Here’s a stat that’ll give you pause for thought.

By 2022, all cars fresh off the assembly line will be connected.

That puts things in perspective, doesn’t it? We’re used to thinking of driverless cars and intelligent vehicles as the gadgetry of the future. But in reality, it’s a transformation that’s taking place right now.

It’s a hugely exciting prospect. And while the pace of innovation is unprecedented, there are a number of bumps in the road. Namely, security.

Automotive cybersecurity is critical. We’re not talking about personal data or money being stolen (which is terrible enough in its own right) but the physical danger that a car can pose in the wrong hands. Thinking more widely, what happens if a vehicle fleet is targeted? Without proper defences, connected vehicles could put people’s lives at risk.

Imagine a world where hackers can take control of your vehicle. Or manipulate data in sat-navs – directing entire fleets of cars in order to create gridlock in our cities.

This is a future we must be prepared for. Whether it be government or private businesses – both need to fully understand the scope of this potential threat, and take action to mitigate risk.

And to do that, proper testing must be conducted.

Asking the right questions

The BeARCAT Project was started to understand these cybersecurity challenges – as well as make recommendations on the testing needed to overcome them.

The project was grant-funded by the UK Government’s Centre for Connected and Autonomous Vehicles (CCAV), administered by Innovate UK with support from Zenzic. The project was a collaborative endeavour, led by Cisco with partners Millbrook, Telefonica and The University of Warwick.

Together, our aim was to work as a consortium to investigate three areas – which we called ‘work packages’. These were:

> The cybersecurity challenges of Connected and Autonomous Vehicles (CAVs)
> The building of physical and virtual security testing facilities
> The business case for CAV and communications testing

Starting with the first work package – understanding cybersecurity challenges – the most pressing concern was to explore the full scope of the threat.

This isn’t a case of protecting a single network, which would be complex enough in its own right. Connected vehicles will eventually communicate with a number of sources – whether it be the manufacturer, local authorities, mobile operators, or cloud-hosted services such as Waze and Spotify.

Another major development we will see in a few years is intelligent roadside infrastructure. From smart stop signs to connected traffic lights, congestion will be managed in a much more intelligent manner. Vehicles will continually exchange data with the world around them – and that communication must be watertight.

The second work package was just as important. Thorough testing means replicating the conditions found on roads and in the communications networks that will support connected vehicles – which, in practice, is extremely difficult.

There is no such thing as a ‘common roadway’. Different countries, counties, and even towns have different regulations on how roads must be built and how communications infrastructures operate. If your testbed is in the middle of the UK, how are you supposed to test your connected vehicle on a road and a communications network built to American standards?

(On a side note, Millbrook, who worked with us on this project, has a stretch of American highway at their testing grounds – based right in the heart of Luton!)

For the third work package, we wanted to investigate how businesses would benefit from CAV testing. What do the business models in this area look like? What would be the competitive advantage? And, looking from a national point of view, what is the economic benefit of establishing more testing facilities in the UK?

Project recommendations

Our learnings came together in a feasibility report, which made several key recommendations.

Firstly, the consortium recommended investment in a standard security framework that could be used to support cybersecurity testing. This would cover provision of a reference architecture, coverage of security threat modelling and the establishment of a security knowledge base – in effect, everything that would help stakeholders within CAV ecosystems.

In terms of testing facilities, we noted that several layers of tests would be needed: physical infrastructure, telecommunications, services, applications, and finally, the business layer.

Thoroughly testing each of these layers will be an extensive process, with many support and engineering staff required. For that reason, we suggested the testbed would best be located within an existing test facility, in order to save money on the overheads.

Finally, in terms of the business model, we noted that this is an emerging sector – so all recommendations were speculative. However, by examining the future data volume generation from CAVs, the UK and global addressable market for cybersecurity, and the potential revenue (among other criteria), we concluded there is a strong business case.

The future of BeARCAT

The future of mobility is incredibly exciting, and I’m proud that Cisco is taking pragmatic steps to make tomorrow a reality.

Now that we’ve submitted the report, we’re waiting for the government’s response. It’s for them to decide how many testbeds to create, where to build them, and ultimately how to fund them.

But this report is only one output from a consortium that wants to make a real difference. BeARCAT offers a great example of the cross-disciplinary thinking required to create a viable testing framework to address cyber security challenges for CAVs in the UK. By combining our expertise and making recommendations based on our collective knowledge, the consortium is helping the UK drive towards a connected future.

Author - Peter Shearman, Head of Co-Innovation, Europe CSIG