Steering the course of cybersecurity in the automotive industry with PKI 

Today's cars are rapidly evolving into sophisticated machines, complete with intricate communication systems, autonomous functions, and extensive connectivity capabilities.  

The rise of connected cars and the promise of autonomous vehicles have thrust the automotive industry into a new era. However, as the digital horizons of vehicles expand, so do the threats that lurk in the cyber shadows. Cybersecurity, once a concern limited to traditional computer systems, has now become paramount in ensuring the safety and reliability of our modern vehicles, and the automotive industry is now on the journey of implementing the NIS2 directive in order to enhance cyber resilience and mitigate damages caused by cyber incidents.  

This article seeks to illuminate the essential role of public key infrastructure, or PKI, in anchoring cybersecurity within the automotive domain. Through our exploration, we will understand how PKI acts as a formidable bulwark, safeguarding vehicle-to-everything (V2X), Plug & Charge,  vehicle-to-cloud (V2C) and Secure Over-The-Air (OTA) communications from cybersecurity incidents —but as with all technological advancements, there are still hurdles to overcome.

The current landscape of connected cars and cybersecurity 

As the march of technology continues, vehicles are no longer isolated entities traveling our roadways. They have become part of an interconnected web of devices, constantly transmitting and receiving data. These connected cars, whether fully autonomous or with advanced driver-assistance systems, communicate with each other, infrastructure, and even pedestrians.  

In parallel with the cybersecurity advancements for connected vehicles, global environmental incentives are reshaping consumer choices. For example, the Canadian government offers sale incentives of $2,500 to $5,000 to citizens to purchase an electric car, demonstrating a commitment to adopting more eco-friendly transport solutions.  

While this increased connectivity offers revolutionary benefits, from improved safety to reduced traffic congestion, it simultaneously introduces new cyber vulnerabilities.

Understanding PKI in the automotive Industry 

Public Key Infrastructure, or PKI, is not a new concept—having historically been utilized to secure online communications, transactions, and identities, PKI's potential has also been recognized in the automotive sector.  

At its core, PKI uses a combination of private and public cryptographic keys to encrypt, decrypt and sign. To make it scalable and more user-friendly the public key is added to a digital certificate issued by a Certificate Authority (CA), which validates the identity of the certificate holder and provides the means for secure communications. 

For vehicles, this translates to secure exchanges of information.

Vehicle-to-Everything (V2X) communication 

The overarching concept of V2X encompasses both V2V (Vehicle-to-Vehicle) and V2I (Vehicle-to-Infrastructure) and technology for communication between vehicles and roadside infrastructure, e.g., traffic lights and cameras. V2X is standardized by ETSI in Europe.  

As vehicles share information about speed, direction, and potential hazards, the ability to trust this information becomes paramount. If given the opportunity, an attacker might provide false data, leading to confusion or even accidents. 

While V2V focuses on vehicle interactions, V2I communications cover the exchanges between vehicles and infrastructural components like traffic lights, sensors, and road signs. 

V2X security relies on a PKI, as per the ETSI standard. With PKI, each vehicle is equipped with digital certificates that ensure the authenticity of the messages used in the V2X communication. Furthermore, specific V2X PKI characteristics ensure privacy and prevent tracking of vehicles' driving behavior. Vehicles and infrastructure components can trust the information they receive from other vehicles and infrastructure components.

Plug and Charge communication  

Plug and Charge (PnC) is a consumer-friendly technology for charging electric vehicles: It offers the frictionless experience of charging with an automated, cashless payment process. Plug and Charge sets the vision of an open and interoperable charging ecosystem, where any vehicle can charge at the charging stations of any operator, independently of geographical location and of the business party supplying the charging contracts. Payment is carried out seamlessly without the driver's interaction.  

In such an open ecosystem with many independent business entities, electric vehicles, charge stations, and Internet-based backend systems must be able to trust each other's equipment and data in terms of communication and data security so that charging transactions are legally safe and criminals are prevented from misusing the infrastructure. 

The international standard ISO 15118 specifies the technical implementation of vehicle-to-charge-station communication and the handling of the charging contracts for PnC. Under the hood, PKI is used for secure identification, authentication, digital communication, and contract management.

Vehicle-to-Cloud (V2C) communication 

Another important use case is V2C. Where V2X is great for information that needs to be near real-time, there are also use cases where the opposite applies. By sending information to the vendor backend, it can be shared with cloud systems (Interchange nodes); this information can then find its way to other traffic participants. While V2X is about communication in the closest proximity, V2C covers use cases beyond that, both in time and space. Imagine a car driving in a rural area, detecting that the road is very slippery (e.g. through unexpected wheel spin). V2X communication may not bring much value if there are no other vehicles in the area to notify about this hazardous condition. When the information is provided to the backend system though, it can be forwarded to other vehicles driving on that road at a later point in time – V2C. 

Also, for this communication, security is essential, and PKI has been adopted as the industry de facto standard, providing vehicle and backend system authentication, data integrity, and confidentiality.

Secure OTA

Secure OTA encompasses a multitude of additional connected vehicle use cases. 

Vehicles continuously transmit data to the vendor backend for data collection for data mining/big data purposes, giving the vehicle vendor valuable insights into how their vehicles are driven, what conditions they face, etc. This constitutes important input to their product development, customer relationship handling and general business decisions – "data is the gold of the 21st century". However, for the data to provide real value, it must be trusted. If the originator or the integrity of the data cannot be proven – it provides no value as business decision input. 

Another connected vehicle use case is remote monitoring. By monitoring vehicle driving data, the vehicle vendor can for instance detect deviations from expected values and trigger predictive maintenance or offer value-added services based on driving behavior. Again, being able to trust the collected data is a prerequisite for these use cases. 

Finally, remote update of vehicle software and firmware enables problem fixing and new functionality in vehicles when they are already in the field without the need to prompt the vehicle owner to bring it to a physical workshop. This provides improved user experience and also decreases costs for the vehicle vendor. Furthermore, new cybersecurity regulations, like the Cyber Resilience Act (CRA), impose providers of connected devices to be able to ensure that they are secure from cyber-attacks also when in the field by being able to remotely provide firmware updates that fixes discovered security flaws. Before new software is installed in a vehicle, it must be verified that the software comes from the intended provider and that it has not been altered on the way to the vehicle. 

In all these Secure OTA use cases, the built-in authentication, data integrity and confidentiality features of PKI provide the perfect instrument for ensuring secure communication. 

Challenges in automotive PKI implementation 

While the benefits of integrating PKI into the automotive industry are evident, the path to its full realization is not without challenges: 

  • Scalability: The number of vehicles and infrastructural components that need digital certificates is vast, meaning that the PKI system for the automotive sector needs to be highly scalable and capable of issuing, validating, and revoking millions of certificates in real-time. 
  • Lifecycle management: Digital certificates have a finite lifespan. Managing the lifecycle of these certificates—issuance, renewal, and revocation—is complicated, to say the least, especially given the potential long lifespan of vehicles compared to traditional IT devices. 
  • Diverse Ecosystem: The automotive industry involves various manufacturers, suppliers, and third-party entities. Creating a standardized PKI solution that fits all stakeholders' requirements while maintaining the highest security standards is a daunting task.

Mitigating the challenges 

In response to these challenges, the industry is witnessing collaborations between automotive manufacturers, technology providers, and cybersecurity experts. Cross-industry partnerships are working to develop scalable PKI solutions tailored for the automotive sector. 

Open standards and protocols are also being developed, allowing for a consistent approach to cybersecurity across different vehicle brands and models. Lifecycle management is being addressed with over-the-air (OTA) updates, allowing for the remote renewal or revocation of certificates, thereby ensuring that vehicles remain secure throughout their operational life.

Embracing the digital evolution 

As vehicles become increasingly digital and the lines between automotive and tech industries blur, the importance of cybersecurity in the automotive world cannot be understated.  

PKI provides a tried-and-tested framework to secure this new era of mobility. By understanding its intricacies, benefits, and challenges, the automotive industry is better positioned to steer a course that maximizes the potential of connected vehicles while ensuring the safety and trust of users.  

Additionally, this digital evolution presents not only technological shifts but also cultural ones. As consumers begin to perceive their vehicles not just as transport but as interconnected hubs, their expectations for security, functionality, and convenience will shift.  

Meeting these evolving demands will require a harmonious blend of automotive expertise, cybersecurity expertise, and an understanding of the modern consumer's digital landscape.

Navigating the road ahead 

The burgeoning number of connected vehicles hitting our roads ushers in both unparalleled opportunities and new challenges for the automotive industry.  

As these vehicles become intricate webs of communication, forging a robust security framework is essential, which is where public key infrastructure comes in. It offers secure channels for vehicle interactions, both with each other and with infrastructural elements.  

While the complete integration of PKI into the automotive sector is fraught with its own respective challenges and hurdles ranging from scalability to lifecycle management, the industry's proactive steps promise a secure and cohesive future going forward.  

Through collaborations, open standards, and an unwavering commitment to both digital and physical security, the automotive world is gearing up to not just face but thrive in this digital evolution. For automakers and users alike, this means a future of connected driving that is as secure as it is revolutionary. 

Published

 

 

Want to test Nexus V2X PKI test service?

Read more here!

Discover more blogs

Access control Authentication Blog Multi-Factor Authentication (MFA) Virtual smart cards Workforce

Secure the modern workforce with Zero Trust

19 August, 2024
Discover Nexus Smart ID, a PKI-based solution for securing digital identities with zero trust and identity-first principles. Enhance security, stre...
Blog News Press release

Nexus becomes the exclusive supplier of identity cards for ID06

13 August, 2024
Nexus has been chosen by ID06 AB as the sole manufacturer of identity cards for Sweden's Construction industry
Blog IoT security News PKI Workforce Workplace Zero Trust

Google’s drastic decision is a hard lesson on Crypto-Agility

25 July, 2024
In the wake of the recent incident, organizations must strengthen their digital trust framework by focusing on crypto-agility.