"It will become necessary to promptly establish a framework for discussing information security in the automotive field," said Masahiro Uemura, director of the Office for IT Security Policy, Japan's Ministry of Economy, Trade and Industry (METI).
He made this comment in a lecture titled "How Japan Should Address Automotive Information Security Issues" at escar Asia 2014, a symposium that dealt with automotive information security issues and took place April 17 and 18, 2014, in Tokyo. In the lecture, he discussed the importance of establishment of an environment in which companies in the automotive industry cooperate on the issue of "how to protect cars from the menace approaching automotive software."
Uemura categorized automotive security issues into (1) control system-related issues such as taking over the control of brake, steering, etc and (2) information service-related issues such as unexpected start-up of an engine and alteration of internal information.
"Control system-related issues pose a high risk of a car accident," Uemura said. "But at this point, it is still difficult to externally take over the control. Information service-related issues have a small risk of a car accident. But it may be possible to make an attack via an Internet-based information service. In this regard, the security framework of a normal information system will be effective."
Cooperation between IT, auto industries becomes key element
In Japan, Information-technology Promotion Agency (IPA) is currently considering measures to ensure automotive security by using a functional model called "IPA car." In March 2013, it released the "Guidance for Automotive Security," showing its policy to strengthen security measures.
The frameworks for publication, countermeasures, standardization and mutual authentication that public and private organizations are promoting for the information security of the control systems of factories and plants serve as a useful reference in the automotive field, Uemura said.
"In the field of control systems, it is becoming important for different industries to share their experience," he said. "It is because there is a cultural difference between efforts of IT-related companies and those of companies operating plants."
"It is important for concerned parties to discuss measures to appropriately share information on the vulnerability in automotive security," he continued. "The vulnerability can surely be overcome if different industries share their experience."