By Bunmi Ade | The Financial Times Future of the Car Summit returned to London in May 2017 – this event covers innovative powertrains, Connected and Automated cars and the advent of changing customer demand patterns and auto cyber-security. We caught up with Sergey Zorin, Head of Transportation System Security at Kaspersky Lab after the FT event for a brief interview on the company’s view of the future of cars generally and their relationship with motorsport teams.
Speakers included Mike Flewitt (Chief Executive Officer, McLaren Automotive), Gilles Normand (Senior Vice President, Electric Vehicles for Renault), Stefan Sielaff (Director of Design, Bentley Motors) and the mentioned Sergey Zorin. Kaspersky Lab was also one of three Associate Sponsors of the event.
In addition to being one of the world’s fastest-growing cybersecurity companies globally, the company is also involved in motorsport via its partnership with Scuderia Ferrari (since 2010) and more recently, the Blancpain GT Series, racing with the Ferrari 488 GT3 model.
Sergey, at the #FTCar summit, Kaspersky said security is a major issue for connected cars – given recent global malware/ransomware attacks, how can future cars be protected adequately?
Although the recent WannaCry epidemic did not directly affect the security of connected cars (since most of them do not run Windows OS), ransomware is a real threat to car security. While researching car infotainment systems, we were able to prove that the system can be infected with ransomware with a malicious firmware update and that it would be a rather easy thing to do. The problem is that the ransomware criminal business model is applicable to almost any connected device, including a connected car. In order to ensure that connected cars are protected from any malicious interference, including malware attacks, there should be a security module, a special hardware-software solution, that checks the legitimacy of all in-car and car-to-infrastructure communications. We call this component a secure gateway, but it can be called by different names, of course. We believe that this component is a must-have for a car if it has connectivity.
General malware epidemics such as WannaCry are something that the car industry should be protected from. Because the IT infrastructure of car industry companies is often no different to regular office IT infrastructures, malware can potentially infect the server-side infrastructure of a crucial v-2-i, system – fleet management system for example, and cause a denial of service. In this case the owner of the system would experience real losses.
So do you envisage new insurance products against potential malware attacks?
Specific insurance anti-malware products will most likely appear if, or when, malware attacks against cars become widespread. For example, similar offerings already exist in the banking industry – in both the consumer and corporate markets.
However, insurance compensation can cover some losses from car hacking, but not all of them. Business reputation and customer reputation, which is extremely important when it comes to cars, are examples of potentially inevitable losses. Luckily, I think we still have several years before malicious attacks against cars become common in the wild. And this time should be used in order to develop and implement proper security technologies. At Kaspersky Lab, we’re developing such technologies in cooperation with several car industry partners.
General malware epidemics such as WannaCry are something that the car industry should be protected from.
As we explore Vehicle-to-Grid and Wireless EV charging applications i.e. cars connect to the electric grid to provide back-up power, what are the wider security implications on cars and the grid? And how can these risks be mitigated?
From the security standpoint, Vehicle-to-Grid and Wireless EV charging are both a problem for connected cars. The connectivity of a car gives malicious users an entry point to its systems. And if the car is connected to another system, (which in this case is the power system) it automatically becomes an additional entry point for hacker that aims to target critical infrastructure. I’d rather not speculate on this topic, as this is an emerging trend and so far we’ve seen only one example of a successful hack of this system and luckily, no known examples in the wild. Potentially this type attack can work in both ways: they could either use a car vulnerability to access the grid and exploit vulnerabilities to do damage to public safety, or they could use the hacked grid as a stepping stone in order to get into the car’s systems.
In terms of protection strategies, there is nothing new here: a car should not allow code execution that was not authorised by the car maker. That’s it. But in order to archive that, the architecture of a car should contain a specific watcher – a dedicated security element which would “know” which interactions between the internal components of a car are legitimate and which are not. As for grid security, that’s more of critical infrastructure protection problem. There are hundreds of pages of Best Practice to protect critical infrastructure systems, but in general the key pillars are: regular security assessment, patch management, penetration testing, and having dedicated anti-malware solutions in place.
Kaspersky is involved in Formula 1, and now F2 and Blancpain Endurance – what are main differences in the requirements of these motorsport series and how much of the motorsport technology and cybersecurity learnings can be applied to road cars?
There are no specific security requirements from the organisers but we secure all team IT equipment and telematics. Our security technologies and solutions, which we use in motorsport, can be used in developing the in-car security of road cars and for developing its connectivity ecosystems for consumers.
Bunmi Ade is a motorsport consultant with several years’ experience as a Business Development Manager and Brand Influencer for motorsport brands. She has worked with Driven International since 2015 and is responsible for new markets at the consultancy whose clients include British Automobile Racing Club. Bunmi founded the GridPasses website, hosts regular business roundtable discussions with motorsport industry experts and occasionally writes for various publications like Times Newspaper, Paddock magazine and eRacingMagazine.