The 21st Century OEM Imperative: Cybersecurity In EPS Steering Systems
Considerations regarding electric power steering (EPS) and steering systems are clearly an integral part of the innovation ecosystem of connected, semi-autonomous and autonomous vehicles. And the importance of connected or autonomous factors for OEMs continues to grow exponentially, especially when one considers the huge rise in EPS. Matthew Beecham is an expert in the global automotive components industry and he predicts that more than half of all trucks in Europe, Japan and the U.S. will have EPS systems in place. Growth in other vehicle classes will be just as dramatic.
Connected and autonomous vehicles are touted for their ability to make mobility safer and greener, as well as satisfy our insatiable need for progress and, equally, convenience. That’s all very well. But EPS and steering systems are essentially hardware. In an era of connected and autonomous vehicles, that hardware will rely increasingly on software. Where there is software, there is hacking.
The cyberjacking of automotive software is real. In an era of the Internet of Things (IoT), more and more key vehicle functions, such as EPS and steering systems, must rely on software rather than hardware. Vehicles will increasingly run with software and embedded systems that are connected to each other, thereby making them a viable target for cyber criminals.
This will only be exacerbated by the “Vehicle to Everything” (V2X) communications transport model which relies heavily on the ability of vehicles to communicate with each other, as well as with roadside technology, whilst providing real-time traffic data and safety alerts to pedestrians or cyclists. This is inevitable technology that will revolutionize our mobility - yet with cyber attack as its evil bride.
Incidents are happening
Eureka Magazine makes the valid assessment that automated driving is predicated on internet connectivity and vehicle-to-vehicle (V2V)/vehicle-to-infrastructure (V2X) communication; as such, “cyber secure steering technologies are becoming more critical.” Incidents involving these technologies create public anxiety. The media has certainly had a field day reporting on connected or autonomous cars having rather serious incidents. In 2016, two security researchers were able to easily hack Jeep’s digital system remotely via the Internet. The same researchers found vulnerabilities that were exploitable on a plethora of other vehicle brands which use the same entertainment system such as Dodge.
In 2017 USA Today reported that Chinese security researchers were able to hack a Tesla Model X, turning on the brakes remotely and getting the doors and trunk to open and close whilst jamming a host of other features on the car – and this was the second time they had managed this. The Chinese security researchers had achieved this by sending malicious software via the vehicle’s web browser, which enabled them to control the car’s brakes, doors, trunk, and lights over both Wi-Fi and cellular connections.
March 2018 was a bad month for autonomous vehicles after a woman was killed on a California highway when she failed to take action with the Autopilot feature in her Tesla SUV’s steering system, whilst a self-driving Volvo SUV operated by ride-hailing service Uber struck and killed a pedestrian in Arizona. None of these incidents provide succor for those wishing to be convinced of the cybersecurity or integrity of this technology.
Customers are concerned
OEMs should be well aware that there are grave reservations about connected and autonomous vehicles. Security specialist website Help Net Security provided analysis of the Global Connected Car Survey as undertaken in 2017 by Irdeto, a Dutch consultancy offering solutions and services to clients across a wide range of digital platforms. 8,354 consumers were surveyed across Canada, China, Germany, Japan, UK and US, 85% of whom stated that they believe that any connected car has the potential to be targeted by a cyberattack. Those in Canada and the UK were the most worried (90%) about the potential for connected vehicles to be targeted by hackers. 53% of respondents cited the car’s ability to protect itself from a cyberattack as something they would seriously research before buying connected cars.
Peter Lockhart, commercial director of Roke Manor Research, a UK-based electronics engineering and digital solutions consultancy, does note that some manufacturers (such as Tesla, Fiat Chrysler and GM) have started investing heavily in security systems in order to reduce the threat of cyber-attacks – much of it centered on connected and autonomous steering systems. Lockhart makes the chilling point that the spate of terrorist attacks in Europe using vehicles as weapons has only made the public even more wary of what carnage could be unleashed if terrorists were to take control of connected cars or, worse still, autonomous cars. And it is steering systems that are potentially most vulnerable to hacking.
The perception is undoubtedly that autonomous vehicles engender even more fears in the public than do connected cars, as shown in the Irdeto survey in which only 12% of respondents stated that they don’t have any cybersecurity concerns if considering an autonomous vehicle. Central to that perception regarding autonomous cars is that the tangible steering system may be non-existent. That clearly unnerves people with regard to potential cyber attacks on autonomous vehicles. The subliminal link in people’s minds is obvious – ‘give me a steering I can control, and I have some control of the vehicle – take that away, and I have no control’.
There are five main reasons as to why the cybersecurity of connected and autonomous automotive technology is so problematic:
- Firstly, the technology itself is innately problematic from a security standpoint. With connected and autonomous technology, protection of only the vehicle per se is not enough. The vehicles’ entire connected ecosystem must be protected, including securing V2X communications so that data transferred between the vehicle and devices is secure. This is far easier said than done. This is exacerbated by the fact that OEMs in the automotive industry are highly dependent on tiered supply chains; therefore, any changes in a vehicle would require corresponding actions from a number of different suppliers.
- Secondly, there is the issue of the cloud. Dr. Alan Mantooth of the University of Arkansas, who serves as Executive Director for the NSF Research Center on Grid-connected Advanced Power Electronic Systems (GRAPES) and the DoE Cybersecurity Center on Secure Evolvable Energy Delivery Systems (SEEDS), opines that processes that were formerly hydraulic or mechanical are increasingly electronic and networked, much of it in the cloud. The cloud itself is a network of networks.
- Thirdly, the way OEMs function today is also problematic. The modern business cost-cutting imperative and production systems in place create vulnerabilities whereby just-in-time manufacturing and shorter and shorter times to market mean that there is less time for product testing.
- Fourthly, OEMs suffer from a severe shortage of skilled cybersecurity professionals. According to German automotive engineering company ESG, nearly half of organizations polled in 2016 claimed that they have a “problematic shortage” of cybersecurity skills, a sharp rise from 28% in 2015. ESG found that Security Operations Centre (SOC) teams within organizations are struggling to build cybersecurity teams with the right balance of expertise and experience.
- The fifth reason why cybersecurity is so problematic for OEMs may be the most worrying one: basically, most OEMs don’t seem bothered by the issue, including with regard to steering systems. A 2017 study undertaken by the Michigan-based research group, the Ponemon Institute, and released by Colorado-based software company, Rogue Wave, was most revealing. 500 automotive developers, engineers and executives were surveyed and the message from developers was especially alarming: developers in the survey overwhelmingly didn’t believe that their companies are taking security seriously enough. Perhaps most chilling of all is that only 19% of the automotive software developers surveyed believed it is even possible to make a car “nearly hack proof.”
Rogue Wave made the rather damning assessment that, “Contrary to public statements by the automakers, the Ponemon survey shows that OEMs and their suppliers do not yet have the desire, skills, tools or processes to make a secure car.” That is a hugely sobering assessment for any OEM.
So what are OEMs to do, since it’s clear that cybersecurity concerns are immense for EPS and steering systems, as well as connected and autonomous vehicles generally? The possible solutions offered here are drawn from the prevailing literature on this issue:
- Understand the threats: Trend Micro is a Japanese multinational cyber security and defense company and it believes that cybersecurity for connected vehicles has five distinct threats, all of which need to be addressed at all times: threat intelligence, hardware security, software security, network security and automotive Ethernet. Trend Micro believes that developers can use the exact same reverse engineering logic used by hackers in order to protect systems, e.g. by sending proprietary messages to an engine control unit (ECU) under attack and ordering it to take action, or even to completely reboot the ECU.
- The defense in depth principle: Considered one of the core pillars of cybersecurity today, this principle stipulates a multi-layered security response to any threat to a connected or autonomous vehicle’s steering system. Eureka Magazine reports how Michigan-based automotive parts company Nexteer has integrated multi-layer cybersecurity for its steering systems. This approach consists of specifically designed hardware modules at the semiconductor level, as well as a multi-layered cryptographic software structure. The latter identifies and authorises information and command flow between the steering system and other in-vehicle or external controllers. With that, security becomes multi-faceted and stronger.
- Security by design: This is when security is duly accounted for at every step of a vehicle’s development, from specifications to validation. This should encompass management, operations, maintenance and all third parties within an OEM’s sphere. A ‘built-in’ security mindset must exist from the very conception of the design of the car system, which differs significantly from a ‘built-on’ security process whereby security is added on piecemeal and incrementally where needed. This is backed by a report by Bordonali, Ferraresi & Richter for McKinsey & Company, in which they stress the need to address specific cyber security solutions throughout the design and development of a product, as well as its maintenance and response architecture. South African automotive engineer Peter Els has written on how significantly secure EPS systems are today and refers to the work done by Japanese automotive components manufacturer Denso, with its emphasis on security by design. Els states how, “[Denso’s] new fail-safe EPS system has been designed from the ground up, featuring a back-up system which operates continuously, in the event of failure, to ensure that the driver retains control of the vehicle.”
- Change the development structure: Cybersecurity should not be chiefly the domain of an OEM’s IT department. The security needs to also be involved – perhaps more so. Shai Morag, CEO and co-founder of SECDO, a US-Israeli cybersecurity incident response consultancy, makes the assessment that most OEMs make this mistake. Morag argues that cybersecurity should be cross-organisational and that it is crucial that an entire organization be able to contain a cyber threat immediately before IT can intervene.
- Empower developers: As shown by a survey previously discussed in this paper, automotive software developers feel ignored, under-skilled and compromised in their work. Development teams need to be fully empowered and fully supported with their cybersecurity initiatives – after all they’re the ones tasked with creating secure code.
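The defense in depth item above describes a cryptographic layer that identifies and authorises command flow between the steering system and other controllers. The sketch below is an added illustration of that idea, not code from the article and not Nexteer's design: a receiver that identifies the sender, verifies a message authentication code and rejects replayed frames. The sender ID, key, frame layout, tag length and all function names are assumptions made for this example.

```python
import hashlib
import hmac
import struct

# Constructed sample data: the sender ID and key are hypothetical.
AUTHORISED_SENDERS = {
    0x21: b"lane-keep-controller-demo-key",  # controller allowed to command steering
}
BODY_LEN = 7  # 1-byte sender ID, 4-byte counter, 2-byte signed torque request
MAC_LEN = 8   # truncated tag length, an assumption for this sketch


def build_frame(sender_id, counter, torque, key):
    """Sender side: pack the command and append a truncated HMAC-SHA256 tag."""
    body = struct.pack(">BIh", sender_id, counter, torque)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]
    return body + tag


class SteeringReceiver:
    """Receiver side: identify the sender, authenticate the frame, reject replays."""

    def __init__(self, senders):
        self.senders = senders
        self.last_counter = {sender_id: 0 for sender_id in senders}

    def accept(self, frame):
        """Return the torque request if the frame is authorised, else None."""
        if len(frame) != BODY_LEN + MAC_LEN:
            return None  # malformed frame
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        sender_id, counter, torque = struct.unpack(">BIh", body)
        key = self.senders.get(sender_id)
        if key is None:
            return None  # sender is not on the allow-list
        expected = hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]
        if not hmac.compare_digest(tag, expected):
            return None  # tag mismatch: forged or modified frame
        if counter <= self.last_counter[sender_id]:
            return None  # stale counter: replayed frame
        # Only an authenticated frame may advance the freshness counter.
        self.last_counter[sender_id] = counter
        return torque
```

The counter is updated only after the tag verifies, so a forged frame cannot push the counter forward and lock out the legitimate controller.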
For EPS and steering systems, the customer’s security needs must come first. Bruce Schneier is an American cryptographer and computer security professional who states that, “Security is a hard-to-evaluate feature against a possible future threat, and consumers have long rewarded companies that provide easy-to-compare features and a quick time-to-market at its expense.” OEMs need to remember that when considering the importance of cybersecurity regarding their EPS and steering systems.
Steven Zimmerman, Product Marketing Manager for Black Duck, a Boston-based software development security company, makes the assertion that, “Safety Is Priority One for OEMs”. That is wrong. Outlandish as it may seem to suggest otherwise, it is security and, in particular, cybersecurity that must be at the forefront of OEM strategic and operational risk management today. Safety is a given – but is cybersecurity?
In a world of connected and autonomous EPS and steering systems, safety must be within the context of security. The original concept of security in the automotive industry was basically about making a car hard to steal. New Mobility has taken security into another, far more complex realm. Without secure cybersecurity there is no safety with this technology. Security must become all-dominant in the way OEMs work. Just as safety was paramount to OEMs in the 20th century, so security must be paramount in the 21st.
- Beecham, Matthew. Research Snapshot: Steering tomorrow’s car. Just Auto. https://www.just-auto.com/analysis/research-snapshot-steering-tomorrows-car_id176526.aspx [Retrieved April 19 2018]
- Bordonali, Corrado, Ferraresi, Simone & Richter, Wolf. Shifting gears in cyber security for connected cars. McKinsey & Company. https://www.mckinsey.com/~/media/mckinsey/industries/automotive%20and%20assembly/our%20insights/shifting%20gears%20in%20cybersecurity%20for%20connected%20cars/shifting-gears-in-cyber-security-for-connected-cars.ashx [Retrieved April 6 2018]
- Els, Peter. Electric power steering systems (EPS) have never been safer. Automotive IQ. https://www.automotive-iq.com/chassis-systems/articles/electric-power-steering-systems-eps-have-never-been-safer [Retrieved April 19 2018]
- Eureka! As cars become more autonomous steering wheels will become obsolete. http://www.eurekamagazine.co.uk/design-engineering-features/technology/as-cars-become-more-autonomous-steering-wheels-will-become-obsolete/170523/ [Retrieved April 6 2018]
- Help Net Security. Cybersecurity concerns may stop consumers from purchasing a connected car. https://www.helpnetsecurity.com/2017/12/04/cybersecurity-concerns-purchasing-connected-car/ [Retrieved April 6 2018]
- Irdeto. Consumers in China Want Connected Cars but Lack Cybersecurity Awareness. https://irdeto.com/news/consumers-in-china-want-connected-cars-but-lack-cybersecurity-awareness.html [Retrieved April 5 2018]
- Lockhart, Pete. The future of connected cars: overcoming the cyber-security threat. SC Media. https://www.scmagazineuk.com/the-future-of-connected-cars-overcoming-the-cyber-security-threat/article/671546/ [Retrieved April 5 2018]
- Mantooth, Alan. How connected cars introduce new cybersecurity challenges. IoTnews. https://www.iottechnews.com/news/2017/sep/20/how-connected-cars-introduce-new-cybersecurity-challenges/ [Retrieved April 5 2018]
- Oltsik, Jon. Cybersecurity Job Fatigue. ESG Global. http://www.esg-global.com/blog/topic/cybersecurity-skills-shortage [Retrieved April 19 2018]
- Rogue Wave. Car Cybersecurity: What do the automakers really think? https://www.roguewave.com/sites/rw/files/attachments/RW-SI-automakers-survey2015-FNL.pdf [Retrieved April 5 2018]
- Trend Micro. Cybersecurity Solutions for Connected Vehicles. https://www.trendmicro.com/us/iot-security/content/main/document/IoT%20Security%20for%20Auto%20Whitepaper.pdf [Retrieved April 5 2018]
- Zimmerman, Steven. 3 Takeaways from the Automotive Cybersecurity Summit. Black Duck. https://blog.blackducksoftware.com/3-takeaways-automotive-cybersecurity-fall-summit [Retrieved April 5 2018]