The United Kingdom has published a set of vehicle cyber security principles, “Key principles of vehicle cyber security for connected and automated vehicles”. The document sets out what auto-makers must do if they want computerised cars to be approved in Britain and reach the road.
According to the British news site The Register, the principles were written by the UK’s Department for Transport with help from the Centre for the Protection of National Infrastructure, and were launched by transport minister Lord Callanan. The principles state that all participants in the auto industry’s long supply chains must work together on security, both during the design process and for years after vehicles hit the roads.
Among the principles are governing and promoting organizational security, and securing all software throughout its lifetime.
Other particularly important principles include the expectation that “security risks specific to, and/or encompassing, supply chains, sub-contractors and service providers are identified and managed through design, specification and procurement practices.”
One of the principles may raise eyebrows, as it states: “Organisations ensure their systems are able to support data forensics and the recovery of forensically robust, uniquely identifiable data. This may be used to identify the cause of any cyber, or other, incident.” What the combination of “uniquely identifiable” and “other incident” means in practice isn’t spelt out, but it opens all manner of avenues for investigating driver behaviour.
Another principle states: “Remote and back-end systems, including cloud based servers, which might provide access to a system have appropriate levels of protection and monitoring in place to prevent unauthorised access.”
One of the principles sets out how a vehicle should respond to corrupt or malicious input, stating: “The system must be able to withstand receiving corrupt, invalid or malicious data or commands via its external and internal interfaces while remaining available for primary use. This includes sensor jamming or spoofing.”
Regarding operational security, the principles call for the following: “Design controls to mediate transactions across trust boundaries must be in place throughout the system. These include the least access principle, one-way data controls, full disk encryption and minimising shared data storage.”
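To make the last two principles concrete, here is an added example (illustrative code written for this page, not part of the government document or The Register's report): a small Python domain gateway that mediates frames across a trust boundary between a hypothetical powertrain domain and an infotainment domain. The frame layout, the domain names, the message IDs, the keys and the forwarding policy are all assumptions invented for the example. It shows the two points together: truncated, corrupt, spoofed and replayed frames are rejected with a recorded reason rather than crashing the gateway, so it remains available, and a least-access, one-way policy decides which message IDs may cross the boundary in which direction.

```python
import hashlib
import hmac
import struct
from typing import Dict, Set, Tuple

# Everything below is a constructed illustration (assumption): the frame
# layout, domain names, message ids, keys and policy are invented for this
# example and are not taken from any real vehicle or from the UK principles.
HEADER_FMT = ">HBB"      # message id (2 bytes), payload length, rolling counter
HEADER_LEN = struct.calcsize(HEADER_FMT)
MAC_LEN = 8              # truncated HMAC-SHA256 tag appended to each frame
MAX_PAYLOAD = 8          # classic CAN-sized payload bound

# Least-access, one-way policy: which message ids may cross each boundary.
# Powertrain may publish speed (0x100) and rpm (0x101) telemetry towards
# infotainment; nothing at all is permitted from infotainment into powertrain.
POLICY: Dict[Tuple[str, str], Set[int]] = {
    ("powertrain", "infotainment"): {0x100, 0x101},
    ("infotainment", "powertrain"): set(),
}


def build_frame(key: bytes, msg_id: int, counter: int, payload: bytes) -> bytes:
    """Sender side: header + payload, authenticated with a truncated HMAC."""
    body = struct.pack(HEADER_FMT, msg_id, len(payload), counter & 0xFF) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]


class Gateway:
    """Mediates frames between domains; bad input is dropped, never fatal."""

    def __init__(self, keys: Dict[str, bytes]) -> None:
        self.keys = keys                                     # MAC key per source domain
        self.last_counter: Dict[Tuple[str, int], int] = {}  # freshness state per (src, id)
        self.dropped: Dict[str, int] = {}                    # reason -> count, for monitoring

    def _drop(self, reason: str) -> Tuple[str, str]:
        self.dropped[reason] = self.dropped.get(reason, 0) + 1
        return ("DROP", reason)

    def forward(self, src: str, dst: str, raw: bytes):
        """Return ("FORWARD", msg_id, payload) or ("DROP", reason); never raises."""
        key = self.keys.get(src)
        if key is None or (src, dst) not in POLICY:
            return self._drop("unknown_boundary")
        if len(raw) < HEADER_LEN + MAC_LEN:
            return self._drop("too_short")                   # truncated frame
        msg_id, length, counter = struct.unpack(HEADER_FMT, raw[:HEADER_LEN])
        if length > MAX_PAYLOAD or len(raw) != HEADER_LEN + length + MAC_LEN:
            return self._drop("bad_length")                  # corrupt header or garbage
        body, tag = raw[:HEADER_LEN + length], raw[HEADER_LEN + length:]
        expected = hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]
        if not hmac.compare_digest(tag, expected):
            return self._drop("bad_mac")                     # modified or spoofed frame
        if msg_id not in POLICY[(src, dst)]:
            return self._drop("policy")                      # least access / one-way rule
        last = self.last_counter.get((src, msg_id))
        delta = (counter - last) & 0xFF if last is not None else 1
        if not 0 < delta < 128:
            return self._drop("replay")                      # stale or replayed counter
        self.last_counter[(src, msg_id)] = counter
        return ("FORWARD", msg_id, body[HEADER_LEN:])


def demo() -> Dict[str, object]:
    """Feed the gateway valid, corrupt, spoofed, replayed and disallowed frames."""
    keys = {"powertrain": b"\x01" * 16, "infotainment": b"\x02" * 16}  # fixed demo keys
    gw = Gateway(keys)
    speed = build_frame(keys["powertrain"], 0x100, 1, b"\x00\x32")
    tampered = bytearray(speed)
    tampered[HEADER_LEN] ^= 0x01                             # flip one payload bit
    out = {
        "valid": gw.forward("powertrain", "infotainment", speed),
        "replay": gw.forward("powertrain", "infotainment", speed),
        "truncated": gw.forward("powertrain", "infotainment", speed[:5]),
        "garbage": gw.forward("powertrain", "infotainment", b"\xff" * 40),
        "tampered": gw.forward("powertrain", "infotainment", bytes(tampered)),
        # a node holding only the infotainment key tries to forge a powertrain id
        "spoofed": gw.forward("powertrain", "infotainment",
                              build_frame(keys["infotainment"], 0x100, 2, b"\x00\x32")),
        # well-formed and authentic, but the boundary is one-way
        "one_way": gw.forward("infotainment", "powertrain",
                              build_frame(keys["infotainment"], 0x100, 1, b"\x00\x32")),
        "not_allowed": gw.forward("powertrain", "infotainment",
                                  build_frame(keys["powertrain"], 0x7FF, 2, b"")),
        # after all of the above the gateway still serves legitimate traffic
        "still_up": gw.forward("powertrain", "infotainment",
                               build_frame(keys["powertrain"], 0x100, 2, b"\x00\x33")),
    }
    out["dropped"] = dict(gw.dropped)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12s} {result}")
```

Two design choices worth noting. Every rejection returns a reason and increments a counter instead of raising, which is what keeps the gateway "available for primary use" under a flood of bad frames and also gives the monitoring side something to alert on. The policy check is a plain allowlist keyed by (source, destination), so the one-way rule is just an empty set; adding a new permitted message means an explicit edit rather than a default of "allowed".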