Key principles of Vehicle Cyber Security for Connected and Automated Vehicles

As vehicles get smarter, cyber security is becoming a growing concern in the automotive industry. Whether we’re turning cars into Wi-Fi-connected hotspots or equipping them with millions of lines of code to create fully autonomous vehicles, cars are more vulnerable than ever to hacking and data theft.

The Department for Transport and the Centre for the Protection of National Infrastructure have issued joint guidance setting out how the automotive sector can make sure cyber security is properly considered at every level, from designers and engineers through to suppliers and senior-level executives.

The key principles of vehicle cyber security for connected and automated vehicles – some of which apply to many other businesses and industries – include: that security risks are assessed and managed appropriately and proportionately, including those specific to the supply chain; that the security of all software is managed throughout its lifetime; and that the storage and transmission of data is secure and can be controlled.

The eight principles are:

Principle 1 – organisational security is owned, governed and promoted at board level

Principle 2 – security risks are assessed and managed appropriately and proportionately, including those specific to the supply chain

Principle 3 – organisations need product aftercare and incident response to ensure systems are secure over their lifetime

Principle 4 – all organisations, including sub-contractors, suppliers and potential 3rd parties, work together to enhance the security of the system

Principle 5 – systems are designed using a defence-in-depth approach

Principle 6 – the security of all software is managed throughout its lifetime

Principle 7 – the storage and transmission of data is secure and can be controlled

Principle 8 – the system is designed to be resilient to attacks and respond appropriately when its defences or sensors fail

From an incident response perspective, principles 3.1 to 3.4 are particularly relevant to Cyber Security Helpdesk’s work responding to cyber and data breaches.

Principle 3.1 – Organisations plan for how to maintain security over the lifetime of their systems, including any necessary after-sales support services.

Principle 3.2 – Incident response plans are in place. Organisations plan for how to respond to potential compromise of safety critical assets, non-safety critical assets, and system malfunctions, and how to return affected systems to a safe and secure state.

Principle 3.3 – There is an active programme in place to identify critical vulnerabilities and appropriate systems in place to mitigate them in a proportionate manner.

Principle 3.4 – Organisations ensure their systems are able to support data forensics and the recovery of forensically robust, uniquely identifiable data. This may be used to identify the cause of any cyber, or other, incident.

The full text can be found at this URL: https://www.gov.uk/government/publications/principles-of-cyber-security-for-connected-and-automated-vehicles/the-key-principles-of-vehicle-cyber-security-for-connected-and-automated-vehicles