Watch the 5-minute Interview with Prof. Norbert Pohlmann.
dotmagazine: Safety is a key topic in the discussions around the evolution of self-driving cars. And while we are each sure of our own capabilities behind the wheel, it is to be hoped that the self-driving car can bring down the number of injuries and fatalities caused by human error.
But before we even think of fastening the safety belt, the connected car needs an IT security belt. dotmagazine spoke to IT security specialist and Member of the Board at the eco Association, Professor Norbert Pohlmann, about the challenges of securing connected cars.
Prof. Norbert Pohlmann: Connected self-driving cars - these will be very important ecosystems with a lot of different kinds of security requirements. To give you some examples: on the one hand, connected cars have a high requirement on real-time communication, and it is absolutely necessary that this communication has not been manipulated. Because if you manipulate the data, it can cause a fatal accident.
On the other hand, we have for example the insurance companies that also would like to have access to our data and to offer new insurance policies. And here we have high requirements on data protection. So we need an IT security concept which fulfills the different kinds of requirements.
dot: The connected car and the associated infrastructure are raising new challenges for the design of IT security.
Prof. Pohlmann: You have to see, we have the data stored and processed in the car, maybe on the edge, in the fog, but also in central cloud computing - for example, Artificial Intelligence - and it's really necessary that the data receives the same level of IT security at each level in the process. And therefore we need a comprehensive IT security concept and we need also a global security management system.
dot: And so, with products as complex as connected and self-driving cars, a security strategy needs to be developed that encompasses the entire value chain.
Prof. Pohlmann: We have to see that a lot of different organizations would like to have access to the data in our car, and we have different kinds of communication. We have car-to-car communication and we have car-to-infrastructure communication, and car-to-infrastructure communication means we have companies for self-driving services; we have the car companies who would like to have access to the car; we have entertainment companies; we have emergency calls; we have payment systems and we have charging stations; insurance companies; and all these companies have differing kinds of requirements and we have different kinds of security needs and therefore we need also an infrastructure, a security infrastructure. We set out to offer for each different kind of information the right security functions, and this will be a real challenge to build up such an infrastructure for cars.
dot: Coming back to the human element, it is often claimed that human nature is one of the greatest risks to IT security. So, is it possible to design connected car security to be independent of the user?
Prof. Pohlmann: What we really need is that we have security functions and trust functions as security by design in the car and so that most security functions work without the involvement of the user. But additionally we have to integrate the user very easily. We were involved in a project called SecMobile and here we developed a modern multi-factor authentication where the user uses his smartphone as a security device and they could use this smartphone for the authentication to open the car, to activate the charging station, to make authentication to the entertainment companies, and that makes it quite easy for the user.
Norbert Pohlmann is a Member of the Board and Director of IT Security at eco – Association of the Internet Industry. He holds two positions at Westphalian University of Applied Sciences, Gelsenkirchen: Professor of Distributed Systems and Information Security in the field of IT, and Managing Director of the Institute for Internet Security. Since April 1997, Prof. Pohlmann has been chairman of the management board of the German Association for IT Security TeleTrusT, the role of which is to establish trustworthy IT systems. Prof. Pohlmann is co-initiator and chairman of the program committee of the "Information Security Solutions Europe" conference (ISSE), which takes place annually in different European cities (Berlin, Barcelona, London, Paris, Paris, Vienna, Berlin, Berlin, Budapest, Rome, Warsaw, Madrid, The Hague, Berlin, Prague, Brussels, Berlin). In addition, Prof. Pohlmann is a member of the scientific advisory board of the GDD (Society for Data Protection and Data Security e. V.) and a member of the steering committee "Taskforce IT-Security" (Federal Ministry of Economics and Technology). For five years, he was a member of the "Permanent Stakeholders' Group" of ENISA (European Network and Information Security Agency), the European Community's security agency (www.enisa.europa.eu).