According to computer security expert Steve Gibson, it is a principle of cybersecurity that "attacks only get more capable over time".
As products become more connected and threats evolve, industry will need to be vigilant and responsive on cybersecurity, as illustrated by the first demonstration of a production car being remotely controlled over the internet.
Researchers demonstrated to Wired magazine and other media the ability to take control of major systems of a Jeep Cherokee SUV from a laptop, via its Uconnect connectivity and entertainment system, owing to the combined effects of at least two security missteps. On 23 July Fiat Chrysler Automobiles (FCA) issued a recall to patch the firmware of the 1.4 million affected vehicles, and Sprint (the wireless service provider) closed the open cellular connection that had provided unauthorised access to the vehicle network.
In the UK, support is available to businesses in the form of Cyber Security Innovation Vouchers for small businesses, Cyber Security Knowledge Transfer Partnerships and the forthcoming Cyber Security Pre-Accelerator Programme.
UK National Cyber Security Programme
The UK Government is investing £860m between 2011 and 2016 in the National Cyber Security Programme to protect and enhance the UK in cyber space, and recently announced Cyber Security Knowledge Transfer Partnerships (KTPs).
Innovate UK recently opened its Cyber Security Innovation Vouchers - Round 13 fund, offering up to £5,000 to SMEs, and Cyber Security Knowledge Transfer Partnerships worth up to £80,000 are available to businesses.
In addition, KTN is supporting the Cyber Security and Resilience team at the Department for Culture, Media and Sport, which is keen to support early stage innovation in the sector through the development of a new cyber security pre-accelerator programme for entrepreneurs.
Cyber Security Innovation Vouchers
The new Cyber Security Innovation Vouchers - Round 13 funding to protect small businesses from cyber attacks was announced by the Government in July.
The launch of the voucher scheme is part of a package of initiatives designed to increase the resilience of UK businesses to cyber-attacks. The package also includes a new online learning and careers hub to help ensure the UK has the cyber skills talent pool to protect both the public and private sectors as we face the reality of increasing cyber threats.
The new UK £1m cyber security innovation vouchers scheme will offer micro, small and medium sized businesses up to £5,000 for specialist advice to boost their cyber security and protect new business ideas and intellectual property. The scheme will be overseen by Innovate UK.
Vouchers enable firms to access services from the UK cyber security industry. This new scheme will also help businesses to adopt Cyber Essentials, a Government scheme to protect businesses online.
The National Cyber Security Programme is investing £860m between 2011 and 2016 to protect and enhance the UK in cyber space.
Cyber Security Knowledge Transfer Partnerships
Also announced was the new Cyber Security Knowledge Transfer Partnerships (KTPs). The Cyber KTP fund is worth £500,000, and is jointly funded by DCMS and Innovate UK. It will provide grants to encourage partnerships between academic institutions and cyber security companies to support innovation and to help the businesses improve their competitiveness and productivity. The funding of £500k is expected to support around 12 innovative cyber security projects.
The joint DCMS/BIS Digital Economy Unit (which includes the Cyber Security & Resilience Team) recently moved fully into DCMS, thereby creating a single, strong focus in Government on digital economy issues. Minister for Culture and the Digital Economy, Ed Vaizey, is the lead Minister, “The 2015 Information Security Breaches Survey stated that 74% of small businesses had a security breach that could cost the company anything from £75,200 to £310,800. As the number and cost of breaches have risen, it is important that companies ensure that they have appropriate cyber security. Government has produced cyber security guidance for small businesses”.
Funding of around £80,000 is available from Innovate UK to help businesses improve by working with a research organisation and a newly qualified graduate.
This funding covers part of the cost of a graduate working in your company on a specific innovation project. Your research partner will supervise the graduate's work.
You can apply for a KTP award if you are a UK business of any size; a large company with a focus on supply chains; a charity or not-for-profit organisation; a higher or further education organisation; or a private or public sector research and technology organisation.
If you would like to form a KTP you should contact a regional KTP advisor or university KTP office to discuss your project idea. KTP advisers will tell you if you are eligible and will work with potential partners to develop joint proposals. KTP is open to any business although some KTP competitions target businesses working in specific industry sectors.
UK cybersecurity research and innovation
EPSRC and Innovate UK previously announced a £5 million investment in a world-leading hub for cybersecurity research and innovation for Smart Cities and the Internet of Things.
The funding, from the Engineering and Physical Sciences Research Council (EPSRC) and Innovate UK, was awarded as part of a major expansion of the Centre for Secure Information Technologies (CSIT) at Queen's University Belfast. It will also be used to enhance security in virtual environments and connected devices, and to tackle emerging malware threats in order to detect and prevent fraud and personal information theft from laptops, smart phones and cloud storage.
Cyber Security Pre-Accelerator Programme
The Cyber Security and Resilience team at the Department for Culture, Media and Sport is looking to support early stage innovation through the development of a cyber security pre-accelerator programme.
This programme aims to address the gap between early stage and academic research on one side and commercially mature innovation on the other. It will serve to connect early stage ideas to more mature incubators and accelerators.
This programme plans to:
Support increased exploitation of cyber research, help identify new ideas, and facilitate development of entrepreneurial skills;
Help transform early stage ideas into viable propositions and potential new businesses;
Maximise the ability of new cyber ideas to receive the support they need to enable them to succeed;
And ultimately provide a pathway to connect early-stage ideas to incubators and accelerators.
Funding of up to £250,000 is available towards the setup of the programme, for organisations with innovative ideas and a track record of running pre-accelerator programmes that can help support the cyber security ecosystem.
KTN hosted a pre-procurement briefing event for potential bidders.
An invitation to tender is expected to be published in the EU Official Journal and on the Government Contracts Finder Website on 24 August 2015, with an expected closing date of 12 October.
National Cyber Security Programme
The Government is already supporting the UK cybersecurity industry through a five-year £860 million National Cyber Security Programme (NCSP).
Under the National Cyber Security Programme, government works to raise businesses' awareness of the threat from cyber crime and to encourage firms to use effective cyber security risk management practices.
The government has published tailored guidance for small businesses as well as a free online training package. The training covers fraud, cyber crime and staying safe online. Government also worked with industry to produce a cyber action plan for small businesses.
In 2013 it set up the Cyber Growth Partnership (CGP) to increase export market understanding and access; develop the UK's cyber offering and brand; and develop skills, research and innovation to support the UK sector and boost the UK's global market position in cybersecurity products and services.
The Cyber Growth Partnership (CGP) is made up of members from government, industry and academia and helps to deliver the UK's cyber security export strategy. It works to help UK cyber security companies increase their access to overseas and domestic markets, to develop and publicise the UK's offer and brand, and to increase the talent pool available to them in the UK. It is co-chaired by the CEO of BT, Gavin Patterson, and the Minister of State for the Digital Industries, Ed Vaizey MP, and aims to meet the UK government's export target of £4bn by 2020.
Vulnerability demonstrated in vehicles on the road - leading to a recall by FCA of 1.4 million cars
US government agency National Highway Transport Safety Administration (NHTSA) judged that the security issue raised by security researchers Chris Valasek, director of vehicle security research for IOActive and Charlie Miller, security engineer for Twitter, presented sufficient risk to safety to require a recall for affected vehicles.
As a result of the issue being highlighted to them by the researchers, FCA had previously started to distribute a firmware patch and the wireless access issue had been closed, but it was unlikely that sufficient vehicles would have been fixed without distributing the update directly to owners.
In correspondence with the agency submitted on 23 July 2015, Fiat Chrysler acknowledged the radios on about 1,410,000 Jeep, Dodge and Chrysler models equipped with the uConnect information and entertainment system, “have certain software security vulnerabilities which could allow unauthorized third-party access to some networked vehicle control systems. Exploitation of the software security vulnerabilities could lead to exposing the driver, the vehicle occupants or any other individual or vehicle with proximity to the affected vehicle to a potential risk of injury”.
As detailed in the Wired magazine article published prior to the recall, "Hackers remotely kill a Jeep on the Highway with me in it", from 2013 Chris Valasek and Charlie Miller were funded by the US Defense Advanced Research Projects Agency (DARPA) to survey the cyber security of a number of cars. The findings of that survey of 16 vehicles led them to examine Chrysler's Jeep more closely.
After a year of research they found that certain firmware modules were rewritable. Rewriting the firmware enabled access to the controller area network (CAN bus). In addition, they found a way to connect to the vehicle via its Uconnect entertainment system in such a way that they could take over instrumentation, disable the transmission and cut the engine, all remotely over the internet.
A hack described by security commentator Steve Gibson as "as bad as it gets".
Chris Valasek and Charlie Miller plan to present part of their research Remote Exploitation of an Unaltered Passenger Vehicle at the Black Hat conference on 5 August 2015 and at DEF CON on 8 August 2015.
Miller praised Fiat Chrysler and Sprint (the wireless provider for Fiat Chrysler's Uconnect system) for both taking action that fixed the vulnerability.
Fiat stated that exploitation of the software security vulnerabilities required extensive technical knowledge, physical access to a subject vehicle and a long period of time to write applicable code. But NHTSA's view was that successful exploitation of this security vulnerability could result in unauthorized remote modification and control of vehicle systems.
NHTSA said that Chrysler is currently notifying and mailing affected owners in the US, sending a USB drive that includes a software update that eliminates the vulnerability, free of charge. Optionally, owners may download the update to their own USB drive from http://www.driveuconnect.com/software-update/ or take their vehicle to a Chrysler dealer for immediate installation.
In its chronology of the issue submitted to NHTSA, FCA wrote that in January 2014 a penetration test conducted by a third party identified a potential security vulnerability pertaining to certain vehicles equipped with RA3 or RA4 radios.
“A communications port was unintentionally left in an open condition allowing it to listen to and accept commands from unauthenticated sources. Additionally, the radio firewall rules were widely open by default which allowed external devices to communicate with the radio. To date, no instances related to this vulnerability have been reported or observed, except in a research setting”.
The supplier (Sprint) began to work on security improvements immediately after the penetration testing results were known in January 2014. Improvements that addressed closing of the open communications port and upgrades to the radio firewall were introduced to production in July 2014 on 2015 MY products. Additional improvements that addressed short range vulnerabilities were introduced to production in January 2015 and July 2015, again on 2015 MY products as a running change.
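The two missteps in FCA's chronology, a command port listening for unauthenticated callers and a radio firewall that accepted everything by default, combine into a single exposure condition. The following audit model is an added example, not FCA, Sprint or researcher code; the service names, port numbers and bind addresses are constructed placeholders, and it shows that closing either layer (default-deny firewall, or binding the port to loopback) removes the exposure.

```python
"""Audit model of an unauthenticated command port behind a wide-open
firewall. Constructed example; nothing here is the real radio's config."""
from dataclasses import dataclass, field


@dataclass
class Service:
    name: str
    port: int
    bind: str            # "0.0.0.0" = every interface, "127.0.0.1" = local only
    authenticated: bool  # does the service check who is sending commands?


@dataclass
class Firewall:
    default_policy: str                 # "ACCEPT" (wide open) or "DROP"
    allowed_ports: set = field(default_factory=set)


def externally_reachable(svc: Service, fw: Firewall) -> bool:
    """Reachable from outside only if bound to a non-loopback address
    and the firewall lets the port through (default policy or allow list)."""
    if svc.bind == "127.0.0.1":
        return False
    if fw.default_policy == "ACCEPT":
        return True
    return svc.port in fw.allowed_ports


def audit(services, fw):
    """Names of services an unauthenticated remote party could command:
    the condition the FCA chronology describes."""
    return sorted(s.name for s in services
                  if externally_reachable(s, fw) and not s.authenticated)


# Constructed inventory (placeholder ports, not the real radio's).
SHIPPED_SERVICES = [
    Service("command-port", 50000, "0.0.0.0", authenticated=False),
    Service("media-stream", 50001, "0.0.0.0", authenticated=True),
    Service("diagnostics", 50002, "127.0.0.1", authenticated=False),
]
# Same services after re-binding the command port to loopback.
HARDENED_SERVICES = [Service("command-port", 50000, "127.0.0.1", False)] + SHIPPED_SERVICES[1:]

SHIPPED_FW = Firewall(default_policy="ACCEPT")                        # wide open by default
HARDENED_FW = Firewall(default_policy="DROP", allowed_ports={50001})  # default deny + allow list

if __name__ == "__main__":
    print("as shipped:", audit(SHIPPED_SERVICES, SHIPPED_FW))        # ['command-port']
    print("firewall fixed only:", audit(SHIPPED_SERVICES, HARDENED_FW))
    print("port re-bound only:", audit(HARDENED_SERVICES, SHIPPED_FW))
```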
All of these improvements were bundled into the 2013-2014 MY single service release issued in July 2015.
On July 14, 2015, FCA US’ Vehicle Regulations Committee approved an extended warranty program to provide free software updates to all affected vehicle owners. The committee also approved sending all affected customers an e-mail (where available) and a first class branded letter describing the importance of the software update as well as instructions of how to update their vehicles.
Not just cars have potential for vulnerabilities
Recent cyber security alarms show that concern over such vulnerabilities is not restricted to cars.
In June a cyberattack on the Polish airline carrier LOT grounded more than 1,400 passengers at Warsaw's Frederic Chopin Airport.
The attack occurred on 21 June 2015, and targeted the airline’s ground operations system, the carrier said in a statement.
The incident, which led to the cancellation of 10 flights departing from Warsaw, was resolved by 9:00 pm.
"This is the first attack of its kind," LOT spokesman Adrian Kubicki told TVN 24 television.
Alejandro Rivas-Vásquez, head of cyber at professional services firm KPMG, also recently highlighted the cybersecurity risks of UK rail signalling technology: "In contrast to air and highways, rail is behind in adoption of new technologies and managing associated risks."
The focus for the £20 million Connected and autonomous vehicles competition is connectivity, autonomy and customer interaction – along with catalysing new business models, but proposals should also consider safety and reliability.
Within the thematic areas, collaborative R&D proposals must address system validation tools and methodologies including security.
There is a requirement for cyber security measures in the Department for Transport's Code of practice for testing of automated vehicle technologies.
The code advises manufacturers providing vehicles, and other organisations supplying parts for testing, to ensure that all prototype automated controllers and other vehicle systems have appropriate levels of security built into them to manage any risk of unauthorised access.
It adds that testing organisations should consider adopting the security principles set out in BSI PAS754 Software Trustworthiness - Governance and management - Specification or an equivalent.
New policy unit - Centre for Connected and Autonomous Vehicles
The Department for Transport and Department for Business, Innovation and Skills (BIS) also recently announced the establishment of a joint policy unit, the Centre for Connected and Autonomous Vehicles (C-CAV), to co-ordinate government policy on driverless cars and connected technology.
C-CAV is currently working on a range of new technological developments, including plans to test new roadside communication technology to improve traffic flow and safety through ‘connected corridors’.
This would pilot technology that will provide drivers with useful journey and safety information.
FCA example ‘just the beginning’
The lesson from the Fiat Chrysler case, according to cybersecurity expert Steve Gibson commenting in his podcast Security Now, is that "Everybody acted as well as they could given that this problem existed in the first place".
"But", he concluded, "I think this is just the beginning".