Maintaining Proper Fleet Cybersecurity Balance

Editor's note: Read on to learn about typical fleet security issues and how to address them. Turn to ScienceSoft’s fleet management services to set up a proactive approach to connected and automated vehicle security.

The last few years showcased how vulnerable we are in the age of digital transformation.

The recent survey conducted among the senior executives by Robert Walters and Jobsite suggests that in the coming year, demand for cybersecurity professionals is going to surge. According to the findings, 54% of respondents consider hiring specialists with cybersecurity background in the near future.

The prerequisites lie in the turbulent state data privacy and systems safety may nowadays find itself. In 2013, cyber risks were ranked 3rd among top five major concerns threatening modern companies. The large-scale hacker attacks that have recently taken place, including an allegedly state-sponsored exposure of 500 million Yahoo user accounts, only contributed to the statement that operating online is ever-dangerous now.

In view of the growing concern over systems vulnerability, and the consequences breaches may entail, such as leakage of consumer private data, cybersecurity experts, senior executives and government representatives have raised a lot of urgent issues. What level of cybersecurity is adequate enough? How to design a proper piece of cybersecurity legislation? To what extent the government should be allowed to get access to consumer private data, even for surveillance purposes? And, most important, how not to compromise between consumer data privacy and cybersecurity purposes, which are not supposed to be mutually exclusive, but sometimes seem to?

Ensuring privacy and cybersecurity balance

Data safety experts suggest a lot of ways to maintain proper cybersecurity-data privacy balance, ranging from collecting system information (e.g. computer IPs) instead of personality identifiable information (e.g. logins), with the possibility to retrieve the latter for surveillance purposes, to educating security personnel, to using various types of encryption, such as end-to-end encryption, to protect data from unauthorized access.

The latter has now become quite widespread, taking into account that more and more companies shift to producing intellectual property and providing services online, and need a working tool to protect their customers’ data. However, its growing popularity has sparked heated debates between the FBI and Silicon Valley on whether it can hinder investigation process. Authorities claim end-to-end encryption that allows data to be deciphered only after it reaches the destination point prevents them from gaining access to the personality identifiable information even if they are entitled to it.

The alternative methods of encryption proposed by the National Security Agency, such as split-key and escrow encryption, allow companies and government agencies to hold the split key, and decipher the data only by putting it together when there is a real necessity. However, these technologies are too complex to be introduced into a company’s daily operation, and too expensive to give a company an additional competitive advantage.

This is the point where cybersecurity and consumer data privacy collide, and, what is even more worrisome, whatever the outcome, public safety may be put at risk.

Ensuring fleet cybersecurity

Fleet cybersecurity is a relatively new phenomenon. Unlike in other industries, leakage of personal data is not the worst scenario here. Crafty hackers may use sophisticated malware to knock crucial car elements, such as brakes, transmission box or even engine, out of action, which may cost drivers, passengers and passers-by the most valuable thing ever – life.

In response to the rising fleet cybersecurity concerns, the National Highway Traffic Safety Administration has scrutinized all the best existing experience of ensuring fleet cybersecurity, and come up with the imperative guideline on how to make cybersecurity part of a company’s daily operation.

The NHTSA cybersecurity practices provide a non-binding guidance to automobile manufacturers, and suggests considering the following aspects of instilling cyber-secure behavior:

• Application of a layered approach to attack identification and prevention – first identifying all the possible risks, then designing a layer of defense for each of them;
• Timely revision of IT security industry standards, such as ISO 27000;
• Consideration of cybersecurity at each and every stage of a vehicle life-cycle;
• Cooperation between all stakeholders in terms of sharing cybersecurity risks data;
• Establishment of a procedure of proper evaluating, testing, documenting and reporting of cybersecurity risks;
• Production of an annual report on the existing cybersecurity practices, and making it public to provide the relevant information to all concerned parties;
• Restraining of the developers’ access to a vehicle’s ECUs if there is no proper operational reason to further have it;
• Protection of firmware from being accessed and modified by unauthorized parties (e.g. it may be insured by using digital signing);
• Usage of segmentation and isolation techniques to prevent unauthorized access to one system element through another;
• Proper encryption of the data communicated between vehicle and external servers.
• Cyber-protection of external devices brought to the car (for example, a driver’s personal mobile phone connected to a car system) as they can hinder a vehicle’s safety regardless of its primary purpose.