BlackBerry recommends framework for AV and connected-car security

The rapid pace at which connected and autonomous vehicles are being developed has been accompanied by rising concerns about their vulnerability to hacking.

BlackBerry Ltd., whose profile in the auto sector has risen sharply in the last two years, on Wednesday released its own recommended framework to protect AVs and connected vehicles from cyberattack.

“Protecting a car from cybersecurity threats requires a holistic approach,” Sandeep Chennakeshu, president of BlackBerry Technology Solutions, said in a news release.

The onetime smartphone leader’s background in cybersecurity and embedded automotive software – via its Blackberry QNX unit – gives the company the experience necessary to create a defence against cybersecurity threats, he said. 

The company released a white paper with seven recommendations:

• Secure the supply chain, ensuring every electronic control unit (ECU) and chip can be properly authenticated and loaded with trusted software, regardless of who made or sold it. Scan all software for compliance to standards and security requirements. Evaluate the supply chain regularly against vulnerabilities.
• Create deeply layered security architecture, a “defence in depth,” with secure hardware, software and applications.
• Use system architecture that isolates safety-critical and non-safety-critical ECUs and can also “run-safe” when anomalies are detected. Ensure communication between the vehicle’s systems and external sources, as well as ECU to ECU, are trusted and secure.
• Ensure all ECUs are equipped with diagnostic tools and can report results to a cloud-based tool for analysis and to initiate preventative action if needed. Automakers should also confirm certain metrics can be scanned regularly when the car is on the road and deal with any issues via over-the-air (OTA) software updates.
• Speed the response to problems by sharing common vulnerabilities and exposures among a network of subscribing enterprises.
• Employ lifecycle management, including re-flashing a vehicle with secure OTA software updates as soon as an issue is detected, managing security credentials via active certificate management and adopting a unified policy to manage applications downloaded over the lifetime of the car.
• Ensure every organization involved in supplying auto electronics is trained in functional safety and security best practices so it is embedded in the culture.

The white paper was released not long after BlackBerry’s chief security officer told Computer Weekly that connected vehicles require higher security standards because of the safety risks they present if hacked.

“Somebody who hacks a sensor may not necessarily pose a safety risk, though a hack on my car could take over the controls and steering wheel,” Alex Manea told the publication in an article posted online Dec. 6.

BlackBerry's recommendations follow those of the U.S. National Highway Traffic Safety Administration, which released its Cybersecurity Best Practices for Modern Vehicles in October 2016.

According to the Cybersecurity and Connected Car Report from IHS Automotive, nearly 112 million vehicles around the world are connected. The global market for automotive cybersecurity could reach $759 million by 2023.