Security is a moving challenge. What is secure today may not be tomorrow – especially if your product or business is successful. It’s the nature of the emerging IoT business. This is why resilience must be an important part of your approach to security and why IoTSF has highlighted it as an area for greater focus.

2015 has not been a great year for security in the automotive sector. There have been numerous hacks which have been widely publicised. It is indicative of a world we are moving into where previously dumb and unconnected products are now smart (?) and connected: cyber-threat is a new reality.

It’s not all bad. We already know a great deal and we can leverage that knowledge.

We asked industry veteran Richard Marshall (of Xitex Ltd., and one of the first movers to take up IoTSF membership) to give us a view from his vantage point – what can the automotive sector learn from the telecoms sector?

Over to you Richard:

Security is a moving challenge

Creating a secure IoT deployment model or how VW might have fixed their emission problem

The recent publicity surrounding the VW diesel emissions scandal is a good example of the product event that strikes fear into any company: the mass recall of a product. In VW’s case the impact on the company is a massive 40% reduction in the company’s share price. Unlike other automotive recalls, the root cause in this case appears to be not a mechanical problem but a software test mode in the engine control unit (ECU), which should not have been used in normal driving. VW have just announced that a software fix will be all that is necessary to make the diesel engine emissions regulatory compliant for some of the affected cars, but that the recall could take until the end of 2016.

As a thought experiment, let us consider the implications of being able to fix the emissions problem through a secure over-the-air (OTA) software update alone, ignoring any fuel economy impact of that update and the possibility that mechanical parts may also need changing.

At the moment the affected cars will need to be returned to a franchised dealer for the software update to be carried out, at significant cost to VW. The alternative would have been for the ECU to be built on a secure software and hardware architecture which ensures that only VW-authorised software can run on the ECU. This would defeat any attempt to install bogus software, as the cars would reject anything unauthorised.

Previously the idea of opening up cars to external update, without a wired connection from a manufacturer-authorised programmer in a garage, would have been a scary proposition. All sorts of situations could be imagined of cars being hacked or updated with bogus software, with all the associated disaster scenarios. With a secure architecture, however, OTA upgrade becomes a reality, whether over one of the obvious wireless technologies such as cellular 3G/LTE or over a WiFi air interface. Clearly there would need to be three critical elements to any such system: the cars being updated can authenticate the identity of the entity providing the update; the cars can authenticate the software update payload; and the servers providing the update have sufficient scalability to carry out a mass upgrade. If either authentication failed, the car would reject the update attempt. Obviously there would also need to be safeguards so that updates could only be applied when a car was at rest with the engine not running.
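The car-side checks described above, written out as an added Go example (this is not code from the post, from VW or from IoTSF). It assumes a manufacturer signing key (Ed25519) whose public half is pinned in the ECU, a small JSON manifest carrying a SHA-256 digest of the firmware image, and the names ECU, BuildUpdate, Verify and Apply, all of which are mine. The first check covers the identity of the entity providing the update, the second covers the payload, and Apply adds the at-rest safeguard; the anti-rollback check is an addition beyond the three elements the post names. The third element, server scalability, is an infrastructure property that a snippet like this cannot demonstrate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the small description of one firmware image that the manufacturer signs.
type Manifest struct {
	Model         string `json:"model"`
	Version       uint32 `json:"version"`
	PayloadSHA256 string `json:"payload_sha256"`
}

// Update is what a car receives over the air: manifest bytes, the signature over them, the image.
type Update struct {
	ManifestJSON, Signature, Payload []byte
}

// VehicleState is what the safety gate consults before an update is applied.
type VehicleState struct {
	SpeedKPH      float64
	EngineRunning bool
}

// ECU is the car-side verifier: pinned manufacturer public key, fitted model, installed version.
type ECU struct {
	Model         string
	TrustedPubKey ed25519.PublicKey
	InstalledVer  uint32
}

var (
	ErrUntrustedSigner = errors.New("rejected: manifest not signed by the trusted manufacturer key")
	ErrPayloadMismatch = errors.New("rejected: payload digest differs from the signed manifest")
	ErrWrongModel      = errors.New("rejected: manifest is for a different model")
	ErrRollback        = errors.New("rejected: version is not newer than the installed one")
	ErrNotAtRest       = errors.New("deferred: vehicle must be stationary with the engine off")
)

// BuildUpdate is the manufacturer side: hash the image, put the digest in the
// manifest, and sign the manifest (not the whole image) with the private key.
func BuildUpdate(priv ed25519.PrivateKey, model string, version uint32, payload []byte) (Update, error) {
	sum := sha256.Sum256(payload)
	mj, err := json.Marshal(Manifest{Model: model, Version: version, PayloadSHA256: hex.EncodeToString(sum[:])})
	if err != nil {
		return Update{}, err
	}
	return Update{ManifestJSON: mj, Signature: ed25519.Sign(priv, mj), Payload: payload}, nil
}

// Verify performs the two authentications the post calls for; any failure rejects the update.
func (e *ECU) Verify(u Update) (Manifest, error) {
	// 1. Authenticate the entity providing the update: only a signature made with
	//    the manufacturer's private key verifies under the pinned public key.
	if !ed25519.Verify(e.TrustedPubKey, u.ManifestJSON, u.Signature) {
		return Manifest{}, ErrUntrustedSigner
	}
	var m Manifest // parse the manifest only after its signature has been checked
	if err := json.Unmarshal(u.ManifestJSON, &m); err != nil {
		return Manifest{}, fmt.Errorf("rejected: bad manifest: %w", err)
	}
	if m.Model != e.Model {
		return Manifest{}, ErrWrongModel
	}
	// 2. Authenticate the payload: its digest must equal the digest that was signed,
	//    so a swapped or corrupted image is rejected even under a valid manifest.
	if sum := sha256.Sum256(u.Payload); hex.EncodeToString(sum[:]) != m.PayloadSHA256 {
		return Manifest{}, ErrPayloadMismatch
	}
	// Anti-rollback (my addition, not one of the post's three elements): an older,
	// still validly signed image must not be replayable onto a newer ECU.
	if m.Version <= e.InstalledVer {
		return Manifest{}, ErrRollback
	}
	return m, nil
}

// Apply adds the post's safeguard: install only when the car is at rest with the engine off.
func (e *ECU) Apply(u Update, s VehicleState) error {
	m, err := e.Verify(u)
	if err != nil {
		return err
	}
	if s.EngineRunning || s.SpeedKPH != 0 {
		return ErrNotAtRest
	}
	e.InstalledVer = m.Version // a real ECU would write the image to its inactive bank here
	return nil
}

func main() {
	// Constructed demo data: one manufacturer key pair, a toy image, and one ECU at version 7.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	ecu := &ECU{Model: "diesel-ecu-A", TrustedPubKey: pub, InstalledVer: 7}
	upd, _ := BuildUpdate(priv, "diesel-ecu-A", 8, []byte("firmware image v8 (constructed)"))
	fmt.Println("engine running:", ecu.Apply(upd, VehicleState{EngineRunning: true}))
	fmt.Println("at rest:", ecu.Apply(upd, VehicleState{}))
	fmt.Println("installed version now:", ecu.InstalledVer)
	upd.Payload = []byte("a different image presented under the same manifest")
	fmt.Println("tampered payload:", ecu.Apply(upd, VehicleState{}))
}
```

Signing the manifest rather than the image keeps the signed message tiny and lets the ECU stream a large image through a hash before committing to it; the digest in the manifest binds the two together. Note that the signature is checked before the manifest is parsed, so untrusted bytes never reach the JSON decoder.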

This type of software update problem has already been addressed in other connected device market sectors, notably the set-top box and cellular mobile markets. In these markets, whilst the ecological or safety impact is nowhere near as significant as in the automotive market, the sheer scale of the deployments, the security impact and the low product price make any mass recall virtually uneconomic.

The cellular market is standards driven, and the fundamentals of cellular base station security were designed around ensuring that the Mobile Network Operator’s core network was secure enough to meet regulatory requirements. The inception of Small Cells, little base stations that could be deployed outside the Mobile Network Operators’ core network, presented a number of challenges, not least the security implications, as well as possible RF degradation of the macro network. Thus the base station security standards became the starting point for the subsequent Small Cell ones. The other significant difference was the sheer scale of Small Cell deployments by comparison with macro base stations, with potentially hundreds of thousands or millions of Small Cells. Unlike their macro cell base station brethren, the upgrade of Small Cells had to be fully autonomous with no user intervention. In addition, if the software or settings were corrupted the Small Cells had to be able to repair themselves automatically, meaning that only hardware faults could be the reason for a product return. This drove the development of systems that could register and securely update millions of Small Cells, where the time to upgrade the software of a fleet of hundreds of thousands of Small Cells could be measured in hours.

With the security landscape being a dynamic one, and with both security and safety updates often critical to deploy, having the flexibility to roll out software updates in a scalable way allows prompt closure of such issues. Were such technologies cross-fertilised in a form suitable for the automotive market’s safety framework, delivering updates could be significantly lower cost and help ensure products remain safe and secure.

Setting aside the moral and legal implications that have arisen from the VW scandal, it does very clearly illustrate the need for OTA software updates for any mass-volume deployed product. The driver is the need to fix software-based IoT products, with their associated high deployment volumes, economically and promptly, whether the reason for the update is to rectify a safety, security or functionality issue.

In the specific case of VW, had OTA been available but not secure, imagine the outcry if the cars were subsequently fraudulently updated so as to obtain better fuel economy to the detriment of their emissions. If such a secure software update could have been rolled out across the affected cars within hours, or a day at the most, from when a fix was available, how much would that have mitigated the public relations, economic or potentially the regulatory impact on VW?


Richard Marshall has worked in a variety of fields, focussing on cellular wireless and consumer products in the last twenty years, covering wireless local loop, powerline networking, set-top boxes, 3G/LTE Small Cells and now Internet of Things products. He has worked for a variety of large multinational corporations such as Lucent Technologies and Sony, as well as being a founding team member in a number of start-ups. In the last of these, Ubiquisys, which was acquired by Cisco in 2013, he was technology champion for their global secure activation and supply chain for their Small Cells. He now provides consultancy on product and design strategy, including security, with an emphasis on the IoT sector. His experience in both the technical and commercial sides of Small Cell deployment technologies has given him a perspective on the security challenges of the IoT market.

As this scandal has demonstrated, the need for OTA software updates is driven by both safety and economic imperatives.