Sunday, August 6, 2017

UK DfT guidance on Security for Cars

The Department for Transportation (DfT) of the UK just released a guidance on Security for connected cars. This is part of the CNPI and the overall State strategy for Security. It comes when the US also is drafting new legislation with the IoT Cybersecurity Improvement Act.

My first thought was we officially entered an era where products are regulated for Security just like food has been for decades. This is most welcome. Just a few months ago I bought a cheap surveillance camera and while trying to secure it well beyond the (ridiculous) level from factory, I realised it was running the same firmware that Mirai was exploiting.

This would not really be a problem because they all run some custom Linux and it never takes too long to get access to it to try to harden it. Where the firmware stopped, a firewall, some logging or even a blind would do the trick. Problem is I really do not want to spend hours doing this for any device and keeping up with all vulnerabilities, botnets and whatnots just for one of the devices that costed £30. Trying to update the firmware only showed that nothing had been released in months.

The automotive industry and the connected gadget one have very different problems. For example, whereas car manufacturers have a reputation to protect and resources to maintain firmware, distribution/updating is complex. For connected gadgets, reputation for an Amazon seller means nothing and cost is the primary driver. Maintaining software or having a customer service easily drains the razor-thin margins, at their current operating models (it does not need to be so).

These regulations are one confident step to change everything. In the US, one of the aspects of the Act seem to be the obligation to release software updates. In the UK, one of the principles is accountability of the board and a requirement for post-sale and "product after-care".

No comments:

Post a Comment