How to Adopt Modern IDS and VSOC for Your Vehicle’s Security

This is the second in a two-part series about vehicle security. Find part one here.

The Way Forward: IDS and VSOC

Modern smart vehicles pose significant challenges to security architects and developers due to their inherent limitations. Despite the drastic improvements in the technology and processing power in modern vehicles compared to their predecessors, they still have limited computational resources compared to modern IT devices. This means the types of security software that can be run is limited.

Additionally, cars generally have longer lifespans than the average IT device. Some cars will stay in service for upwards of a decade—far longer than the average laptop, phone, or network device. Couple this with the relative difficulty in pushing significant security updates and patches to vehicles, and the velocity with which attacks are evolving, and it is very difficult to future-proof modern smart vehicles. So, what can we do? The answer is twofold: Intrusion Detection Systems (IDS) that monitor vehicle systems, and Vehicle Security Operations Centers (VSOCs) that can respond to the alerts generated by the IDS.

CAN Bus Intrusion Detection Systems

An IDS is a system that monitors activities within a network or specific node on that network and looks for aberrant behavior (deviations from the normal expected behavior). In a traditional IT setting, an IDS monitors a network and over time notices that a certain employee always logs into his workstation from a certain location at a certain time. Should that employee’s credentials be used from a different location at a different time, the system would notice a change in behavior and raise an alert for an analyst to review.

A vehicle IDS system works on the CAN Bus--which, as noted above, is the internal “network” within vehicles that facilitates communication between ECUs within the vehicle, including those connected to outside networks and devices. Broadly speaking, IDS systems can be deployed either as host-based (directly on a specific vehicle EDU) or network-based (monitoring the CAN controller or central gateway). Both methods have their strengths and weaknesses. NTT DATA, working with a major automotive OEM, has developed an optimized IDS that is flexible and lightweight enough to be deployed in either method.

Regardless of the nature of the IDS deployed, detection is only part of the solution: responding to the security issues detected by the IDS—and that’s where a VSOC comes into play. A SOC is a security center staffed by security experts, monitoring and responding to security issues. A VSOC specializes in security alerts coming from vehicle systems, combining the detection ability of the IDS with specialized analyst knowledge augmented by specific threat intelligence. NTT DATA’s VSOC manages the large volume of data coming from connected vehicles (around 25 GB per hour) while addressing the strict data privacy regulations around the world. In addition to expert analyst monitoring, NTT’s VSOC benefits from advanced threat analytics capabilities, threat hunting, and comprehensive threat intelligence.

The biggest threat today is from outside the vehicle. With the vehicle ECUs largely encrypted, the threat of someone breaking into the CAN bus and sending rogue commands is relatively low. But now that modern cars are connected to all other devices through various wireless protocols, now the threat can come from compromised files on those outside sources. If an attacker gains access through, say the OEM's own network, they may have the encryption keys and be able to manipulate those ECUs. This is why IDS and VSOC is critical. We need to be able to monitor the activity within the vehicles, not simply reply on the onboard technology.

Looking into the Future

As we look ahead from the smart cars of today, it’s almost certain that our vehicles will become ever more connected with the world around them, and even with each other. Autonomous vehicles of the future will almost certainly need to communicate between vehicles, and likely with a ground-based system for traffic control and other data. The need to continue to develop security around those systems and the communication between them is absolutely imperative.

I see many different ways smart cars could evolve. The most likely long-term scenario is one where each car combines data from onboard sensors with real-time communication between vehicles along with constant communication with ground-based systems, coordinating positions and speeds and routes. In this scenario, driving could be made much more convenient and safer. But again, with greater communication and coordination comes greater risk, and the need for ever more robust security.

To learn more about NTT DATA’s work in vehicle IDS and VSOC, see our whitepaper on Automotive Cybersecurity, here. And stay tuned for more exciting developments.