The government’s plans to tighten up the law on data protection and stiffen penalties for breaches will have prompted many firms to review their IT security measures. But what of company vehicles – increasingly connected assets representing a new target for hackers? Director asks experts in the field to explain the main threats and recommend the best ways to counter them
In August the government announced its intention to strengthen the law on data protection through a bill that, once enacted, promises to give individuals greater control over what others do with their personal information. British businesses will already be acutely aware of the headline punishments planned for those that fail to safeguard data they hold on employees and customers: fines of up to £17 million, or four per cent of global turnover, await the worst offenders.
Although boardroom discussions about this issue might naturally centre on the integrity of office IT systems and portable devices, what of those other mobile business machines that can handle a large volume of sensitive information and also potentially be hacked? The threat of cyber attacks on company cars, vans and lorries is predicted to loom ever larger as society embraces connected and, ultimately, autonomous vehicles. With semi-automated truck convoys due to be tested on British roads next year, the targeting of vehicles by cyber criminals is clearly a risk that anyone responsible for managing a fleet – and, indeed, safeguarding data – needs to address.
According to the Society of Motor Manufacturers and Traders, more than 1.5 million British motorists are leaving showrooms in vehicles that can be classed as connected every year. In essence, these are powerful computers on wheels, fitted with Sim cards that enable vast amounts of data to be transmitted and received over wireless networks in real time. Their telemetry offers numerous advantages for drivers and fleet managers alike. For instance, they can detect potential mechanical problems before these cause a breakdown; warn of road congestion ahead in good time and calculate the optimal alternative route; and encourage people to become better drivers by highlighting unsafe and uneconomical habits, such as harsh acceleration and heavy braking.
These benefits, along with a number of other advances that connected vehicles offer with respect to safety, convenience and cost-efficiency, are clearly welcome, but the supporting technology is susceptible to hacking.
So says Daniel Prince, a lecturer in cyber security at the University of Lancaster. “Cyber crime is a key threat to business in our digital economy, but this is becoming less about the theft of intellectual property or money from corporate accounts. It’s now more about the impact on operational activity,” he says. “This point was hammered home recently when we witnessed global ransomware attacks that crippled organisations as diverse as the NHS and car manufacturers.”
Prince, who is also an associate director at Security Lancaster, a unit of the university that works closely with businesses to combat cyber crime, notes that the emergence of smart vehicles “presents a challenge for business motoring: it has already been shown that they are vulnerable to local and more remote attacks. It’s possible for unauthorised individuals to control vehicle operations remotely and obtain tracking data. There is potential for vehicle-based ransomware to make a whole fleet unusable. Companies could also face liabilities by unintentionally exposing personal information about their employees.”
Prince expects this form of cyber crime to evolve rapidly, with offenders even gaining the ability to clone intelligent car keys. “Beyond this, there is potential for them to track delivery lorries and target products in transit for theft,” he says, adding that such a development not only poses a risk to physical assets; it also presents a threat to the individuals transporting those goods. This exposes the employer to further “duty-of-care challenges”.
Mobile data centres
The fact that vehicles are, in effect, becoming “mobile data centres” is at the root of the problem, according to Paul Harris, managing director of cyber security consultancy Secarma. “As with all networked computers, they have vulnerabilities that criminals are already seeking to exploit,” he says.
Harris explains that there are three main points of entry to a connected vehicle’s systems:
- The control area network bus. Mechanics will use this connection method during the servicing process. They have to hook up a diagnostic laptop by cable, so an offender would require physical access to the vehicle to infiltrate its systems this way.
- Wireless networks such as 3G, 4G, Wi-Fi and Bluetooth. These can be attacked remotely from varying distances.
- In-car infotainment systems, which present a new and fast-emerging security risk, according to experts.
“With their incorporation of 3G and 4G networking, cars are resolutely part of the internet of things,” Harris says, stressing that the potential threats posed by wireless access might not stop at data breaches or vehicle theft. “Features such as automatic parking are entering the market. If it became possible to control a vehicle’s movements remotely, for instance, the potential impact of cyber attacks would worsen.”
The good news is that the automotive industry is co-operating to deal with the threats. Manufacturers have foreseen the need for greater cyber security by creating standards, working groups and review boards to address issues of safety, reliability, security and privacy. Establishing cyber security standards, for instance, is high on the agenda at Thatcham Research, an automotive research centre established by the British motor insurance industry with a mission to improve vehicle safety and minimise the cost of claims. The organisation is a founder member of the 5*Stars cyber security consortium for connected vehicles.
Steve Launchbury, lead automotive security engineer at Thatcham Research, believes that the key to keeping the criminals at bay is “the effective management of data. In order for business drivers to benefit from many of the features that are increasingly present on connected vehicles, there are numerous layers of security that should be considered,” he explains. “One of these would be the safeguarding of vehicles or personal data from the risk of remote access. For instance, the driver’s smartphone plays a crucial role in many of the connected functions that are becoming more common in cars. The consideration for businesses is to ensure that, if the phone is linked to the vehicle’s systems via Bluetooth, any personal or corporate information that could be accessed through the device is protected.”
Employers must balance the requirement to manage this risk against the need to preserve the features that make connected cars so much more convenient to use, Launchbury adds, noting that Thatcham Research is examining the issue as part of a consortium-led group and working to “establish standards against which all vehicles will be assessed”.
There is broad agreement among cyber security experts that the best way forward is to adopt a co-operative “risk-based” approach to the problem. This requires fleet operators to have a good grasp of the main issues, according to Prince. “Companies need to understand all the capabilities of their connected fleets. The best way to do this is in a collaborative way, working with cyber security specialists to ensure that they have full appreciation of their exposure and are therefore able to form comprehensive strategies to mitigate the risks,” he says.
These strategies, and the processes for formulating them, will vary depending on the size and composition of an organisation’s fleet and how its vehicles are used. But all of them are likely to require employees to sign up to a carefully constructed mandate. Such a document should explain to drivers of leased vehicles that they will need to erase their data from in-car applications such as satnav systems and telephone directories when returning them at the end of a contract, according to Samantha Roff, managing director of Venson Automotive Solutions.
“This ensures that personal details such as the driver’s home address and phone number aren’t shared,” she says. “In the first place, the business and the employee will need an audit trail of what data has been requested [by the leasing firm] – and signed authorisation from the driver. The mandate should also inform the driver of the purposes for which that data is being used.”
Roff continues: “Drivers of company-owned cars, meanwhile, need guidance when it comes to registering for the additional services that manufacturers offer. In my experience, drivers often accept the terms and conditions attached to such services without reading the small print. This could mean that they are signing up for their information to be collected by, or provided to, the manufacturer or other third parties during their ‘ownership’ of that vehicle.”
Prince observes that companies need to weigh “the cons as well as the pros” before adding connected vehicles to their fleets. “It’s only when they flex their buying muscles and ask awkward questions that they’ll be able to gain a better understanding of the risks facing them in the new era of the intelligent vehicle,” he says. “Chief among these questions should be: ‘Has the vehicle you’re trying to sell me been through robust cyber security testing?’”
Who owns the information?
The data-handling process is clearly set to become more complex for any firm that’s building a fleet of connected vehicles. As things stand, it’s the manufacturer that owns the data they produce, but the government is facing calls to provide clarity on the legal position and specify which parties should have access rights. For instance, if a company hires a car for an employee to visit clients in different locations over a week, does it not have a claim on the data generated by the vehicle on that business trip? Or should this material belong to the hire firm (or, indeed, the employee) in addition to – or even instead of – the manufacturer?
The government’s decisions are expected to form part of draft legislation on data ownership to be issued in relation to a planned bill covering connected and autonomous vehicles. But, for the time being, there is broad agreement among manufacturers that the primary user – ie, the driver – should be at the heart of any consent process with respect to data sharing.
Roff is concerned by the risk that any new procedures established by the forthcoming legislation could place an undue bureaucratic burden on the users of connected vehicles.
“A daily rental car could be used by numerous individuals while belonging to a single registered keeper. Although the principle of consent underpins the handling of all personal data, there is a risk that poorly considered permission procedures – for instance, requiring every driver to consent to data collection each time they get behind the wheel – would be onerous and, ultimately, an annoyance that would discourage
people from using connected vehicles,” she says. “In the case of rental or company fleets, the onus is therefore on either the primary user or the registered keeper, depending on their contractual agreement, to perform or request a factory reset of personalised connected services on a vehicle they have driven before it is passed on to a new primary user.”
Edmund King, president of the AA, sums up the current situation thus: “Connected cars offer drivers a vast array of new and exciting services, plus they can help in the event of breakdowns and crashes by alerting the relevant authorities automatically. But it’s clear that drivers may be unaware of just what information is collected, how it is used, who owns it and how it is protected. From our research, it’s become clear that most drivers think that the car’s owner or driver should own the data.”
How’s my driving?
While people are generally comfortable with sharing information about the mechanical condition of the vehicles they use, they are less happy to reveal data on where or how they have driven them, a recent survey by the British Vehicle Rental and Leasing Association (BVRLA) has found.
The BVRLA’s chief executive, Gerry Keaney, stresses the need for employers to ensure that they always fulfil their responsibility for data protection. “Employers have a duty of care to protect employees that extends to protecting their personal information. Employees have the rights of any ‘data subject’ under the Data Protection Act 1998,” he says, noting that they will have further powers when the EU General Data Protection Regulation (GDPR) comes into force in the UK next May.
“It’s important that employers meet their obligations, regardless of whose personal data it is,” Keaney says. “Employers should have appropriate processes to prevent any type of security breach, be it the accidental or intentional destruction, loss, alteration or unauthorised disclosure of data. When employers are looking to start monitoring, they should always make their employees aware of its nature and extent, along with the reasons for it. Regardless of the purpose, it’s important that employers conduct an impact assessment beforehand and comply fully with the law on both human rights and data protection thereafter.”