As vehicles become more connected with consumers and their surroundings, transportation cybersecurity will have an impact on both data and physical safety. Michael Ger, general manager, manufacturing and automotive at Cloudera, and Michael Lin, product marketing manager at Cloudera, discussed the impact of cyber threats to the transportation industry and how to address them before damage is done. Here’s what they had to say.
MG: When you talk about connected vehicles, you have to understand that is just one part of a broader connected community. For example, connected cars will impact traffic patterns within connected cities and will rapidly impact new initiatives such as usage-based insurance, connected homes, and even home security systems. Similarly, medical devices are being integrated into the connected car so, should you have a health issue, the status of your health could be transmitted to your doctor through your vehicle. Yes, cars are more connected, but it’s the movement toward connected communities that’s most relevant.
MG: Cars are ubiquitous, and most people spend an enormous amount of time in their vehicles. More importantly, as vehicles become more connected and interact more broadly with the outside world, a huge number of connected vehicle use cases suddenly become possible.
MG: When considering the security of connected community data, you have to be able to answer questions like: Where and from whom did this data come from? Where and to whom did it go next? How recent is the data and how has it changed over time? To establish trust in these environments we have leveraged Hortonworks DataPlane services to provide a common governance framework across decentralized data sets from connected community constituents (i.e., automakers, insurance providers, city agencies, etc.). This includes the ability to centrally define data security roles, privileges, and policies across community data sets, in addition to being able to monitor how data has changed, data lineage, and exactly who viewed or edited the data (data audit) over time.
ML: Organized cyberattacks at a state level are most likely to be the biggest threat. That would affect public safety, and it could require car manufacturers to do a massive recall. We also need to look at it in layers.
MG: Attacking the vehicle is one layer, while attacking the data in broader connected community use cases is another layer. As you get into broader community use cases and more data points, it’s not just the vehicle data at risk, but all the other associated information providing additional value.
MG: Again, we need to think about this in layers. If just one layer is compromised, you are looking at vehicle safety. But looking more broadly, you must consider future connected uses, like with commerce. A personalized connection means they know my location and personal attributes. If that information is compromised, it is a privacy issue. If I was doing usage-based insurance, I have a user profile that could expose personally identifiable information (PII). Safety, privacy, and loss of business are all risks. The more data shared with the community, the more the risks increase.
ML: As vehicles are turned into IoT devices, another concern is that you’ve increased the attack vector for cybercriminals. IoT is like the end of the rainbow: hackers are using vehicles as a means to a treasure. What if the President’s car could be hacked? The hackers gain access to the vehicle’s main control system and can then listen to the conversations happening in the car. The same is true if the car is owned by a corporate executive. What kind of information will be shared with other countries or companies for financial gain?
MG: With public transportation, it is much less about PII and more about potential system risks: for example, taking down an individual train or a flight traffic control system. It isn’t about one person anymore, but rather taking down an entire system with hundreds of individuals.
MG: From the physical hardware, the original equipment manufacturer (OEM) and their suppliers are doing a good job protecting their systems. But when you move back into the connected community, the challenge gets greater. You’re using data sets that are bigger than any individual player. You need governance from a centralized location. Someone has to take control of cybersecurity. The question is: who will provide governance and responsibility for that data?
ML: There are different layers of risk, and there are also different layers of cybersecurity: the prevention layer and the detection layer. Individual vendors have to be responsible at the prevention layer—with adding firewalls, for example. The detection layer is the responsibility of car manufacturers or government entities. They could create their own security operations center, or outsource security to managed service providers.
ML: You need to have prevention systems like firewalls and detection systems in place. That’s a challenge because of the number of connected vehicles and the number of threats coming in each day. Security should also be done in layers, with protection and remedy solutions coming from security operation centers or managed security services providers.
Learn more about how to address transportation cybersecurity here.