Guest blog: Government security guidelines take necessary step

Richard Bellairs

In a guest blog, Richard Bellairs from PRQA welcomes UK government guidelines on automotive cyber security

As cars gain increasing amounts of driver assistance features that not only warn the driver but also take control, the threat of a cyber attack becomes more than an annoyance; the real danger now exists that a hacker could cause a car to crash on a public road. As the automotive industry continues its journey towards autonomy, this threat will increase.

While those in the automotive industry have been waking up to this danger over the past few years, it is refreshing to see that at last governments are also becoming aware and reacting. I was particularly interested in the guidelines put out by the UK government in August this year.

Under the title “The key principles of vehicle cyber security for connected and automated vehicles”, they laid out eight principles that the government believes should be followed throughout the manufacturing supply chain, from designers and engineers all the way up to senior-level executives. In fact, the first principle insists that personal accountability for product and system security should sit at board level. Obviously, this should be delegated appropriately, but companies must ensure that awareness and training are implemented to embed what the guidelines call a culture of security, and that engineers embrace the idea of security by design.

The guidelines take this further by recommending that companies take steps to keep up to date with current threats and implement appropriate risk assessment procedures, including in the supply chain. Where appropriate, this should involve collaboration with third parties, subcontractors and suppliers. Various parties should work together to ensure systems safely and securely interact with external devices. Suppliers should be able to provide assurance such as independent validation or certification.

There are also guidelines on having security in depth, with no single point of failure. This involves reducing the attack surface wherever possible.

And the problem does not end when the hardware or software leaves the company, as aftercare must be in place over the product’s lifetime, including after-sales support services and incident response plans.

Other principles include making sure the storage and transmission of data are secure and that a system can respond to an attack and react appropriately if its defences or sensors fail. The latter includes failing safe if safety-critical functions are compromised.

However, I was particularly interested in principle six, as its call for adopting secure coding practices is close to my heart. These should be able to manage risk from known and unknown vulnerabilities in software, including existing code libraries. Procedures to manage, audit and test code should be in place.

The experience of our customers shows that the adoption of secure coding practices, supported by a comprehensive code quality management system with static analysis tools, can be extremely effective for reducing the risks from security vulnerabilities in software. I look forward to the adoption of this principle in the future regulatory framework for autonomous vehicles.

These government guidelines are welcome as I see them as a necessary step to making vehicles safer and allowing the industry to realise its vision of autonomous driving.

Richard Bellairs is product marketing manager with PRQA

www.prqa.com
