This interview is taken from the eco Association guidelines “Connected and Autonomous Mobility: Challenges in the fields of cyber security, data protection, and warranty and liability law”, to be published in English in early June 2019.
Cars are communicating more and more with each other and with their environment. As a result, they also attract the attention of cyber criminals. Prof. Norbert Pohlmann, Board Member for IT Security in the eco Association, calls on the industry to cooperate more, in order to jointly accomplish the greatest possible level of security.
Prof. Pohlmann, what are the IT security challenges in the Connected Car?
Prof. Norbert Pohlmann: In the past, the IT in cars was isolated from the outside world. As a result, unwanted access from outside was not possible. In the meantime, more and more systems in cars are connected, for example, for navigation or the automatic emergency call system eCall.
Added to this are systems for infotainment, or the automatic payment of parking fees and tolls, or Car-to-Car communication. In the future, cars will drive themselves. Then they will be dependent on even more information from the outside world – from the traffic control systems through to the traffic lights.
What are the specific dangers?
Prof. Pohlmann: Through extensive interconnection, complex IT ecosystems develop in which hackers can search for attack possibilities. As soon as they discover a vulnerability, they will exploit it. For example, they could attempt to place a blackmail Trojan and demand a ransom with the threat of immobilizing the car. The list of possible attack vectors is long, and we cannot expect cyber criminals to be more restrained with cars, on grounds of conscience, than they are in other areas.
Given the dangers, should we just forego connecting cars in the first place?
Prof. Pohlmann: Autonomous driving offers the opportunity to strongly reduce the number of traffic fatalities. Choosing not to take advantage of this opportunity due to a fear of failure is surely going in the wrong direction. Connected Cars will be safe if we make this our goal today. There are high expectations of the German automotive industry, when it comes to the reliability and security of the Connected Car. Manufacturers need to start working now towards fulfilling these expectations.
What do you expect specifically of the automotive industry?
Prof. Pohlmann: The automotive industry needs a collective strategy for the infrastructure of the Connected Car. Only in this way can secure and trustworthy data exchange be guaranteed for everyone. The core of this strategy must be cross-company standards – be it for the assistance systems, for recharging batteries, or for authentication to open and start the car.
Currently, every carmaker is working on its own infrastructure. This just increases both the complexity and the risk of vulnerabilities. Only by means of general standards and certificates that demonstrate a well thought-out, reliable, trustworthy, and secure infrastructure can the security of Connected Cars be ensured in the long run – a basic prerequisite for people to accept self-driving cars.
Norbert Pohlmann is a Member of the Board and Director of IT Security at eco – Association of the Internet Industry. He holds two positions at Westphalian University of Applied Sciences, Gelsenkirchen: Professor of Distributed Systems and Information Security in the field of IT, and Managing Director of the Institute for Internet Security. Since April 1997, Prof. Pohlmann has been chair of the management board of the German Association for IT Security TeleTrusT, the role of which is to establish trustworthy IT systems.
Prof. Pohlmann is co-initiator and chair of the program committee of the "Information Security Solutions Europe" conference (ISSE), which takes place annually in different European cities (which to date include Berlin, Barcelona, London, Paris, Vienna, Budapest, Rome, Warsaw, Madrid, The Hague, Prague, and Brussels). In addition, Prof. Pohlmann is a member of the scientific advisory board of the GDD (Society for Data Protection and Data Security e. V.) and a member of the steering committee "Taskforce IT-Security" (Federal Ministry of Economics and Technology). For five years, he was a member of the "Permanent Stakeholders' Group" of ENISA (European Network and Information Security Agency), the European Community's security agency (www.enisa.europa.eu).