We have grown accustomed to driving cars with computerized engine controls plus added stuff like air bag systems that sense if someone is in the passenger seat, delayed lights shut off and back-up sensors. But with the rapid proliferation of computerized features, and integration between them, we will soon be transported in what amounts to a computer system on wheels. With these systems comes increasing security risks and thus the need for cyber security.
Wikipedia tell us that computer security, also known as cyber security, is the protection of computer systems from the theft or damage to the hardware, software or the information on them, as well as from disruption or misdirection of the services they provide.
The last part of that definition is critical - "as well as from disruption or misdirection of the services they provide". Think of hackers gaining access to your car's computer while you are driving and shutting down the braking and steering systems. Does that seem farfetched? This scenario actually happened several years ago, in a controlled test, to prove that the Jeep Grand Cherokee's software was vulnerable. The Jeep wound up in a ditch - the vulnerability has been fixed.
But the scale of integrated systems in vehicles several years ago was miniscule compared to what it will be several years from now. Systems are now being designed to allow for remote software updates similar to those you receive for your phone. In this brave new world we are entering how will computer security be maintained, during manufacturing, during those updates on the fly and then again during repair and maintenance operations?
If those questions aren't baffling enough, who will have the skills to work on these cars? Most automotive technicians today don't have the knowledge and few training programs are teaching the necessary skills. Training curriculums must be overhauled to include more computer skills including cyber security. And, in order to attract qualified people, the image of the repair industry must be changed from that of the proverbial grease monkey to one reflecting our evolution into a challenging, complex business model.
These were the topics of discussion at a recent industry conference at the Anaheim Convention Center. The comments from the various speakers emphasize where we are and where we need to go.
All cars made since the 1980's have a standardized diagnostic connector under the dash board that allows repair facilities to access the on-board computer for diagnostic purposes. More recently, some insurance companies began offering discounts to clients who agree to the installation of a "dongle" in the diagnostic connector which transmits data to the company regarding driving habits. Other companies offer dongles that will transmit info to your smart phone regarding trouble codes and performance factors.
But Josh Meyer, chief innovation officer for Bosch USA, said "All insurance, diagnostic code readers and other under dash dongles can be hacked. I have a large collection of dongles. Each has security risks, each is an attack vector to critical vehicle data.”
Two other experts that spoke: Craig Smith is author of the Car Hacker's Handbook and a specializes as a "white hat" hacker (he hacks to expose vulnerabilities so they can be fixed); and Mahbubul Alam, Chief Technology Officer of Movimento Group, works with automotive firms to defend against and prevent hacking.
"Attackers only have to be right once, whereas defenders have to be right all the time", explained Smith. That doesn't mean hacking is easy, but it does show how enormous the task of defending is for the automotive industry. Modern cars typically have 100 million lines of software code embedded. Connected, self-driving cars in the next decade will have 500 million lines of software code. that's a lot to defend."
"That helps explain why cyber security must be built-in from the beginning, and be continually maintained and upgraded thereafter", replied Alam. "We need a mentality that the vehicle's security is never completely done. This concept of 'never done' is new to the auto industry. But with software being pervasive - it will soon represent 60 percent of the value in a vehicle - we need to have 'loopback' methodology when launching security solutions that requires us to keep testing defensibility long after a vehicle is built and sold."
The issue of who will have the skills to work on these cars has so far only affected automakers, but it will soon impact the service and repair industry. Recruitment of new talent as always been a challenge, but connected technology and associated security concerns have compounded the problem. "But redirecting inertia is problematic", said Jeff Peevy, president of the Automotive Management Institute. "As an industry, we need to shift recruitment, student education and aftermarket training from an Industrial Age mindset to a Technological Age mindset. No longer can we leave it to default or archaic practices."
Trish Serratore is the Automotive Service Excellence (ASE) vice president responsible for the National Automotive Technicians Education Foundation (NATEF) and Automotive Youth Educational Systems (AYES) programs. "To attract the students the industry needs today, we need to do a better job of approaching them face-to-face with a compelling message: Automotive education is the original science, technology, engineering and mathematics (STEM) program, and we need students who can tame the challenges our industry faces." Amen.
By Allen L Phillips
Source: Motor Magazine eNewsletter, November 2016.