IEC e-Tech
The more transport systems modernise and become autonomous, the more they can be hacked. International standards from organisations like the IEC can provide the appropriate cyber security requirements.
In January, Italy’s maritime navigation systems governing vessels in the Mediterranean Sea were reportedly manipulated. The hacker was a 15-year-old schoolboy. While nothing other than teenage mischief seems to have been the motivation on this occasion, cyber security experts were on the alert. The case highlights the need for organizations everywhere to secure their transport systems as ships, trains and automobiles become increasingly autonomous. Autonomous vehicles (AVs) pose a particularly alarming threat as the world has witnessed a growing number of incidents involving trucks and vans used as weapons in terror attacks.
The challenge of connected vehicles
By 2030, 95% of new vehicles sold globally will be
connected, while the number in service will increase from 192 million in 2023
to 367 million by 2027. Last year “massive-scale global incidents” from hackers
targeting connected vehicles and services tripled from 5% to 19%, according to
a data security specialist.
It is not just the digitization of almost every aspect of
vehicle control and communications which raises the threat of cyber attacks. It
is that the interconnected nature of autonomous transport systems creates a
vast attack surface for criminals. Self-driving vehicles use cloud services,
GPS, sensors, cameras and communication networks to function. They are
connected to other Internet of Things (IoT) devices, which makes them
vulnerable to cyber attacks and hackers.
While the automotive industry is grappling with the issue,
governments are worried too. “A large cyber-terrorist attack targeting the
operating systems of many self-driving vehicles simultaneously could cause mass
casualties,” was the catastrophic scenario presented by British MPs
after their own investigation into autonomous cars. The MPs concluded that
self-driving vehicles pose cyber security risks “because of their connected
rather than automated capabilities”.
IoT connectivity is the weak link
The automotive industry has been aware for at least a
decade of how a malicious actor could remotely exploit vulnerabilities,
including IoT functionalities and components which are not cyber secure, to
invade user data and control a vehicle’s core functions, such as braking or
accelerating. According to this article by a cyber security company,
targets now include advanced driver assistance systems (ADAS),
vehicle-to-everything (V2X) communications and over-the-air (OTA) updates.
And it is already happening. Automotive hacks in
which attackers managed to control vehicles remotely and were able to exploit the
system’s shortcomings to “put drivers, passengers or pedestrians’ life in
danger” rose dramatically in 2024 to account for over 35% of all cases of
automotive cyber attacks. “Threat actors are now deploying large-scale,
sophisticated, AI-powered attacks targeting not just vehicles but also the EV
charging infrastructure, API-driven applications and smart mobility IoT
devices,” the report’s authors say. “This expanding attack surface demands a
transformative, pro-active approach to cyber security.” As attacks on
autonomous vehicles increasingly target V2X protocols rather than other simpler
elements of the vehicles, adopting a standards-driven approach to cyber
security across the whole product lifecycle is deemed crucial.
A secure automotive future
Several established standards provide the building blocks for
supply chain trust across the whole product lifecycle. The IEC 62443 series
of standards defines requirements and processes for implementing and maintaining
electronically secure industrial automation and control systems. These
standards set best practices for security and provide a way to assess the level
of security performance, including in transport. The approach to the cyber
security challenge is a holistic one, bridging the gap between operations and
IT as well as between process safety and cyber security.
ISO/SAE 21434 is the standard for automotive cyber
security engineering. It provides a comprehensive framework to identify, assess
and mitigate cyber security risks across the supply chain. The standard covers
the entire lifecycle of a vehicle, from concept to decommissioning.
Additionally, ISO/SAE 21434 satisfies the UN Regulation 155 (R155), which
ensures that cyber security management systems (CSMS) take a systematic
approach to risk management.
Compliance with such standards has become mandatory for
manufacturers and their suppliers, making it crucial for all involved parties
to have robust cyber security measures in place. While R155 is mandatory only
in the EU, Japan and Korea, its requirements are used by most car manufacturers
as a best practice across the globe.
The industrial cyber security programme of IECEE, the
IEC System of Conformity Assessment Schemes for Electrotechnical Equipment and
Components, tests and certifies cyber security in the industrial automation
sector. IECEE includes a programme that provides certification to standards
within the IEC 62443 series.
Maritime cyber resilience
Cyber attacks on shipping companies have become
commonplace. Amid growing acknowledgement of the risk, few within
industry believe efforts to combat the threats are sufficient.
Maritime systems, like rail control systems, are often
outdated and poorly protected. Ships are increasingly being targeted through
their GPS systems, which can impact navigation. Their automatic identification
systems (AIS) can also be hacked and even spoofed. AIS is an essential safety
system which uses radio signals, aiding maritime vehicles to identify and keep
track of each other, thereby preventing collisions. As much as it is
essential, it can become a weak link for cyber attacks.
“A ship is like a floating factory,” describes one maritime
information provider. “There are lots of systems that talk to each other, and
they're not protected. Usually there's no encryption or authentication. It's
easy to hack individual systems. It's just like hacking a Tesla, except it's
much bigger.”
The IEC has published international standards specifying
cyber security measures for ships. One of its technical committees, IEC TC 80,
has taken on the role of developing international standards for the Global
Maritime Distress and Safety System (GMDSS), an internationally agreed set of
safety procedures and communication protocols used to increase safety and make
it easier to rescue ships in distress. IEC TC 80 issues IEC
63154, which specifies requirements for standards to provide a basic level of
protection against cyber incidents (i.e. malicious attempts, which actually or
potentially result in adverse consequences to equipment, their networks or the
information that they process, store or transmit).
Hackers and cyber criminals are becoming more sophisticated
and use new digital technologies to access data and take control of transport
systems. But tools, such as international standards, are there to protect the
transport industries as they invest to modernize. By following the steps
described in the standards, many of the risks can be avoided.