Page 52 - Cyber Defense eMagazine - November 2017

not be automatically trusted. These should likewise be tested. The other party’s idea and definition of security may be a bit different than the standard, accepted version.

This is required by necessity. Without this in place and actively used, there is a rather direct potential correlation with the user being in harm’s way due to a lack of properly applied security. If the vehicle’s systems are not secure from attack and compromise, the vehicle could be directed to brake during heavy traffic, make a sharp right turn while on the expressway during rush hour, or carry out other malicious driving patterns the vehicle would not normally complete.

This is not an easy task. The vehicle is a rather complex machine. Mechanically, there are many different systems interacting and communicating within the vehicle. The electronics present a separate and distinct set of security parameters. The attack points, physical and wireless, are massive in number in a vehicle. To test every point repeatedly would require a large amount of time.

On another point, the security surrounding the vehicle is not static. The red teams may test a module or vehicle, recommend remediation for any issues, and, once it is implemented, believe the subject is secure. As time passes, however, more insecure areas and attack points may be present. This moving target makes security ever-changing and interesting.

Solution

With the complexity involved, any security function needs to be fully integrated throughout the modules, guarding the process and embedded devices. The best alternative is to maintain a quality research implementation from the design stage forward. Too many times, security is only thought of in the last stage prior to production, and the interested parties are then substantially rushed. At this point also, any changes may need to be implemented with the next iteration of the part or module, which leaves the end users’ vehicles open to compromise until the change or patch is applied to their vehicle’s application.

This deserves more attention and focus from manufacturers at all levels. Until this is implemented in the appropriate manner, there will continue to be extra costs for recalls and too many patches being uploaded.



About the Author

DRP is a Cybersecurity Lab Engineer focused on securing the world for the users one module at a time. DRP’s interests include the intersection of AI & ML and automotive cybersecurity.













Copyright © 2017, Cyber Defense Magazine, All rights reserved worldwide.