UK Government Introduces Connected Car Security Guidance
The UK government has introduced comprehensive new guidelines designed to improve the cybersecurity of connected and autonomous vehicles.
The eight principles, drawn up by the Department of Transport and Centre for the Protection of National Infrastructure (CPNI), are intended to put Britain at the center of R&D for connected cars.
“Risks of people hacking into the technology might be low, but we must make sure the public is protected. Whether we’re turning vehicles into Wi-Fi connected hotspots or equipping them with millions of lines of code to become fully automated, it is important that they are protected against cyber-attacks,” said transport minister, Lord Callanan.
“That’s why it’s essential all parties involved in the manufacturing and supply chain are provided with a consistent set of guidelines that support this global industry. Our key principles give advice on what organizations should do, from the board level down, as well as technical design and development considerations.”
The eight principles include mandates for security to be “owned” by the board; extended to the supply chain; maintained over the lifetime of systems; achieved using defence-in-depth strategies; and ensure systems can withstand hacking attempts and still function.
“The security of the car's network [is] paramount to the safety of the driver and those in the car's vicinity,” argued McAfee chief scientist, Raj Samani.
“Driverless vehicles must be secure by design, and the government's new guidelines will undoubtedly play a key role in ensuring that UK car manufacturers make that happen.”
The government said that these principles, which could in time be enshrined in law, come alongside provisions in the Autonomous and Electric Vehicles Bill that aim to create a new framework for self-driving vehicle insurance.
In March in the US, the Security and Privacy in Your Car (SPY Car) Act of 2017 was re-introduced by senators keen to regulate to improve baseline security and privacy in the industry.
It mandates things like separation of critical from non-critical systems, and requires all cars to be equipped to spot and flag hacking attempts.
Source: Information Security Magazine