folienfeuer - Fotolia

UK calls for smart car cyber protection

A new generation of internet-connected cars will have to be better protected from cyber attackers, under tough new UK government guidance

As vehicles continue to become smarter and increasingly common on British roads, the UK government says it is crucial that manufacturers take the correct steps to make them cyber secure.

The Department for Transport, in conjunction with Centre for the Protection of National Infrastructure (CPNI), has issued guidance that includes eight principles for use throughout the automotive sector for connected and autonomous vehicles, intelligent transport systems, and their supply chains.

“While smart cars and vans offer new services for drivers, it is feared would-be hackers could target them to access personal data, steal cars that use keyless entry, or even take control of technology for malicious reasons,” the guidelines state.

The eight principles set out how vehicle manufacturers can make sure cyber security is properly considered at every level, from designers and engineers, through to suppliers and senior-level executives.

The measures are aimed at ensuring engineers developing smart vehicles toughen up cyber protections and design out cyber security risks.

In announcing the guidelines, the government highlighted the “broader programme of work” announced in the Queen’s speech in June 2017 under the Autonomous and Electric Vehicles Bill that aims to create a new framework for self-driving vehicle insurance.

The legislation, the government said, will put the UK at the centre of the new technological developments in smart and autonomous vehicles, while ensuring safety and consumer protection remain at the heart of the emerging industry.

The measures to be put before Parliament, the government said, mean that insuring modern vehicles will provide protection for consumers if technologies fail.

The government said measures, alongside the guidelines for manufacturers to make smart cars cyber secure, are aimed at making the UK a world-leading location for research and development for the next generation of vehicles. This forms part of the government’s drive to ensure the UK harnesses the economic and job-creating potential of new tech industries.

Key principles of vehicle cyber security

  1. Organisational security is owned, governed and promoted at board level.
  2. Security risks are assessed and managed appropriately and proportionately, including those specific to the supply chain.
  3. Organisations need product aftercare and incident response to ensure systems are secure over their lifetime.
  4. All organisations, including sub-contractors, suppliers and potential third parties, work together to enhance the security of the system.
  5. Systems are designed using a defence-in-depth approach.
  6. The security of all software is managed throughout its lifetime.
  7. The storage and transmission of data is secure and can be controlled.
  8. The system is designed to be resilient to attacks and respond appropriately when its defences or sensors fail.

Transport minister Martin Callanan said it is important that smarter and self-driving technologies are protected against cyber attacks.

“That’s why it’s essential all parties involved in the manufacturing and supply chain are provided with a consistent set of guidelines that support this global industry. Our key principles give advice on what organisations should do, from the board level down, as well as technical design and development considerations,” he said.

Mike Hawes, chief executive of the Society of Motor Manufacturers and Traders, welcomed the government initiative: “We’re pleased that government is taking action now to ensure a seamless transition to fully connected and autonomous cars in the future and, given this shift will take place globally, that it is championing cyber security and shared best practice at an international level.”

Hawes said autonomous vehicles promise to reduce road accidents dramatically and save thousands of lives. “A consistent set of guidelines is an important step towards ensuring the UK can be among the first – and safest – of international markets to grasp the benefits of this exciting new technology,” he said.

Read more about self-driving vehicles

The government said it will continue to support and work collaboratively with industry to make sure vehicles are protected from cyber attacks, and that the guidance principles will form a key part of these discussions.

In July 2015, the government announced a £20m fund to research and develop driverless car technology in the UK, launched a joint policy team to co-ordinate cross-departmental work, and established a non-statutory code of practice to help ensure public safety.

Raj Samani, chief scientist and fellow at cyber security firm McAfee, said that with the UK’s strong manufacturing heritage, it’s unsurprising that the government has high hopes for the UK to be a global leader in driverless car technology. 

“The new cyber security guidelines will be a key step in achieving this goal, with the security of the car’s network paramount to the safety of the driver and those in the car’s vicinity.

“Driverless vehicles must be secure by design, and the government’s new guidelines will undoubtedly play a key role in ensuring that UK car manufacturers make that happen,” he said.

Read more on Hackers and cybercrime prevention