European security agency Enisa has released a new report designed to identify industry best practices in securing smart cars against cyber threats.
The detailed 84-page report, Cyber Security and Resilience of smart cars, covers passenger cars and commercial vehicles including lorries, but not autonomous vehicles.
It positions car security as an essential “matter of national and European interest” given the repercussions of a successful connected vehicle hack – the like of which has been demonstrated multiple times by researchers over the past few years.
The report outlines where the key vulnerabilities are in connected car systems as well as the threats, attack scenarios and mitigation factors/security measures manufacturers should consider.
There are recommendations not only for car manufacturers but also the ecosystem of “aftermarket vendors” and insurance providers
Best practice is outlined in three sections: policy and standards; organizational measures and security functions.
Specifically, the report urges manufacturers to improve in-car security, cross-industry information sharing and exchanges with third party security experts.
There also needs to be improved industry efforts on clarifying liability for security, as well as standardized best practices and a third party evaluation scheme, it claimed.
"We need to bring together all European automotive industry actors to secure smart cars today, for safer autonomous cars tomorrow,” said Enisa executive director, Udo Helmbrecht, in a statement.
The security challenges surrounding smart cars are myriad, and have been identified in several key pieces of research over the years.
Most notably, Miller and Valasek demonstrated in 2015 how a Jeep Cherokee could be remotely hacked and the firmware reflashed so that attackers could brake and interfere with the steering.
In September, Tesla was forced to issue an update after Chinese researchers showed how to remotely apply a targeted car’s brakes by exploiting a chain of flaws.
Back in July, experts urged the UK government to include cybersecurity risks in its consultation on self-driving technologies.