incorporate cyber security solutions into their product design and manufacturing. The first step in the journey towards greater security and privacy is the use of established protocols and security features like reliable authentication with 3-legged OAuth, OAuth 2.0, OpenID Connect, and Single Sign-On access to driving functions, as well as encryption. 

So, will progress occur as a matter of course? Sadly not. Just last year, one big OEM had to temporarily deactivate its entire mobile app program when security specialists discovered that one of the APIs could be used with no authentication to control driving functions worldwide. All it took was a VIN and a simple web request to gain control of the vehicle from any location. 

Risk assessment and cooperation

Of course, it won’t be possible to provide the same level of security for all features of a connected car. Risk assessments will be crucial. For instance, infotainment features don’t require the same protection against vulnerability as the autonomous driving system. Careful selection of security tools for each vehicle sub-system will be required to protect the APIs, and close cooperation will be invaluable.

Indeed, automotive security very much depends on the supply chain. Continuous dialog with the supplier industry and, above all, a strategic implementation plan with strict rules are absolutely essential for reducing security risk from the word go, as well as for facilitating patching. Over-the-Air (OTA) updates are only a part of the solution. They are often only available for parts of the vehicle and, although vital to increased security, their high complexity and cost impose practical limitations. Also, they have to be delivered in a highly secure channel.

Focus on security grows alongside with the market 

The connected car market is expected to grow to more than USD 100 billion within the next year. An expanding number of functions will need to be secured against vulnerabilities. But this will require a real paradigm shift among OEMs, to make cyber security and network security as much of a core competence as engine control, airbags, or brakes.

Marco joined CA Technologies in 2011 as President & General Manager, Europe Middle East and Africa. In this role, he is focused on helping customers to not only realize the business opportunities presented in the application economy, but also to deliver superior user experiences that engage customers and deliver on their brand promise. Marco has a thirty year track record within the ICT industry, advising leading global organizations in the private and public sector on how to drive transformation, productivity and sustainable growth.

Please note: The opinions expressed in Industry Insights published by dotmagazine are the author’s own and do not reflect the view of the publisher, eco – Association of the Internet Industry.