Impressive technological developments in the automotive sector are accompanied by new challenges, especially in the area of API security.
Driverless, self-driving, autonomous – these are all terms used to describe the cars of the future. This futuristic tech is set to become more prevalent in the coming years and one day it may be the norm.
Vehicles will communicate with each other and their increasingly smart environment through technologies that fall under the general heading of vehicle infrastructure integration. This means vehicles will not only communicate with their manufacturers, but also with the cars driving alongside them, the traffic lights, road signs, and street sensors. Cars will become veritable data centers and will have to be secured accordingly. But what does this mean for our security and defense against cyber-attacks?
Within the next year the connected car market is expected to grow to more than USD 100 billion. But the expanding number of functions will need to be secured against vulnerabilities. This will require a paradigm shift among original equipment manufacturers (OEMs), to make network security and cyber security as much of a core competence as engine control, brakes or airbags. Security experts estimate that many OEMs are lagging behind by up to three years when it comes to effective defense against cyber-attacks, even though this security delay may cost lives.
The connected car industry faces several quite specific security challenges. In reality the connected car is a whole ecosystem of solutions based almost completely on a reliable and ubiquitous network, beginning with basic entertainment and extending to navigation, mobile connectivity, diagnosis, and remote maintenance. And it doesn’t end there. To get from here to there, OEMs will have to integrate reams of code with a multitude of interfaces (APIs) from manufacturing, servicing, insurance, government, and technology partners.
APIs for greater security
Technically speaking, this will mean an explosion in the number of devices and APIs. But each opening to the outside world is also a potential entry point for hackers, and every API represents a big security and privacy risk. The automotive industry faces an enormous task to tackle IT and network security and API protection issues.
Building blocks of connectivity
A connected car may be an unfamiliar type of data center today, but the security implications are no different from those driving the cyber security measures taken by other industries to integrate and protect sensitive data at mobile endpoints. Importantly, APIs are the building blocks of connectivity and the automotive industry must defend them against cyber-attack and hackers, without at the same time compromising fast and reliable access for authorized users.
Comprehensive API management
REST APIs make communication with the web possible. Their huge number makes it a challenge just to keep track of them. A further problem is that many of these APIs are built by third parties, so they are not sufficiently secured and do not always comply with the standards demanded by OEMs. Compounding this, the standards exist only in part, are not obligatory across the whole industry, and to some extent must be borrowed from other sectors like finance.
This brings the need for comprehensive API management increasingly front and center, including concerns such as API key control, versioning and support, registry, securing developers and devices, as well as analysis, performance, and scalability.
End-to-end encryption with APIs
APIs are also of enormous importance in end-to-end encryption for authentication and data transfer. Many OEMs rely on hardware security modules (HSMs) that provide randomly generated individual keys to achieve authentication within a public key infrastructure. Alternatively, software can be pre-encrypted at manufacture and the data transfer keys physically stored in hardware isolated from the database.
A look into the future
OEMs have come some way, but the road is still long. Vendors are about to incorporate cyber security solutions into their product design and manufacturing. The first step in the journey towards greater security and privacy is the use of established protocols and security features like reliable authentication with 3-legged OAuth, OAuth 2.0, OpenID Connect, and Single Sign-On access to driving functions, as well as encryption.
Of course, it won’t be possible to provide the same level of security for all features of a connected car. Risk assessments will be crucial. For instance, infotainment features don’t require the same protection from vulnerability as the autonomous driving system. Careful selection of security tools for each vehicle sub-system will be required to protect the APIs, and close cooperation will be invaluable.
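The risk-based approach described above can be expressed as an API gateway policy in which each route belongs to a risk tier with its own OAuth 2.0 scope, authentication strength, and re-authentication window. This is an added example, not code from the article or from any OEM. The routes, scope names, tier values, and numeric `acr` levels are hypothetical, and the token's signature, issuer, and audience are assumed to have been validated before `authorize` is called.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tier:
    scope: str          # OAuth 2.0 scope the access token must carry
    max_auth_age: int   # max seconds since the user authenticated (auth_time)
    min_acr: int        # minimum authentication strength (hypothetical levels)

# Hypothetical tiers: the more safety-critical the sub-system, the stricter.
TIERS = {
    "infotainment":  Tier("media:control", 30 * 24 * 3600, 1),
    "remote_access": Tier("vehicle:remote", 15 * 60, 2),
    "driving":       Tier("vehicle:drive", 60, 3),
}

# Hypothetical routes, each assigned to exactly one tier.
ROUTES = {
    ("POST", "/v1/media/play"):   "infotainment",
    ("POST", "/v1/doors/unlock"): "remote_access",
    ("POST", "/v1/drive/summon"): "driving",
}

def authorize(claims, method, path, now):
    """Return (allowed, detail) for already-validated token claims."""
    tier_name = ROUTES.get((method, path))
    if tier_name is None:
        return False, "unknown route"            # deny by default
    tier = TIERS[tier_name]
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    # Exact match on space-delimited scopes, never a substring test.
    if tier.scope not in claims.get("scope", "").split():
        return False, "missing scope " + tier.scope
    try:
        acr = int(claims.get("acr", 0))
    except (TypeError, ValueError):
        acr = 0                                  # unparseable acr counts as weakest
    if acr < tier.min_acr:
        return False, "authentication too weak"
    if now - claims.get("auth_time", 0) > tier.max_auth_age:
        return False, "re-authentication required"
    return True, tier_name

# Constructed sample claims: a user who signed in two minutes ago at level 2.
NOW = 1_700_000_000
SAMPLE = {"exp": NOW + 300, "scope": "media:control vehicle:remote",
          "acr": "2", "auth_time": NOW - 120}
```

With the sample claims, the media and door-unlock routes are allowed, while the driving route is refused because the token lacks the driving scope.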