As vehicles become increasingly dependent on embedded computers for functions such as engine timing, acceleration, braking, and in-vehicle infotainment (IVI), the risk of cyber attacks on cars is growing dramatically. With this in mind, Southwest Research Institute has formed the Automotive Consortium for Embedded Security (ACES), which will have an informal initial meeting on Oct. 23.
“A successful attack of an automobile could compromise safety and damage an automaker’s reputation,” notes Southwest Research Institute (SWRI) in its announcement.
Imagine the catastrophic damage to a car, its occupants, or those in its path from an exploit that turns up the IVI system’s volume to an excruciating level, suddenly accelerates or brakes, or abruptly steers into oncoming traffic or off the road.
Some automotive cyber risk sources
(click images to enlarge; source: see footnote)
“Embedded systems are processors designed for a specific function within a larger system, such as the whole automobile,” explains Mark Brooks, a senior research engineer at SWRI. “They typically handle a specific task and have been optimized to reduce size and cost and increase reliability and performance.”
Brooks also notes that today’s vehicles typically have “dozens of embedded computer systems” in them, and that they are networked with each other through various on-board paths including CAN bus. Putting this together with the fact that smartphones, tablets, and IVI systems have increasingly brought Internet connectivity into the vehicle, the potential for cyber attacks on cars has now become a major concern.
ACES will be chartered to track new trends in automotive embedded systems and develop methods and technologies for protecting automotive systems from malicious cyber attacks. Key priorities will include “identifying system bugs that might be on the computers, and also protecting the intellectual property associated with control system software on those computers,” says Brooks.
ACES objectives currently listed on the organization’s preliminary web page include:
- Performing high-risk/high-reward pre-competitive and non-competitive research and development
- Serving as an independent verification and validation entity
- Developing an understanding of industry problems and associated risk
- Monitoring and sharing threats and industry research
- Keeping abreast of and providing input for emerging safety and security regulations and standards
- Providing members with relevant solutions and actionable results
SWRI says ACES will also “pursue patent applications for technology developed by the ACES program.”
A short YouTube introduction to the new consortium’s purposes and goals is available below.
Introducing the Automotive Consortium for Embedded Security
ACES membership will be open to manufacturers and other businesses affiliated with the automotive industry, with annual membership fees running $90,000. An informal meeting for prospective participants will occur on Oct. 23, to be followed by a formal “kickoff” meeting in January or February. Further information is available at SWRI’s ACES initiative website.
Note: the two cyber risk illustrations in this post are from an interesting whitepaper on “Paradigm Change of Vehicle Cyber Security,” which is available for download from the NATO Cooperative Cyber Defence Centre of Excellence website, here (PDF file).