Written evidence submitted by the NCC Group (SDV0011)
NCC Group is delighted to have the opportunity to engage with the Transport Committee and offer our expertise as a UK-headquartered global cyber security and software resilience business.
NCC Group’s mission is to make the world safer and more secure. We are trusted by more than 14,000 customers worldwide – including some of the largest firms in the automotive industry – to help protect their operations from ever-changing cyber threats. Indeed, we have a dedicated Transport Practice whose Global Director regularly shares his views and insights into emerging and future risks and opportunities, while, as a leading expert in this space, NCC Group’s Senior Security Consultant Dr Liz James serves as Vice-Chair of techUK's Intelligent Mobility and Transport Steering Board. Recognising the increasing convergence of cyber security and safety in the connected world (which we explore in more detail below), we recently announced the acquisition of Adelard – a well-established UK computer system safety advisory business – extending our risk management service offering in the field of safety critical systems. In support of our mission, we continually invest in research and innovation as an intrinsic part of our business model to match the rapidly evolving and complex digital environment. Indeed, in FY2021, we delivered 3,400 research days. The security of connected technologies is one of our core research specialisms. For example, earlier this year, our researchers identified a vulnerability in Bluetooth Low Energy (BLE) used by cars with keyless entry, which would enable hackers to unlock, start and drive a vehicle using cheap off-the-shelf hardware. We have also published a white paper on the cyber threats facing the connected car and intelligent transport ecosystem; and have many years’ experience researching the safety and security of smart cities, working with leading UK universities to understand how we architect, implement and operate smart city designs that are secure by design and safe.
We are passionate about sharing our expertise and insights with policymakers and parliamentarians who are tackling crucially important questions about the use of critical and emerging technologies. In this submission, we have focused on the safety and security of connected and automated vehicles, and the underpinning regulatory framework, and hope that our input proves useful. Indeed, we would be delighted to give oral evidence to the Committee’s inquiry to help explore the proposals we raise in this submission in more detail.
We believe that some confusion has arisen around what constitutes “self-driving”, “automated”, “autonomous” and “connected” vehicles. So as to aid clarity, we define these terms below:
For the purposes of this inquiry, the main distinction to establish is between automated vehicles and connected vehicles. While the two are heavily intertwined – indeed, many driving automation systems rely upon the connectivity of the vehicle – and will likely evolve in tandem, the risk profile for each is different and should be considered as such.
New vehicles can contain hundreds of millions of lines of code, and often, over a hundred embedded computer systems from many different automotive suppliers. This means if devices within the network of a connected vehicle have been poorly designed or are misconfigured, they can be attacked by threat actors, and there are many different wired and wireless entry points into the ecosystem that attackers can exploit. The increasing complexity of connected vehicles, as companies incorporate new technologies, means that the attack surface is growing, with connected vehicles targeted in three primary ways:
Considerations for a regulatory framework
Public trust is fundamental to the successful rollout of connected and automated vehicles, but this trust could be easily undermined if cyber security is not prioritised. However, the diverse nature of the automotive industry – from small electric vehicle start-ups to huge multinational manufacturing groups and many other shapes and sizes of organisation in between – means that cyber security has had different priorities in different companies historically. This is especially due to the tight margins within the sector. A recent industry report highlighted that 30% of car manufacturers and suppliers do not have an established product cyber security programme or team. As such, we strongly advocate regulatory intervention to set minimum mandatory standards that vehicle manufacturers, software developers and other supply chain partners must abide by. UN Regulations already exist on cyber security, software update management and automated lane keeping systems, laying the foundations for outcome-focused regulation of connected and automated vehicles’ design and development lifecycle which UK (and international) policymakers should look to build on. In doing so, the UK Government should promote a holistic, agile and proportionate approach to security and risk management that:
People and skills
To ensure that connected and automated vehicles are secure by design, it is critical that those who design and build vehicles, such as engineers and software developers, bake in security considerations from the outset. However, in reality, these individuals do not always have the skills or understanding required to do this. At a base-level, relevant engineering and software development educational programmes should reflect cyber security as part of the system development process. In addition, there is a need to develop specialists who are able bridge the gap between the design and development of a vehicle and good cyber security practice. This should, we believe, be pursued through one or more appropriate Government-appointed bodies, such as the Engineering Council and the UK Cyber Security Council – the new standards-setting body for the cyber security industry which is developing career specialisms as part of its approach to tackling the cyber security skills gap.
Wider legislative framework
Security vulnerability research plays a critical role in ensuring the cyber security (and, as we have outlined, the safety) of connected vehicles. This is where cyber security researchers identify vulnerabilities in products and work with manufacturers and vendors to fix them, before malicious actors are able to exploit them for nefarious purposes. For example, where NCC Group’s researchers identified the aforementioned vulnerability in Bluetooth Low Energy (BLE), before issuing the research publicly, we responsibly disclosed the details of the products tested to the manufacturers (including Tesla) and discussed mitigation approaches with the Bluetooth Special Interest Group (SIG). The UK Government recognises the important role vulnerability research plays – for example, the Product Security and Telecoms Infrastructure Bill will mandate that manufacturers of consumer connected devices must have a vulnerability disclosure policy in place, that enables researchers to report these vulnerabilities. However, the Computer Misuse Act 1990, which was written over three decades ago and remains the primary law governing cybercrime in the UK, inadvertently criminalises a significant proportion of the type of vulnerability research cyber security professionals are capable of carrying out. This is because the Act, as it is currently written, blanketly prohibits all unauthorised access to computer material, irrespective of intent or motive. It means that researchers can face legal action for reporting a vulnerability to an organisation, even if the affected organisation has a vulnerability disclosure policy in place. We believe this undermines the government’s aims to encourage greater vulnerability reporting, and that it should take a more holistic look at its cyber security laws and policy to ensure that they are fit for purpose. Specifically, the Computer Misuse Act should be updated to include a statutory defence – as a matter of urgency – to put in law a basis from which cyber security researchers can defend themselves where they undertake legitimate cyber security activities.
Notwithstanding that the UK has geographically-specific and road design factors automated vehicle technology will need to consider and account for, the UK should avoid creating domestic cyber security regulations that are not aligned to international standards. Given the size of the UK market, and the ever-increasing complexity of international supply chains, divergence from global standards is likely to create unnecessary administrative burdens for organisations as they seek to navigate differing regimes and put the UK at a competitive disadvantage. Instead, the UK should be at the forefront of the standardisation of connected and automated vehicles globally, particularly given the risks associated with the proliferation of insecure components imported from (e.g.) China which could undermine the integrity of systems/vehicles. In addition, driving global standards creates opportunities for UK-developed and protected intellectual property to be adopted, and ensures interoperability across the global supply chain.
 E.g. https://www.mynewsdesk.com/nccgroup/blog_posts/securing-the-connected-cars-of-the-future-102275
 Find more information here: NCC Group uncovers Bluetooth Low Energy (BLE) vulnerability that puts millions of cars, mobile devices and locking systems at risk | NCC Group Newsroom (mynewsdesk.com), or watch the exploit in action here on a Tesla Model Y: (161) Hacking group demonstrates Teslas can be unlocked remotely by relaying bluetooth from phone - YouTube
 latest-threats-to-the-connected-car-and-intelligent-transport-ecosystem.pdf (nccgroup.com)
 J3016_202104: Taxonomy and Definitions for Terms Related to Driving Automation Systems for On-Road Motor Vehicles - SAE International
 Real-time operational and tactical functions required to operate a vehicle safely in on-road traffic.
 Waymo unveils self-driving taxi service in Arizona for paying customers | Reuters
 UN Regulation No. 155 - Cyber security and cyber security management system | UNECE
 UN Regulation No. 156 - Software update and software update management system | UNECE
 UN Regulation No. 157 - Automated Lane Keeping Systems (ALKS) | UNECE