U.K. government guidelines to reduce the hacking risk of Internet-connected cars don’t go far enough, the Institute of the Motor Industry says.
The institute, the professional association for individuals working in the motor industry, wants newly announced guidelines for makers of Internet-connected cars to focus equally on the people who work on the vehicles.
Transport Minister Lord Callanan says the new generation of Internet-connected cars will have to be better protected from hackers under proposed tough new guidelines that mean manufacturers will have to design out cybersecurity threats as part of their development work.
“Risks of people hacking into the technology might be low, but we must make sure the public is protected,” he says in a statement. “Whether we’re turning vehicles into Wi-Fi connected hotspots or equipping them with millions of lines of code to become fully automated, it is important that they are protected against cyberattacks.”
Lord Callanan says this is why it’s essential all parties in the manufacturing and supply chain have a consistent set of guidelines.
“Our key principles give advice on what organizations should do, from the board level down, as well as technical design and development considerations,” he says.
The eight principles in the guidance set out how the automotive sector can ensure cybersecurity is properly considered at every level, from designers and engineers through to suppliers and senior-level executives.
The principles:
- Organizational security is owned, governed and promoted at board level.
- Security risks are assessed and managed appropriately and proportionately, including those specific to the supply chain.
- Organizations need product aftercare and incident response to ensure systems are secure over their lifetime.
- All organizations, including sub-contractors, suppliers and potential third parties, work together to enhance the security of the system.
- Systems are designed using a defense-in-depth approach.
- The security of all software is managed throughout its lifetime.
- The storage and transmission of data is secure and can be controlled.
- The system is designed to be resilient to attacks and respond appropriately when its defenses or sensors fail.
Society of Motor Manufacturers and Traders CEO Mike Hawes says he’s pleased government is championing cybersecurity and sharing best practices at an international level.
“A consistent set of guidelines is an important step towards ensuring the U.K. can be among the first – and safest – of international markets to grasp the benefits of this exciting new technology,” he says in a statement.
The Institute of the Motor Industry says a key factor in ensuring the security of automotive data is knowing technicians working on a vehicle are properly qualified and adhere to a professional standard.
But the government has not addressed this issue in its latest guidelines, even though 86% of people surveyed by the IMI believe vehicle technicians should be qualified and regulated to carry out repairs.
In an IMI study last year, Jim Saker of Loughborough University in Leicestershire – ranked highly for engineering and technology – found that while vehicle technicians have access to all the car operating systems and data-communication portals, there is no registration of technicians, no security checks and no tests of competence.
