Close this search box.
Data Protection

Connected Cars: Data Protection in 3 Steps

We are steadily moving towards a future where high connectivity is becoming the industry standard. This is why data security in connected cars has become a concern.

This is largely due to the increase in consumer demand, fueled by the convenience that IoT (Internet of Things) connected vehicles can offer.

This consumer demand makes sense when we consider the long-term benefits of driving or owning connected vehicles. Here are just a few of them:

  • A connected car enhances the experience of owning or using a vast array of apps and services that pair seamlessly with the smartphone the user owns;
  • Passenger and driver safety is increased and hazards are more easily avoided;
  • The driver has more control over the vehicle as well as its remote diagnostics;
  • Many routine tasks, such as parking, can be automated or partially automated;
  • Potential problems with the vehicle can be detected much earlier and money on fuel can be saved when the most efficient route is always chosen.

Consumer fears despite connected car innovation

Although the global connected car market is expected to surpass $219 billion by 2025, with 60% of automobiles will be connected to the internet, the industry is still facing challenges in its quest to become fully mainstream due to its main drawback: consumers’ fear of cyber attacks.

We all know that the increase in connected devices, whether vehicles or other devices, automatically increases the number of entry points and opportunities for criminals.

Considering the often very serious consequences of such attacks, this consumer fear is legitimate and needs to be addressed both by the IoT industry but especially by connected vehicle manufacturers if the industry wants to gain full consumer trust and adoption of their products and keeping their data safe.

Current safety status of connected cars

Indeed, protective measures are being taken to set data security standards in other areas of data exchange.

For example, the General Data Protection Act (GDPR) has made a significant difference to how we experience web browsing and any interaction that involves the processing of personal data.

However, IoT service providers are not currently required to comply with any additional security laws or standards.

While some are calling for specific government legislation, there are already several companies working on solutions to increase the security of connected devices.

It is not yet clear exactly what the impact will be on our personal privacy as we embark on this connected future. What is clear, however, is that if car manufacturers themselves do not step in with some clear technologies to prevent data hacking, mismanagement or data privacy breaches, the connected car industry will continue to struggle to be accepted by the general public.

So what are the automakers themselves doing these days? Crucially, what else needs to be done to reassure users that their data is safe?

What can car manufacturers do to ensure data security in connected cars?

1. investment in hardware security

Typically, the vehicles we are most used to seeing and driving on a daily basis have not been equipped with any kind of hardware security in the car’s own electronics.

This is because the car was never originally designed to have an open system that could be connected to external systems such as IoT devices. Instead, the car system should be a closed system.

Because of this, as soon as you connect the vehicle to something external, there are not enough protections (e.g. a firewall) in place against malicious parties.

This is solved in new cars by installing something called a secure gateway.

For IoT devices, no interaction could happen with the vehicle without first passing through the secure gateway, making the exchange of data between two parties significantly more secure.

2. Investment in software security

With the continued rise in cybersecurity incidents, automakers need to incorporate an approach to data security in connected cars that takes into account not only the obvious exposures in the car’s software, but also the hidden vulnerabilities that can be introduced by open-source software components.

Connected car software code is extremely complex to say the least, with the average car software based around 100 million lines of code.

With so much complexity comes many opportunities for vulnerabilities and an increased risk of malicious attacks from cybercriminals.

Nowadays, it’s not uncommon to hear about malware specifically designed to detect flaws in car software.

Today, several renowned car manufacturers and their software suppliers deploy testing tools that include safety assessments on static and dynamic software.

In connected cars, these tools are used to identify coding errors that can result in software vulnerabilities and opportunities for hackers and criminals to enable or disable certain features remotely.

While these tools are effective in detecting bugs in the code written by the connected car manufacturers’ own in-house team of developers. They are not effective in identifying open source vulnerabilities in third party code.

This leaves many of the key components of today’s apps exposed, due to the fact that they are made by developers working for external IoT providers rather than the carmakers themselves.

3. User awareness and consent

In addition to protecting the car’s hardware and the vehicle’s software, it is important to emphasize the responsibility of connected car manufacturers to alert users to the importance of which devices they allow to be connected and for what purpose.

This is where user consent needs to be obtained and regulations such as the GDPR rigorously enforced.

Third-party IoT providers must clearly define why they want to interact with connected cars and what they plan to do with any data they get from the automobile, but it is the job of manufacturers to assure users of the security of their data.

Eval & Thales technology partnership: bringing trust to connected cars

As we look to our increasingly connected future, we can be sure that the relationship between vehicles and IoT is only likely to increase in complexity.

With a dedicated approach to data privacy and security, any risks of cyber attacks or misuse of data in connected cars can be significantly mitigated.

The IoT industry is growing at an exponential rate now. Traditional car companies need to adopt a safety-first approach.

This approach is necessary to take advantage of the huge strides technology can make in the lives of drivers and road users through connected vehicles.

With more than 20 years of experience in connecting vehicles, Eval and Thales’ customers benefit from their leading position in mobile connectivity standardization, serving more than 450 mobile operators worldwide.

Global automotive connectivity solutions and remote management greatly reduce supply chain complexity for automotive manufacturers while enabling easier end-user experiences over long vehicle lifecycles.

Eval and Thales’ solutions enable the use of end-user subscriptions for infotainment services in mobility and provide the technical capability for infotainment/telematics connectivity.

Leveraging proven and advanced expertise in digital security and IoT, Thales Trusted Key Manager provides connected car manufacturers with support for digital transformation, ensuring the end-to-end security of the automotive ecosystem.

About Eval

EVAL has been developing projects in the financial, health, education, and industry segments for over 18 years. Since 2004, we have offered solutions for Authentication, Electronic and Digital Signature, and Data Protection. Currently, we are present in the main Brazilian banks, health institutions, schools and universities, and different industries.

With value recognized by the market, EVAL’s solutions and services meet the highest regulatory standards of public and private organizations, such as SBIS, ITI, PCI DSS, and LGPD. In practice, we promote information security and compliance, increase companies’ operational efficiency, and reduce costs.

Innovate now, lead always: get to know Eval’s solutions and services and take your company to the next level.

Eval, safety is value.

Data Protection

Smart Grid: what IT managers should know

A Smart Grid or intelligent power grid is basically a power network that uses internet technologies to enable two-way communication, coordination and control.

The vision of a Smart Grid starts with the overlay of an increasingly IP-based information network on top of the connecting elements of the existing power grid.

In the longer term, the Smart Grid will include rethinking the architecture of power generation and distribution to make the electricity grid more decentralized, resilient, secure and responsive to consumer demand and the provision of public services.

Architecturally similar to the Internet, the Smart Grid is hierarchical and has clear demarcation points. Energy utilities run the generation and interstate links of the network, equivalent to the backbone of an ISP (internet service provider).

Within a metropolitan area or neighborhood, local utilities run a neighborhood area network (NAN), equivalent to a metropolitan area network (MAN).

The Smart Grid reaches individual homes and businesses through the advanced metering infrastructure, which is like a local ISP’s DSL network – the last mile to the “smart meter”.

Within a building or home, consumers and businesses manage a home network or building automation system, which is the smart grid equivalent of a local area network (LAN).

The smart meter also acts as a network termination point or input router, a demarcation between the utility network and the home network or building automation system.

The interface between your building automation network and the utility supply will be smart. This brings huge opportunities for automation as well as severe management and security challenges.

What should IT managers know about Smart Grid?

The introduction of IP coincides with the merger of IT facilities and organizations. Companies are adding automation to buildings and the resulting networks are increasingly managed by the IT department.

The building automation network connected to a Smart Grid is rapidly becoming a network-based application running on a converged LAN, just as voice networks began converging onto data networks a decade ago.

In short, building automation will be an application that you must support on your network in the future. As with voice, this new network application will present unique management, quality of service (QoS) and security issues.

For example, building automation directly affects the physical space in our offices, creating unique management challenges, and systems must be secured against unauthorized access to a building or room.

But even without malicious interference, we need to ensure that future building automation systems and smart grids are as reliable as current systems.

A “smart” light switch should turn on the light instantly and every time, just as a voice over IP (VoIP) phone should provide a dial tone, instantly and every time.

The lesson of VoIP was that mechanical systems are inherently more reliable and it is not simple to achieve the same level of resilience and quality with a computerized system.

The Smart Grid will provide near real-time price updates and statistics on overall energy use

In our example, building automation connected to a Smart Grid will allow you to control the skylight, blinds, lights, vents and even micro power plants such as solar panels, fuel cells and diesel generators.

This can enable adjustment of energy consumption and local generation patterns in response to prices and can also offer organizations the possibility to sell energy back to the grid.

Businesses can also be warned of impending power quality issues (such as power outages, spikes, supply shortages and blackouts) and adjust power usage or distribution to prioritize critical systems or unplug spike-sensitive devices.

Managing and securing this new network will require new skills, new hardware and new software. It will also require new types of firewalls, denial of service protections and security policies.

The Smart Grid will extend to your network, bringing new opportunities and new challenges. To prepare your business for the smart grid, you should start with organizational convergence between IT and facilities, followed by data convergence between IT networks and building automation systems.

Eval and Thales together to ensure the protection of Smart Grids

At a time when energy utilities play an increasingly important role in our everyday lives, smart grid technologies, including those leveraging the Internet of Things (IoT), present new smart grid security challenges that must be addressed.

Implementing a smart grid without the proper security of advanced metering infrastructure can result in grid instability, loss of private information, utility fraud and unauthorized access to energy consumption data.

Without proper security, the benefits of IoT-based energy, such as reliable directional communication between applications and devices, as well as secure information gathering for accurate big data analytics, would not be realized.

Effective security equipment manufacturers, consumers and utility providers with the confidence to leverage the power of IoT.

Building a reliable and secure smart grid will require robust smart grid security solutions that can be easily deployed at the communication and application layers of the smart grid infrastructure.

Areas where smart grid protection is critical include:

  • Device manufacturing;
  • Secure communications;
  • Internet of Things (IoT) devices and applications;
  • Field firmware updates and provisioning;
  • Device authentication;
  • Secure meter management;
  • Protecting data integrity and privacy.

The importance of security in Smart Grid with PKI and HSMs

Smart Grid security solutions must be able to deploy on a large scale, with minimal effect on applications.

Smart grid protection at the communication layer will require a system to identify connected meters, to verify that these meters are configured correctly, and to validate these meters for grid access.

The recommended solution for this authentication process is an identity-based model, usually a public key infrastructure (PKI).

PKIs are ideal for large-scale security deployments that require a high level of security with minimal impact on performance.

In a PKI environment, it is essential that private keys and certificates are protected with a trusted key management solution that protects against evolving data threats, such as hardware security modules (HSMs).

Thales Hardware Security Modules provide the highest level of security by always storing cryptographic keys in hardware.

Thales HSMs provide a secure encryption foundation as the keys never leave the FIPS-validated, intrusion-resistant and tamper-resistant device.

Since all cryptographic operations take place inside the HSM, strong access controls prevent unauthorized users from accessing confidential cryptographic material.

In addition, Thales also implements operations that make deploying secure HSMs as easy as possible, and our HSMs are integrated with the Thales Crypto Command Center for fast and easy partitioning, reporting, and monitoring of cryptographic resources.

Learn more about the use of HSM applied to Smart Grid technology from Eval’s experts and learn how to apply encryption capabilities effectively in your smart grid. We are happy to answer your questions and help you define the best ways to make your network smart and reliable.

About Eval

EVAL has been developing projects in the financial, health, education, and industry segments for over 18 years. Since 2004, we have offered solutions for Authentication, Electronic and Digital Signature, and Data Protection. Currently, we are present in the main Brazilian banks, health institutions, schools and universities, and different industries.

With value recognized by the market, EVAL’s solutions and services meet the highest regulatory standards of public and private organizations, such as SBIS, ITI, PCI DSS, and LGPD. In practice, we promote information security and compliance, increase companies’ operational efficiency, and reduce costs.

Innovate now, lead always: get to know Eval’s solutions and services and take your company to the next level.

Eval, safety is value.