Announcing its ongoing support for vehicle technology initiatives in the UK, together with the Centre for the Protection of National Infrastructure (CPNI), it recently published some key principles to ensure that inter-connected vehicles are secure from a range of cyber-related threats.
These are the eight security principles the Department for Transport (DfT) wants to bring to the heart of the connected car ecosystem:
- Principle 1 Organisational security is owned, governed and promoted at board level
- Principle 2 Security risks are assessed and managed appropriately and proportionately, including those specific to the supply chain
- Principle 3 Organisations need product aftercare and incident response to ensure systems are secure over their lifetime
- Principle 4 All organisations, including sub-contractors, suppliers and potential third parties, work together to enhance the security of the system
- Principle 5 Systems are designed using a defence-in-depth approach
- Principle 6 The security of all software is managed throughout its lifetime
- Principle 7 The storage and transmission of data is secure and can be controlled
- Principle 8 The system is designed to be resilient to attacks and respond appropriately when its defences or sensors fail.
Transport Minister Lord Callanan said in a statement: “Our cars are becoming smarter and self-driving technology will revolutionise the way we travel. Risks of people hacking into the technology might be low, but we must make sure the public is protected… That’s why it’s essential all parties involved in the manufacturing and supply chain are provided with a consistent set of guidelines that support this global industry. Our key principles give advice on what organisations should do, from the board level down, as well as technical design and development considerations.”
Further details are in the published guidelines from the DfT. But from an industry viewpoint there was nothing really new in the announcement, over and above the work that is already ongoing.
The insurance industry – together with the software houses and data service partners – is already well-evolved in meeting its part of the connected vehicle value chain, not least through the massive work already ongoing with GDPR, the General Data Protection Regulation.
But it is to be welcomed that the government’s announcement will go some way to reassuring the public that the right safety principles are being put in place.
Data-sharing will power transportation
As vehicles get smarter, cyber security in the automotive industry is becoming a new area of risk. We have commented in a previous blog about how the global car makers are having to adapt to a new world in which the development process is no longer linear and self-contained. Increasingly the auto manufacturers (OEMs) are having to collaborate and work with a lot more software-powered services, IT systems and new types of external partners.
This is a complete transformation away from the human-controlled, mechanical, internal-combustion powered cars – and the human-derived risk of motoring – that the world has lived with for the last 100 years.
In fact our recent developments with the LexisNexis® Telematics Exchange are helping to bring data standards and data normalization to the global inconsistencies that exist between vehicle and hardware types, bringing certainty and ease of deployment for the OEMs as well as for global insurers, in the risk management aspect.
Third party vendors are playing a game-changing role by providing applications that facilitate the data collection process. The LexisNexis Telematics Exchange, a device-agnostic end-to-end telematics solution, is a vital component in this effort.
The LexisNexis Telematics Exchange is helping to drive a new model of relationship between insurers, auto manufacturers (OEMs), third party vendors and technology providers.
Whether we’re turning cars into Wi-Fi connected hotspots or equipping them with millions of lines of code to create fully autonomous vehicles, cars are becoming vulnerable to new types of threats from hacking and data theft.
To the public, some of the recent exaggerated media headlines of smart cars and their vulnerability to hacking might be alarming. But if we compare how autopilot is already established as safe in the airline industry (since the first tests in the 1960s) we can expect the driverless vehicle to undergo an equally rigorous period of safety testing, identifying new types of risk rating and data sources.
On a 2.5 hour flight nowadays, autopilots and flight-management systems typically do about 95% of the work. There has been talk of the fully-autonomous passenger plane, although there are no active projects yet from the big plane makers.
All parties are agreed that everyone involved in the automotive supply chain, from designers and engineers, to insurers, software specialists, the dealer and repair networks, ride sharing specialists – at a senior executive level – is working with a consistent set of guidelines that support this global industry.
Data sharing and fully compliant data standards will increasingly define the future of cars and transportation. Organisations such as the DfT and Transport for London collect statistics on traffic, while insurers, claims management firms and the police handle accident data, which is increasingly being transmitted electronically. Vehicle manufacturers are gathering more information than ever before, for battery and motor diagnostics and for learning more about their customers’ post-sale needs (almost all of which is anonymized in respect of personal information).
By 2020 around 98% of new cars will have telematics technology embedded and they will be connected through the Internet of Things, increasingly communicating with other vehicles and road infrastructure. By 2025 the share of connected new cars will have risen to 100%.
The data management or security uncertainties for the connected vehicle are not specific to insurance, which is traditionally very good at data governance and evolving large IT systems safely and slowly (in fact since the 1970s). The risks exist mainly because the smart car, and the whole Internet of Things, is not like a linear industry system; it is a very diverse system with new participants and diverse hardware. From the telematics standpoint, the LexisNexis Telematics Exchange is designed to overcome these kinds of data matching and data management issues.
As soon as data enters the insurance world, it is highly regulated. It is the other parts of the IoT that operate outside of strict financial regulation. This is another reason insurance companies are well placed to take the lead on vehicle connectivity and the IoT, giving confidence to the public in a way that the hardware manufacturers, apps and start-ups cannot.
In the final analysis, it is public support and societal norms that will determine the rate of progress with autonomous and connected vehicles.
This article is care of LexisNexis and the original article can be found here.