Newly announced vehicle SOC will require unique set of skills, policies


A Google self-driving car is parked at the Computer History Museum in Mountain View, California. (Don DeBold from San Jose, CA, USA, CC BY 2.0 https://creativecommons.org/licenses/by/2.0, via Wikimedia Commons)

McAfee and Panasonic this week announced a joint venture to create a commercialized security operations center (SOC) specifically intended for autonomous vehicles – the latest sign that the cyber industry is starting to seriously ramp up efforts to address the unique safety and security challenges that connected cars will bring to the market.

“With the innovative development of autonomous driving, the advancement of digitalization, and the increasing number of connected cars, the risk of cyberattacks against automobiles is increasing every year,” read a press release from the two companies. “The Vehicle Security Operation Center will enable the provision of monitoring services to monitor connected cars around the world and contribute to the development of a safe and secure mobility society.”

It appears the time is now for vehicle SOCs (VSOCs), especially with regulators setting certain expectations for the automobile industry. Indeed, “due to some specific requirements within the new UNECE (United Nations Economic Commission for Europe) cybersecurity regulations that affect the majority of the world’s vehicle manufacturers, demand for vehicle SOC services is increasing rapidly,” said Andy Davis, global transport practice director at NCC Group. Consequently, “automotive managed detection and response services are being explored by a number of companies around the world.”

But there are several unique challenges to creating a VSOC, and a unique set of skills, capabilities and technologies will be required to guarantee a successful operation.

“The vehicle to be monitored is, itself, a collection of advanced technologies and systems. And because there are tens of millions of them, the complexity and number of monitoring targets is completely different from traditional SOCs,” McAfee and Panasonic said in a series of joint responses to questions that SC Media sent them. “In particular, unlike personal computers, vehicles have not been standardized, and it is difficult to analyze unless parts are actually developed as Tier 1.” (Tier 1 suppliers provide parts or systems directly to OEMs.)

Benjamin Vaughan, director of cyber defense solutions, North America at Thales, said one key technical concern will be how to import logs from the vehicle platform to the SOC in real time “without incurring excessive costs.” Another issue, according to Davis, is avoiding false-positive results, as “a fleet of tens or hundreds of thousands of cars could potentially generate a large number of alerts. And, therefore, it is critical to understand which alerts are the real ones and which are false positives.”

Other technology questions could pose challenges on the OEM side of the equation. According to Davis, this includes determining where to install attack-detecting sensor technology, and managing the development and integration costs of adding an intrusion detection software layer in a car’s embedded computers. Davis also noted that dedicated intrusion detection devices “can actually introduce new security vulnerabilities to a connected car, as they increase the attack surface,” potentially adding new risks that car manufacturers and their SOC providers must then contend with.

Beyond technical challenges, there’s also a matter of finding people with the right know-how. Vaughan said that includes understanding the unique “blend of IT and OT systems on board the vehicle that need to be monitored.”

“With traditional IT environments, the threat is principally loss of data. However, with an autonomous vehicle, there is also a risk of physical damage and destruction,” Vaughan said. “The analysts/engineers would need to understand, for example, how the different systems on board control propulsion, steering, braking, etc. Skills in areas such as mechanical, automation and aeronautical engineering would be combined with cyber security experience, something that is certainly not needed in traditional IT environments.”

Moreover, Vaughan continued, “It will be important for an analyst to truly understand the pattern of life of the vehicle/platform they are monitoring to not only spot threats and vulnerabilities but also provide direction and guidance on the best means to secure a vulnerability.”

Additionally, SOC-related IT skills and experience will be important attributes, “and a deep understanding of automotive IDS and automotive SIEM is needed” as well, said McAfee and Panasonic. “They need to carry out a risk assessment regarding cyberattacks against in-vehicle networks, and have ideas about how to respond and a firm grasp on the matter.”

With that said, however, better technology can help reduce the amount of SOC analyst training needed for at least the more basic level of attacks.

“If the alerting solution that integrates with the VSOC provides clear and concise information about the origins and impact of each alert, then the SOC analysts should only require minimal additional training,” Davis said. “So, essentially, the amount of training required will be down to the quality of the detection and alerting solution. However, where more complex attacks are detected, second- and third-line analysis will still be required, which will require specialist automotive cyber security knowledge and expertise.”

And then there are policy challenges, the most significant of which is what to do when a cyberattack is actually transpiring while the car is actively being operated.

Davis at NCC posed a series of critical questions: “Who do you inform about the attack? The driver? The dealership where the car was purchased? The vehicle manufacturer? Then, what action do you take? Put the car into ‘limp home mode’ to reduce potential safety risks to the driver and occupants? Or maybe just display a warning on the dashboard that a serious problem has occurred and the driver should pull over when it is safe to do so? These are all operational challenges that need to be considered by vehicle manufacturers considering implementing a VSOC.”

And it’s not just cars. Similar policies will have to be determined for all autonomous vehicles, including drones or unmanned aerial vehicles (UAVs). “For example, with a UAV, would you be patching software during a live flight, on the ground, during maintenance periods?” Vaughan asked. “All these things would need to be considered by the team providing the protective monitoring and any follow-up remediation or incident response.”

As part of the partnership between McAfee and Panasonic, the former will be providing its experience with building and supporting SOCs and managed security services, while the latter brings to the table its Automotive Intrusion Detection System, which mounts on a vehicle and transmits analysis data following a detected attack to the vehicle SOC and a Security Information and Event Management (SIEM) system.

“The Automotive Intrusion Detection System and the Automotive SIEM detect intrusions into an in-vehicle network by monitoring network communication and host operation and condition,” McAfee and Panasonic said. “It is about to be implemented in vehicles as a countermeasure against cyberattacks. Panasonic has been working on the development of the Network Intrusion Detection System such as CAN [Controller Area Network] and Ethernet monitoring, and the development of the Host-based Intrusion Detection System in IVI [in-vehicle infotainment] systems, and some of them have been installed in IVI.”
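Two threads run through the piece: an in-vehicle IDS that watches CAN traffic (the final quote) and a VSOC that must separate real alerts from false positives across a fleet of tens or hundreds of thousands of cars (Davis's point). The example below is added here to illustrate both and is not Panasonic's IDS or any code from the article; the candump-style log format, the arbitration IDs, the timing rule and the vehicle identifiers are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median
def parse_can_log(lines):
    """Parse constructed candump-style 'seconds id#payloadhex' lines, time-ordered."""
    frames = []
    for line in lines:
        ts, rest = line.split()
        can_id, payload = rest.split("#")
        frames.append((float(ts), int(can_id, 16), bytes.fromhex(payload)))
    return sorted(frames, key=lambda f: f[0])

def learn_periods(frames, min_samples=3):
    """Baseline: median inter-arrival time of each cyclic arbitration ID."""
    last, gaps = {}, defaultdict(list)
    for ts, cid, _ in frames:
        if cid in last:
            gaps[cid].append(ts - last[cid])
        last[cid] = ts
    return {cid: median(g) for cid, g in gaps.items() if len(g) >= min_samples}

def detect_timing_anomalies(frames, periods, tolerance=0.5):
    """In-vehicle NIDS rule: a frame arriving far sooner than its ID's learned period
    is an extra frame on the bus (an injected one sits between the genuine ones)."""
    last, alerts = {}, []
    for ts, cid, _ in frames:
        if cid in periods and cid in last and ts - last[cid] < tolerance * periods[cid]:
            alerts.append({"ts": ts, "id": cid, "gap": ts - last[cid]})
        last[cid] = ts
    return alerts

def triage_fleet(alerts_by_vehicle, min_vehicles=2):
    """VSOC side: an ID firing on many vehicles at once is prioritised; a single-vehicle
    hit is queued for review, not dismissed (it may be a glitch or a targeted attack)."""
    vehicles = defaultdict(set)
    for vin, alerts in alerts_by_vehicle.items():
        for a in alerts:
            vehicles[a["id"]].add(vin)
    return {cid: (len(v), "priority" if len(v) >= min_vehicles else "review")
            for cid, v in vehicles.items()}

# Constructed sample traffic (not real vehicle data): 0x0C0 cyclic at 10 ms, 0x1A0 at 20 ms.
BASELINE = ([f"{i * 0.010:.3f} 0C0#{i:02X}00" for i in range(20)]
            + [f"{i * 0.020:.3f} 1A0#10{i:02X}" for i in range(10)])
VEHICLE_A = BASELINE + ["0.0503 0C0#FF00", "0.0506 0C0#FF00"]  # burst on a cyclic ID
VEHICLE_B = BASELINE                                          # clean
VEHICLE_C = BASELINE + ["0.1205 0C0#0C00"]                    # one stray early frame
PERIODS = learn_periods(parse_can_log(BASELINE))
def run_demo():
    fleet = {"VIN-A": VEHICLE_A, "VIN-B": VEHICLE_B, "VIN-C": VEHICLE_C}
    return triage_fleet({vin: detect_timing_anomalies(parse_can_log(log), PERIODS)
                         for vin, log in fleet.items()})
```

Running `run_demo()` on the constructed fleet reports the 0x0C0 timing alert on two of three vehicles, which is the kind of cross-vehicle context a VSOC analyst needs before deciding whether a single car's alert is noise or an attack.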