Race report: Circuit Zolder, 15 June 2021

Nothing unlucky about finishing P13 at Zolder. A strong race in Belgium sees Copper Horse Racing move up two places in the overall standings.

Car 59 had performed well at two practice races held over the weekend at Circuit Zolder – a track opened in 1963 and designed by John Hugenholtz of Suzuka fame – so, on paper, things were looking promising. The challenge would be executing on race day, when emotions can run high. 

Close up: car 59 badged with logos, which include all Secure-CAV partners

Dry conditions for both race and qualification set the scene for some fast track times and close racing, with drivers able to push hard and focus their energy on battling each other on-track. In terms of passing, the main overtaking opportunities are at the first corner and coming into the last chicane – at least according to former DTM driver Robin Frijns.

In qualifying, there were plenty of sector highlights for the white and green 2015 Lamborghini Huracan GT3, but some swift laps by the other competitors pushed Copper Horse Racing down to P24 on the timing screen, with nearly the entire field lapping within three seconds of each other. 

Race day  

As we know from previous races, cold tyres and brakes make the first two laps potentially treacherous for all on circuit. However, car 59 dodged any early tangles despite being tapped from behind and, one lap later, oversteering off-circuit when a rear-tyre touched the grass. All wheels back on track, Copper Horse Racing began its march up the order pulling a nice overtake on last week’s winner El Tigre Blanco. However, it wasn’t long before the hot pink Aston Martin V8 Vantage had re-passed – a battle that would have to wait for another day. 

Back in front: last week’s winner El Tigre Blanco retakes the position

But there was still plenty to play for, and clean and consistent driving meant that Copper Horse Racing was well placed at the halfway point. And, for the first time since the Barcelona race, the team could make its own call on when to take the mandatory pitstop rather than having the decision forced by mechanical damage. 

Everything connected… 

Watching the cars go around the circuit, it’s clear that Zolder has some interesting scenery – particularly the wind turbines. In previous posts, we’ve mentioned cyber security threats to vehicles, where the attack surface grows as developers add connectivity to their products. The same holds true for the operational technology powering industrial systems such as electricity generators and water treatment plants. There are lots of benefits to being able to monitor components remotely, such as improved maintenance scheduling, but the methods of protection have to adapt to the change: once a device is reachable over a network, physical security alone is no longer sufficient to deter bad actors.  

Scenic view: some of the sights at Zolder

With everything becoming connected as part of the ‘Internet of Things’ (IoT), attention is finally turning to the amount of legacy that exists within these systems. Protocols in use often originate in the 1970s and offer no way to authenticate the sender or to protect the integrity of the data passing over them: any node that can reach the network can issue commands that will be obeyed. Add to that hardware and software that was never designed for security and rarely gets updated, and you have all the jigsaw pieces for a security (and safety) nightmare.  

Industry and governments are in a race to improve cybersecurity in all the different ‘verticals’ whether it be automotive, industrial, or consumer IoT and there’ll have to be a lot of work to either replace or monitor the legacy insecure equipment and services that are left behind. 

McLaren versus Lamborghini: there were some great battles to watch as race 6 unfolded

Returning to the on-track action, car 59 spent the final phase of the race behind Dutch driver Teis Hertgers, in a McLaren, trying to open up an overtaking opportunity. With the pressure of the race clock ticking, David Rogers made his move at turn 1, where the Lamborghini was quicker. The move didn’t come off and David lost a little time, the battle now turning to the Ferrari 488 of Ulmer Gallium, who loomed large in the Lamborghini’s mirrors. This time it was Gallium who over-pressured, making a pass before the first chicane but overshooting into the sand and handing P13 back to car 59. 

Before: dry conditions allowed drivers to push hard
After: a nice chance to take in the amazing livery on Ulmer Gallium’s Ferrari 488

With 60 minutes around Zolder complete, the series had a new race winner – P1 qualifier Mar Coolio of Finland. Scott Ullmann, who came third in the last race at Mount Panorama, went one better this week to take second. And Scott Cranston, who had placed well earlier in the season at Donington and in Barcelona, completed the podium in third. 

Race winner: Mar Coolio crosses the line in a McLaren 720S

Next up is Imola for the penultimate race of season 7. You can follow the action live on Tuesday the 22nd of June by tuning into Twitch from 19:30 hrs, UK time. See you then! 

About the author 

James Tyrrell is a threat modelling analyst at Copper Horse.

Race report: Bathurst Mount Panorama, 8 June 2021

Heartbreak avoided as a strong drive by car 59 recovers all but one of the 13 places dropped in first lap chaos on the mountain. 

Changeable weather meant that drivers had to know their setups inside out to make progress at Bathurst Mount Panorama – a 6 km ‘scenic drive’ with no shortage of excitement. Put a foot wrong on the mountain section, which includes a string of tough turns such as ‘The Esses’ and ‘The Dipper’, and it can easily be game over with barriers either side of the track leaving little margin for error. 

Keeping it tight: drivers had to observe close barriers on the mountain section

The YouTube video below illustrates just how bizarre some of the crashes have been at the real-life Bathurst circuit – in this example from 2020, the car (also a GT3 Lamborghini) comes to rest on a fence! 

Lamborghini on the barriers: if you hadn’t seen it, you wouldn’t have believed it

In qualifying, Copper Horse Racing placed a very encouraging P17, before becoming derailed by a slow car rejoining the track towards the end of the session. Back in the pits, we’d prepared a number of race setups as it was forecast to rain. It wasn’t certain as to whether the race would be dry, fully wet or changeable. As it turned out, the race ‘weekend’ gave us heavy rain for the race itself. 

First lap chaos in the wet: car 59 did its best to navigate crashes on the left and right of the track

Within seconds of the lights going green, multiple incidents and cars littered the mountain, leading to an unavoidable crash and damage which sent car 59 tumbling down the order to P30 and forced the strategy into taking a very early pitstop. On the up side, this had the benefit of clearing a stop-go penalty from the previous race imposed by the stewards and also dealt with the mandatory tyre change, meaning that we could stay out for the remainder of the race.  

Voice activated

Many, if not all, of the sim racers taking part are using Crew Chief – an outstanding app that plays dual roles of spotter and race engineer, providing words of wisdom throughout every session. What’s more, the communication is two-way and Crew Chief can be programmed to listen out for instructions – for example, to prepare a set of tyres ahead of a pitstop. 

Battered but not broken: an unavoidable collision on lap one forced an early pitstop for car 59

Voice assistants can be found in real cars too – for example, to program heating or cooling in the cabin, change the volume on the radio, adjust the ambient lighting, set a destination for the Sat-Nav and even to activate a back massage. As well as bespoke offerings, vehicle OEMs are teaming up with tech giants such as Amazon and Apple, integrating ‘Alexa’ and ‘Siri’ into their products. Also, recent versions of Android Auto, which is reportedly available for over 50 different brands of vehicle, feature ‘Google Assistant’. 

But inviting microphones into the cockpit could have its downside. In 2010, researchers at the Universities of Washington and California San Diego pointed out that telematics units in vehicles could provide a path for bad actors to capture audio from the vehicle. In 2020, the paper – which explores a wide range of threats to a modern automobile – was given a ‘Test of time’ award from the IEEE; recognising the momentum that the study has added to the field of automotive cybersecurity. 

As you might have gathered from the first blog post in this series, the rig used to compete in the Apex Online Racing GT3 Season 7 league functions as a vehicle hacking simulator outside of races. The setup can be configured to recreate numerous automotive cyber-attacks, including some of those first described in the 2010 study, and follows on from our activities within Secure-CAV.

Back on track

At Bathurst, the white Lamborghini drove a lonely few laps, with a clear track to pull its way back into contention after its early pitstop. The hot stint helped Copper Horse Racing reel in drivers who were struggling ahead, and positions were gained too as competitors took their mandatory single pitstop. 

Lonely laps: the middle section of the race felt like a hot stint

On the last lap of the race, a chance emerged to take 17th place from the car in front after a mistake on the mountain. Coming up to the last corner, as the race ticked out its final seconds, a successful do or die overtake would have restored car 59 to its qualifying position, however it just wasn’t to be. But there were no complaints from the team (or Jim, our vocal engineer in Crew Chief) with the P18 finish – the best race result so far for David Rogers in the series. 

Gotta go for it: Copper Horse Racing was on a mission to recover all of the places lost from the early crash and almost made it back to P17

On the top spot, with their first visit to the podium, was El Tigre Blanco who had shown they could be quick over a lap in qualifying. Dave Bramhall bested his familiar P3 by one to finish second and Scott Ullmann took third. A special mention in the blog also goes to Philippe Riehl of France who gained a monster 19 places to finish P9. 

See you at the next race (Tue 14 Jun, from 19:30 UK time) which takes place over Belgium’s Zolder circuit. And remember you can tune into the fun as we’ll be streaming live on Twitch.  

About the author 

James Tyrrell is a Threat Modelling Analyst at Copper Horse. 

Race report: Laguna Seca Raceway, 25 May 2021

Bruised and battered on a dark night in central California, car 59 refuses to give up and comes home P27. 

Race 4 got off to a cautious start as drivers were reminded by race officials to obey the white lines and to know where to bail out when things go wrong. Laguna Seca Raceway, a circuit built around a dry lake bed and completed in 1957, contains one of the most demanding sequences of turns on the calendar. Known as ‘the corkscrew’, the challenging left, right, left chain of corners drops vehicles some 18 m (59 ft) – roughly five and a half storeys – over a track distance of just 137 m (450 ft), a combination that has a cruel habit of spitting cars into the barriers. Add to that the sand around the track, which can spin a car with the slightest touch of a rear wheel, and over 30 cars all fighting for position on a tight circuit that can be lapped in less than 85 seconds. 

Taking the plunge down the steep corkscrew

So, would the corkscrew throw drivers off course? You betcha! And if the track wasn’t already challenging enough, series organisers Apex Online Racing had decided to dial up the difficulty another notch by running the race under night conditions.   

A dark and difficult race

Navigating the track successfully under a pitch-black sky is helped by the powerful headlights on the GT3 cars. The same goes for drivers on normal roads finding their way on an otherwise unlit part of their journey. But what would happen if the headlights failed? It’s a scenario that we consider on our vehicle-hacking simulator, which demonstrates — in a safe and controlled environment — what it would be like to drive a car or truck that is experiencing a cyber-attack. We can tell you from experience that the lights going out unexpectedly, at speed, is a truly terrifying experience, even in a simulator. 

Threat modelling and cyber-security management 

Automotive cybersecurity standards and regulations such as ISO 21434 (Road vehicles – Cybersecurity engineering) and UN Regulation No. 155 (Uniform provisions concerning the approval of vehicles with regards to cyber security and cyber security management system) provide frameworks for vehicle manufacturers to consider such threats.  

Browsing these documents, you’ll notice that one of the worked examples (in Annex G of ISO 21434) explores potential attack paths that could lead to a loss of road illumination during night driving, and how the resulting risks are managed. 

The Lamborghini headlights piercing the night

Thankfully, both headlights on the Copper Horse-liveried Lamborghini Huracan were fully operational during race 4. In pre-race practice, a good setup of the car, from its aerodynamics through to tyre pressures, showed that swift lap times could be achieved by Copper Horse Racing, with the car 6th fastest. The short and tight circuit meant that qualifying ‘flying laps’ were impacted by traffic, and by the end of the 15 minute qualifying session Copper Horse’s Lamborghini was 22nd on the grid of 31 cars.  

In the race itself, not everything ran so smoothly as early collisions (with other cars and barriers) meant that car 59 had to make its way to the pits twice to repair mechanical damage costing precious time.  

Glowing brakes as Copper Horse Racing’s David Rogers rounds T11 into the home straight

It was a test of mental resilience to stay the course of the race, and given the hurdles, surviving the 60 minute race was somewhat bittersweet given what could have been. The championship points gained, although small, could prove important when the series concludes on 29th June at Silverstone. 

Fireworks mark the end of a tough race which could have been so different

Mid-season review 

With four races done, we’re now halfway through the series with Copper Horse lead driver David Rogers currently 31st out of 46 entrants in the Tier 10 overall standings. At the top of the table is UK racer Dave Bramhall, who bagged another P3 finish – his fourth in four races! Scott Ullmann is in second, finally making it onto the podium after getting close in each of the previous races. And in third spot is Justin Dawson whose points took a hit after placing P36 in race one, but he’s on a mission to make up for it – scoring three P1 finishes in a row. 

Porsches dominated at Laguna Seca; Justin Dawson in car 12 leads from Scott Ullmann in 222

Drivers have a fortnight in which to recharge before the next race on 8 June 2021 at the Bathurst Mount Panorama circuit in Australia. The weather conditions are not looking good… 

We were able to successfully broadcast the race from Laguna Seca live, so will continue this for the next race. If you fancy watching then check out drogersuk on twitch from 19:30 UK time. See you then! 

About the author 

James Tyrrell is a Threat Modelling Analyst at Copper Horse. 

Race report: Circuit de Barcelona-Catalunya, 18 May 2021

Best result so far for Copper Horse Racing, as David Rogers gains 12 places during the race to finish P20.

Under pressure: Car 59 had the competition on its tail for the first phase of the race

Dried off and ready for a slightly longer race 3, car 59 was lapping well in practice around Circuit de Barcelona-Catalunya, but stringing together a clean lap during qualification proved difficult. A familiar track to Formula 1 fans, the Barcelona circuit is quick to punish mistakes with lost time. In the twisty final sector, misjudging slow corners such as the 180 degree bend starting at ‘La Caixa’ (turn 10) will soon undo any gains made earlier in the lap. And getting a clean exit out of the final chicane is crucial to cutting the timing beam at top speed.

At the end of qualifying, Copper Horse’s 2015 Lamborghini Huracan was lined up in 32nd position, 2.874 secs off the fastest Tier 10 lap time of 01m:45s.243 set by Italian driver Gianluca Cappellini in a Porsche 991. In Tier 1, Maciej Malinowski – also driving a Porsche – travelled the same distance in an unfathomable 01m:42s.684.

But the race is won after 90 minutes, not over a single lap, and a lot can happen in that time – especially when you have a 1047 m long start/finish straight terminating in a sharp right-hand turn! Plus, there’s a refuelling stop to calculate – get it right and you’ll fly home with fumes in the tank, get it wrong and it’ll cost you valuable lap time.

Crunch time: Copper Horse’s white Lamborghini skirts around the carnage at turn one.
Pitstop action: refuelling added to the complexity of the 90 minute race.

Following last week’s rain-soaked race at Donington Park, competitors were happy to see a change in the weather at the Barcelona circuit. For race 3, sim-racing league organisers Apex Online Racing had dialed in dazzling sunshine, catching drivers in the eyes coming into sector 3 and driving out of sector 1.

Sunshine and clear skies: no need for windscreen wipers at race 3.

Blinding the Technology
Linking this scenario to our threat modelling work for automotive, it’s worth mentioning that it’s not only the driver that gets blinded by the sun. Bright light can trouble advanced driver assistance systems (ADAS) too. There are examples on YouTube showing how Tesla’s lane change feature can fail when sun glare prevents the vehicle’s forward-facing cameras from distinguishing the white lines on the road. Similarly, Comma.ai’s ‘Openpilot’ – a lower cost alternative for non-Tesla owners, which is based on a smartphone that looks out through the vehicle’s windscreen – has also been observed to lose tracking under sunny conditions.

Other products besides ADAS can also be vulnerable. If you have a robot vacuum cleaner, you might want to close the curtains before letting it loose, as Terence Eden (@edent) and many other customers have found that streaks of sunlight can stop such gadgets in their tracks.

Close racing: Lamborghini and McLaren drivers battling for position

Back in Barcelona, it was hard to blame the sun for a tap on the side that nudged car 59 off the track as close racing was pushed to its limit. But even with a couple of lost places, Copper Horse Racing’s driver David Rogers was still well up on qualifying, finishing P20 and bringing momentum into race 4. It wasn’t as comfortable a drive as it appeared though, as a poorly chosen set of brake pads struggled to last the full 90 minutes, with the car suffering from brake fade in the second half of the race.

Podium Positions and Driver of the Day
At the top of the table, Canada’s Justin Dawson took the #1 spot for the second time in a row, while P1 qualifier Gianluca Cappellini slid back one position in the race to come second. Completing the podium, for the third time in three races, Dave Bramhall finished P3.

Driver of the day – a stat based on the number of positions gained during the race – goes to Marc André Stoltenberg of Germany in car 24 who gained 18 places to finish P16.

Driver of the day: Marc André Stoltenberg in the black Audi takes the inside line.

Next week, the driving conditions will change again as competitors experience the league’s only night race of the season at Laguna Seca Raceway – a scenario that will make track knowledge more important than ever and the track’s infamous corkscrew even more perilous.

Tune in next week for more updates on car 59’s progress in Apex Online Racing’s Assetto Corsa Competizione GT3 League Season 7.

About the author
James Tyrrell is a Threat Modelling Analyst at Copper Horse.

Race report: Donington Park, 11 May 2021

Copper Horse brings home its 2015 Lamborghini Huracan GT3 safely in one piece on a wet and wild evening at the Donington Park circuit. 

After our introduction to league sim racing last week in France at Circuit Paul Ricard, car number 59 – driven by Copper Horse’s David Rogers – was back on track for race 2 of AOR’s ACC league, season 7. Same car, same driver, but dramatically different driving conditions this time around as rain hammered down, threatening spins at every corner. 

Poor Networks and eSports 

Our initial qualification was marred by a network disconnection, forcing us to the back of the grid for the race. This is something that we’ve been highlighting as a strong use case and justification for high-availability 5G network slices. A couple of weeks ago the BMW and Williams Esports driver Sami-Matti Trogen lost his internet connection during his driving stint of a 24 hour race at the Nürburgring whilst in 2nd place, an incident that dropped him down to 8th. 

Luckily the BMW team fought back to 3rd place. We’ll see lots more of this in the future and it’s a timely reminder that resilience for future networks is critical – whether it be eSports or things that affect human safety. Another related requirement for esports is parity between upload and download speeds, i.e. similar bandwidth in both directions, something that future networks, 6G and beyond, should bring. We have been trying to stream our races and practice races so far, but the load on the network (primarily due to poor upload speeds) has caused one drop-out mid-race during a practice. This means that for our next race we’ll stream the replay after the event rather than live during the actual race, rather than risk a disconnect – particularly during a 90 minute race. In the future we may try some ‘out-of-band’ streaming over 5G by using a 5G Wi-Fi module, so watch this space. 

The Race 

With so much water on track it was always going to be a challenge to stay between the white lines, especially coming out of the sweeping right, left sequence of Hollywood and Craner Curves, where cars pick up speed on the downhill before navigating a tight right-hander at the Old Hairpin.  

Side-by-side on a tight circuit

Other tricky turns included Coppice, which appears at the top of a climb and was starved of grip under the wet conditions. Touch one wheel on the grass and you’d soon be experiencing the motion of the sim rig as it replicates the loss of traction through a sliding mechanism under the driver’s seat. 

Rear view – the spray added to the difficulties faced by all the drivers in the wet

Realism is a big part of the Copper Horse simulator as it supports our goal of safely sharing the experience of what it’s like to drive a vehicle that is being hacked. The custom setup features a number of added automotive elements including a CAN bus – a vehicle network that we have been studying in detail together with our partners in the Secure-CAV consortium.  

CAN bus is popular not just in cars, but also in elevators and even coffee machines. And the hacking simulator provides a great tool for highlighting the security risks that developers should be aware of, as well as demonstrating the mitigations that can be applied to protect the network. 
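As an added example (written for this edit, not code from the Copper Horse simulator or the Secure-CAV project), the Python below builds a constructed CAN-style exchange that ties together the legacy-protocol point from the Zolder report, the lights-out scenario from the Laguna Seca report and the mitigations mentioned here. A legacy ECU obeys a forged ‘lights off’ frame because classic CAN carries no sender identity; an ECU that checks a truncated HMAC and a freshness counter (in the spirit of AUTOSAR SecOC) rejects both the forgery and a replayed genuine frame; and a key-less timing monitor on the bus flags both injections. The arbitration ID, payload layout, send period and key are hypothetical.

```python
"""Constructed CAN-style demo: a bus with no sender authentication obeys a forged
'lights off' frame; a MAC-plus-counter check and a timing monitor catch it.
Every ID, layout, period and key here is hypothetical."""
import hashlib
import hmac
from dataclasses import dataclass

LIGHT_CMD_ID = 0x1A0           # hypothetical arbitration ID: exterior lighting command
PERIOD_MS = 100                # hypothetical send period of the body controller
MAC_LEN = 6                    # bytes of truncated HMAC-SHA256 carried in each frame
KEY = b"constructed-demo-key"  # shared symmetric key, provisioned out of band


@dataclass(frozen=True)
class Frame:
    can_id: int
    data: bytes  # classic CAN payload: 0-8 bytes
    t_ms: int    # time the frame appeared on the bus


def _mac(key, can_id, payload):
    # Bind the tag to the ID as well as the payload so it cannot be moved to another message.
    return hmac.new(key, can_id.to_bytes(2, "big") + payload, hashlib.sha256).digest()[:MAC_LEN]


def build_frame(lights_on, counter, t_ms, key=None):
    """Byte 0: lights on/off; byte 1: freshness counter; bytes 2-7: MAC when keyed."""
    payload = bytes([1 if lights_on else 0, counter & 0xFF])
    if key is None:
        return Frame(LIGHT_CMD_ID, payload, t_ms)
    return Frame(LIGHT_CMD_ID, payload + _mac(key, LIGHT_CMD_ID, payload), t_ms)


class LegacyEcu:
    """Plain CAN: whoever puts the right ID on the bus is obeyed."""
    def __init__(self):
        self.lights_on, self.history = True, []  # history: (t_ms, lights_on)

    def receive(self, frame):
        if frame.can_id != LIGHT_CMD_ID:
            return False
        self.lights_on = bool(frame.data[0])
        self.history.append((frame.t_ms, self.lights_on))
        return True


class AuthEcu:
    """Obeys a frame only if its MAC verifies and its counter is newer than the last seen."""
    def __init__(self, key):
        self.key, self.lights_on, self.last_counter, self.rejected = key, True, -1, []

    def receive(self, frame):
        if frame.can_id != LIGHT_CMD_ID:
            return False
        payload, mac = frame.data[:2], frame.data[2:]
        if len(frame.data) != 2 + MAC_LEN or not hmac.compare_digest(
                mac, _mac(self.key, frame.can_id, payload)):
            self.rejected.append((frame.t_ms, "bad_mac"))
            return False
        if payload[1] <= self.last_counter:  # a genuine but old frame being replayed
            self.rejected.append((frame.t_ms, "stale_counter"))
            return False
        self.last_counter, self.lights_on = payload[1], bool(payload[0])
        return True


class TimingMonitor:
    """Key-less bus-side check: a periodic ID arriving well ahead of schedule is suspicious.
    The schedule is not advanced on an alert, so an injected frame cannot shift it."""
    def __init__(self, period_ms):
        self.period_ms, self.last_t, self.alerts = period_ms, None, []

    def observe(self, frame):
        if frame.can_id != LIGHT_CMD_ID:
            return
        if self.last_t is not None and frame.t_ms - self.last_t < 0.75 * self.period_ms:
            self.alerts.append(frame.t_ms)
            return
        self.last_t = frame.t_ms


def run_demo():
    """Honest controller: 'off' at t=0 (daytime), then 'on' every 100 ms. Attacker: a forged
    'off' at t=250 without the key, then a replay of the captured t=0 frame at t=350."""
    honest = [build_frame(False, 0, 0, KEY)]
    honest += [build_frame(True, n, n * PERIOD_MS, KEY) for n in range(1, 5)]
    forged = build_frame(False, 99, 250, key=b"attacker-guess")
    replay = Frame(LIGHT_CMD_ID, honest[0].data, 350)
    legacy, auth, ids = LegacyEcu(), AuthEcu(KEY), TimingMonitor(PERIOD_MS)
    for frame in sorted(honest + [forged, replay], key=lambda f: f.t_ms):
        legacy.receive(frame)
        auth.receive(frame)
        ids.observe(frame)
    return {
        "legacy_dark_at": [t for t, on in legacy.history if not on and t > 0],  # [250, 350]
        "auth_rejected": auth.rejected,   # [(250, 'bad_mac'), (350, 'stale_counter')]
        "auth_lights_on": auth.lights_on,  # True
        "ids_alerts": ids.alerts,          # [250, 350]
    }
```

Two design points are worth noting. The replay at t=350 carries a perfectly valid MAC, so a MAC alone is not enough; it is the freshness counter that rejects it, which is why such schemes pair the two. And the timing monitor needs no key at all, which makes it the kind of mitigation that can be retrofitted to a legacy bus whose ECUs cannot be changed, at the cost of only detecting rather than preventing the injection.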

On track, the biggest danger was cars facing the wrong direction. Battling not just the other drivers but also the grisly weather, it was a good result to finish P29 after a first lap, turn 1 crash involving most of the field had severely damaged the car. 

A double-slide in front of the Copper Horse car, narrowly avoided

Weighing up the competition  

Jahn Solo of Germany and Dave Bramhall of the UK appear strong contenders for the title with both taking podium spots at Paul Ricard and Donington. Fortunes can change fast, as fellow Tier 10 driver Justin Dawson of Canada demonstrates – improving from a P36 finish in race 1 to take the top spot a week later. 

Every driver faced a tough fight against the conditions and each other

Next up in the eight-race series is a 90 minute race tonight (18th of May 2021) at the Circuit de Barcelona-Catalunya. This time the windscreen wipers can stay off as the weather will be dry and sunny – something that can be guaranteed in the sim world! 

Hopefully we’ll be able to stream live again in the next couple of weeks. We’ll advertise replay streams on the @copperhorseuk twitter account. 

About the author 

James Tyrrell is a Threat Modelling Analyst at Copper Horse. 

Combining Future Automotive Security with eSports

David Rogers explains the launch of something completely different for Copper Horse, and why it isn’t... well, completely different.

During the 2020 lockdown, our company was busy in the early stages of an InnovateUK project called Secure-CAV, together with our partners from Siemens, the Universities of Coventry and Southampton. The project is looking at how to secure the Connected and Autonomous Vehicles (CAVs) of the future, particularly at the lowest levels of the technology stack.

Using our experience in the mobile and IoT security space and particularly in hacking and securing hardware-level systems we have been working on a range of activities from real-world threat modelling through to dismantling and reverse engineering the hacking equipment used by criminals seeking to exploit vehicles in various different ways.

We had to adapt our ways of working such that we duplicated some of our equipment setups across the different partners and found new ways to collaborate. We also had access to some real vehicles which has helped us along the way.

One of the things that we wanted to do from early in the project was to be able to allow people to experience what it was like to be in a vehicle that was actively being hacked. Short of bringing people to test tracks and signing lots of insurance waivers, there aren’t many ways that this can be achieved. What we have done is to build a vehicle hacking simulator, which we’ve been able to feed telemetry from various simulators into to provide a ‘real’ physical experience. We’ll be talking a lot more about this in future blogs, but for now I want to tell you about something that came out of that work.

I have long been a big fan of different kinds of motor racing whether it be hill-climbing at Shelsley Walsh or Rallycross at Croft Circuit, so like many others during the various lockdowns, I decided to take up sim racing. This is a huge and passionate community and many of the real world racing teams are active in this esports world. Drivers including Rubens Barrichello, Jenson Button and George Russell are active sim racers. Whilst this is just the start of my journey, it is really enjoyable and it is nice to be able to compete in such a great community of people from around the world. There are some incredibly skilled drivers out there that would give some of the world’s best real-world drivers a run for their money.

With our Copper Horse Racing Team, I have begun competing in the Apex Online Racing Assetto Corsa Competizione GT3 Racing League, driving a Lamborghini Huracan GT3. We are competing in Tier 10 of the league – the Tier 1 and 2 races are broadcast each week online, with commentary.

Our car displays the logos of all our Secure-CAV project partners as well as You Gotta Hack That, not forgetting That Media Group for our fantastic vehicle livery.

Car Number 59 – the Copper Horse Racing Lamborghini Huracan GT3

For the simulator itself, we’re running a DoF Reality P3 motion rig, an entry-level setup of G29 wheel and pedals and triple 31″ screens supported by the lesser-spotted Nvidia GeForce RTX 3070 video card. We’ll do a proper walkthrough of the rig in another blog as we have a very special and interesting setup.

Our first race took place last Tuesday (the 4th of May 2021). I have to be honest, it was pretty nerve-wracking. The lap times were fast and the action was hot at the Circuit Paul Ricard in France.

A close finish at Circuit Paul Ricard

I managed to drive a clean race without damage (despite there being absolute carnage at turns 1 and 2 which will surprise no-one in the sim racing community!) and finished 28th, which I’ll take for a first race on a track that the Lamborghini was never going to be a fan of.

Passing an injured Aston Martin at Circuit Paul Ricard

Race 2 will take place tonight (the 11th of May 2021) and is at a very wet and rainy Donington Park in the UK, for all the different drivers, ranking through Tiers 2-10. You can see last night’s elite Tier 1 race below:

Tier 1 Donington Park Race

Drivers are able to get practice sessions in to try the conditions as well as a couple of practice races. The conditions are tough for this race – 100% wet and a very tight circuit, which means passing (and allowing cars through on blue flags) can be quite difficult. What I’ve been rapidly learning over the past week is that the right setups can drastically improve lap times. You can watch live on my Twitch stream here from 7.30pm BST: https://www.twitch.tv/drogersuk

The full race calendar can be found at: https://apexonline.racing/league/19#calendar

A hard fought evaluation race at Spa-Francorchamps, Belgium

I’m looking forward to tonight’s race and the rest of the season, whatever happens! I hope you’ll join us on this journey over the next few months as we explain what we’re doing on future automotive security and take our car hacking rig on what should be an incredible journey!

Security by Design for Telecommunications Networks

David Rogers writes about future telecoms network security.

The UK5G Innovation Network recently published an article on the topic of Security by Design which I wrote a little while back, covering both IoT and managing risk in future networks. You can only fit so much into a couple of pages, so here’s a little bit more that I wrote on future telecommunications networks and the challenges of supply chain security.

An area that can’t have escaped anyone’s notice is the debate over what are now known as ‘High Risk Vendors’ in telecommunications networks. This mostly distils into a question over whether products and services are designed with security in mind. Risk can never be truly eliminated, but it can be reduced and managed. Equally, trust is something that needs to be gained and relied upon and is not simply about technology. Between businesses and governments, trust is about keeping promises and whether statements or actions are truthful and verifiable. Future networks in telecommunications both rely on secure technology and trust.

Food security could be significantly disrupted by attacks on connected agriculture

In general, it is often difficult to justify security measures to businesses as there is no obvious return on investment. Some companies have taken the attitude that they can weather any storm from a cyber attack because there is no real financial downside. This is beginning to change: large businesses have been hit by ransomware attacks that have crippled their operations, in some cases putting them out of business, and governments are finally beginning to acknowledge and take cyber-crime seriously.

Increasing Resilience

As telecommunications networks have developed, we’ve slipped into a world where our reliance on them is such that we can’t afford for them to be disrupted.

The 5G vision is a collection of technologies, including different types of IoT radio and device types across multiple different sectors or ‘verticals’. This opens up a new set of issues around the ‘cyber-physical’ space – that is, attacks no longer remain purely virtual. A cyber attack could potentially interact with a real-world object or system, causing catastrophic consequences. In farming this could mean the loss of irrigation, causing food security issues. In heavy industry, this could mean the complete destruction of a blast furnace, and in the automotive sector it could mean that cars are stopped in the middle of the road, essentially halting the economy instantly.

Disruption to connected vehicles could cripple economies

Hostile nation states are already seeking to take advantage of the fact that the weakest links can be the most effective points of attack. Taking over a consumer or small business router can allow the attacker to create a bridgehead inside the UK, opening up all sorts of possibilities, including distribution of disinformation or ‘fake news’.

In addition, networks are shifting from a world where individual hardware boxes make up a network to one in which those functions are ‘virtualised’, with all the functions now built into software. This means greater speed and reliability on the one hand, but also means that you’re really putting your eggs in one basket on the other.

Increasingly, there has been a drive to reduce costs and this has meant that in some cases security is at the end of a long list of requirements. This is where government has a role – to level the playing field such that everyone must provide an acceptable bar of security for entry into the market in the first place, thus affording every citizen in a country a certain guarantee of protection from the disruption of security compromise of a telecoms network or equipment vendor.

The supply chain that we’ve slipped into also means that companies are increasingly relying on open source software – that is, software that is developed by a community of individuals openly and collaboratively and released for anyone to use under a licence. The challenge that has been faced for years is that companies are very happy to ‘take’ software for free, but rarely contribute back. This is a particular issue for security. While open source is openly visible for peer review, attackers aren’t going to submit a fix for security flaws they find! This, combined with many companies not keeping up to date with the open source libraries in their products and services, can be a real issue for security.

Addressing the Challenges of Supply Chain Security

These risks mean that extra attention has to be paid to the fundamentals of how networks are built from the ground up and how to make them more resilient. From a security design perspective, that means building defence-in-depth, mobile network operators not relying on single vendors in order to spread the risk more evenly, and validating that what is being built doesn’t contain known security vulnerabilities and flaws. It isn’t possible to create a flawless system, and it isn’t possible to design software and hardware without the possibility of security vulnerabilities. Acknowledging this fact, however, leads to the conclusion that companies need to stay on top of security research and have systems and processes in place to deal quickly with security vulnerabilities and exploitation as they arise. While the country of origin of a product or service is clearly a security consideration for both companies and governments, if the product can be thoroughly validated and meets a good level of product security together with other cyber security measures, its origin matters much less. The overriding concern is that if a product or service supplied from anywhere in the world is fundamentally insecure, any country could theoretically attack it successfully; it doesn’t matter where the product originally came from.

There are many factors in the telecommunications supply chain to consider, including hardware security, cryptographic key management, logistics, testing, auditing and security vulnerability management. From an industry perspective, for network operators many of these are areas that have been opaque for some time, with vendors supplying products which have had little to no security and basic issues such as default passwords. For vendors, operators have not been willing to pay more for security and have squeezed vendors for lower-priced products; vendors are not really questioned when products are delivered with basic security flaws. For the entire world, there is a shortage of engineers who understand security – a failure by governments and the education system to understand that security must be a core component of modern engineering degrees and training. While some action has been taken, it cannot currently supply the demand that exists now or will exist in the future. Companies therefore need to step up and, as part of their efforts to increase security, invest in training their own existing staff on product and cyber security.
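The points above about validating that a build contains no known vulnerable components, and about companies failing to keep their open source libraries up to date, come down to a routine check: compare what is actually in the product against what is known to need fixing. The following is an added example written for this page (not Copper Horse’s tooling, nor any vendor’s or operator’s). The component names, version strings and advisory identifiers are constructed placeholders, not real advisories, and the only assumption is that an advisory gives a fixed-in version below which a component is affected.

```python
"""Flag components in a product's software inventory that are behind a known
fix version.  Added example for the supply-chain discussion; not Copper Horse
code.  All component names, versions and advisory IDs are constructed."""

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:
    """Constructed advisory record: versions strictly below `fixed_in`
    of `component` are affected."""
    advisory_id: str
    component: str
    fixed_in: str


def parse_version(text: str) -> tuple:
    """Turn '7.9p1' into (7, 9) by taking the leading digits of each dotted
    piece, so that comparison is numeric rather than lexical ('7.10' must
    sort after '7.9', which plain string comparison gets wrong)."""
    parts = []
    for piece in text.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True if version string a is strictly older than b.  Shorter tuples
    are padded with zeros so '1.0' and '1.0.0' compare as equal."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return va < vb


def is_affected(component: Component, advisory: Advisory) -> bool:
    if component.name != advisory.component:
        return False
    return version_lt(component.version, advisory.fixed_in)


def audit(inventory, advisories):
    """Return (component name, shipped version, advisory id) for every
    inventory entry that is older than an advisory's fixed-in version.
    An empty list means nothing in the inventory is known to be behind."""
    findings = []
    for comp in inventory:
        for adv in advisories:
            if is_affected(comp, adv):
                findings.append((comp.name, comp.version, adv.advisory_id))
    return findings


# Constructed sample inventory, as might be extracted from a build's SBOM.
SAMPLE_INVENTORY = [
    Component("example-http-parser", "2.3.1"),
    Component("example-tls", "1.0"),
    Component("example-json", "4.0.0"),
    Component("example-sshd", "7.9p1"),
]

# Constructed advisories (placeholder IDs, not real CVEs).
SAMPLE_ADVISORIES = [
    Advisory("EXAMPLE-ADV-0001", "example-http-parser", "2.4.0"),
    Advisory("EXAMPLE-ADV-0002", "example-tls", "1.0.0"),   # 1.0 == 1.0.0: not affected
    Advisory("EXAMPLE-ADV-0003", "example-json", "3.9.2"),  # 4.0.0 is newer: not affected
    Advisory("EXAMPLE-ADV-0004", "example-sshd", "7.10"),   # 7.9 < 7.10 numerically
]


if __name__ == "__main__":
    for name, version, advisory_id in audit(SAMPLE_INVENTORY, SAMPLE_ADVISORIES):
        print(f"{name} {version} is behind fix for {advisory_id}")
```

The two commented advisories are the edge cases that make a naive string comparison unreliable: a trailing ".0" that should not count as a difference, and a two-digit minor version that sorts before a single-digit one lexically. A real process would feed this from the product’s SBOM and a maintained advisory source, and run it on every build rather than once at release.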

Preventing Insecure Connected Products Being Sold

Work on improving security in the Internet of Things (IoT) continues apace! The UK government has reached another milestone in its mission to make the country one of the most secure places to do business and to live in, with the release of proposals for regulating the cyber security of smart products. They are well worth a read and provide a good steer as to what the future of insecure connected products will look like when we collectively say ‘Enough is enough’.

This Call for Views invites feedback until early September 2020 on a range of options as the government moves towards legislation based around the top 3 items in the UK’s Code of Practice for IoT Security:

1) To eliminate the problem of default passwords.
2) To ensure that companies in the IoT space have a way for security researchers to be able to contact them to report vulnerabilities in products.
3) To be transparent to consumers about how long software updates will be available.

These are anchored in the recently approved European standard for IoT security, ETSI EN 303 645, which has the support of industry and governments across the world, marking a significant harmonisation of views on how the problem should be approached.

The Call for Views outlines the aims of the government – to achieve an outcome where there are no products available on the UK market that are non-compliant with the above. In simple terms – you shouldn’t be able to buy a product that has not been designed securely.

This is of course just the start. The items above are fundamental, but there are many different types of security that should be built into products; it’s just that some manufacturers of products and services choose not to do that. You wouldn’t allow a food manufacturer to supply to shops if they hadn’t taken basic sanitation measures, so why should that be allowed in the smart product space?

Proposed Scope

The scope of products included is broader than IoT products and covers nearly all the connected products you could find in a home, including laptops and mobile phones. As PCs and mobile phones have been under attack for many years now, product security in those industries is significantly more mature, and it really shouldn’t be an issue for those companies to conform to the basics because they’re already doing them.

The core scope is the connected products that everyone has concerns about – children’s toys, cameras, appliances such as fridges or washing machines, safety-relevant products such as connected door locks and so on as well as IoT ‘hubs’.

One area that has been a significant concern for many years is home routers. These rarely get updated and often stay in place in homes for many years without being touched. If they’re compromised, they can create a big issue for users because they’re the point of entry to the home and everything else that is connected; equally, compromised routers and other equipment at scale can create harm to others across the world by being used as part of other types of attack.

The proposed scope also covers home workers by including things like printers and office equipment that you might find in both a home or office. This is particularly relevant as businesses have shifted their workforces to home during the Covid-19 crisis.

Some product types are out of scope because there is existing or forthcoming regulation in those domains – for example, smart Electric Vehicle (EV) chargers, smart meters and medical devices.

Enforcement

The work laid out in the proposals sets out the obligations on Producers and Distributors, formalising the language that has been used thus far such that it forms the basis of a legislative and regulatory framework governing people who make products and also those that sell them into the UK. It also means that there must be a way to test and declare compliance of these products. This comes at a good time, as the EU Cyber Security Act will also require such action to take place across lots of different types of networked products. The proposals also lay out when they expect companies to be compliant – it is proposed that everything must be in place within 9 months of Royal Assent of the legislation. The implication is that companies have had long enough and enough warnings that these practices are simply not acceptable.

The list of proposed enforcement actions aligns with other existing ways of removing products from the market – i.e. issuing compliance notices, through to enforcement with real teeth: it is proposed that order breaches are contempt of court which carries a maximum penalty of a fine and two years’ imprisonment. Forfeiture and destruction of products are also on the table as well as financial penalties – the fine amounts are to be determined but a note states that other regulations consider fines of up to 4% of annual worldwide turnover (a clear reference to the EU data protection regulation GDPR). This alone shows that the intent is for the regulation to have real teeth and that the government means business. The ‘Avengers’ team of superheroes working on this project at DCMS and NCSC have done a fantastic job once again, supported by lots of other government departments. Especially now as well – ‘Quiet Batpeople’ is certainly not the right term, but these individuals have all also been volunteering to deal with various aspects of the Covid-19 response, so to deliver this work as well is a huge achievement!

Mapping the Global Direction and Understanding of IoT Security

Understanding where everyone stands on this from a technical perspective is a tough job. I am lucky to have a fantastic team who have been working on doing just that. We have continually been monitoring the progress of IoT security recommendations and standardisation and will continue to do so. Our work can be seen at https://iotsecuritymapping.uk. We recently added recommendations from Australia, Singapore, California’s new law on connected device security and the US National Institute of Standards and Technology (NIST)’s Device Cybersecurity Capability Core Baseline. There are more documents being mapped soon and we’re tracking work from Brazil, to India, to proposed legislation in the US State of Oregon.

We have noticed that there is defragmentation of ideas and recommendations happening across the world as there is a greater collective understanding of the problem domain and how to solve it. The mappings that we have recently created show strong alignment against the top 3 items listed above. We have also observed that whilst some countries are slightly less mature than the UK in tackling the issue, they can benefit from the international standardisation that has taken place and are starting to adopt and endorse this already. Truly we can adopt a global stance that it is unacceptable to provide connected products without even considering the basics of product security.

The Call for Views is open until the 6th of September 2020 and anyone can give feedback on the proposals to DCMS at: securebydesign@dcms.co.uk.

Here’s some more background material if you’re interested in further reading:

Automotive threat modelling: off-the-shelf solutions

Copper Horse’s automotive cybersecurity posts, including Automotive threat modelling: off-the-shelf solutions, can now be found on the Secure-CAV microsite.

Secure-CAV is an ambitious collaborative project that aims to improve the safety and security of tomorrow’s connected and autonomous vehicles through a combination of cybersecurity monitoring, hardware solutions, machine learning and functional demonstrators.

About the author

James Tyrrell is a Threat Modelling Analyst at Copper Horse.

Legislating for Security in Consumer IoT

Copper Horse CEO, David Rogers discusses today’s UK government announcement on legislation for consumer IoT security.

Today marks another step along the road for IoT security – the teeth of legislation and regulation to deal with companies that do not implement security in their consumer IoT products. It is likely that the UK will become the first country in the world to legislate on IoT security.

In May 2019, the UK government launched a consultation into regulation for the security of consumer IoT. The consultation is now complete, with 49 responses and a decision to move ahead with legislating for the top 3 items from the Code of Practice for Consumer IoT Security and ETSI TS 103 645 (pdf). Work is ongoing to bring the ETSI TS to a full European Standard or EN – the draft EN is currently out for review (pdf) until the end of February with National Standards Organisations.

For everyone, the time to act is now

From a personal perspective, I really think this is a huge step. Over the past couple of years I’ve been privileged to work with a fantastic team at DCMS and the NCSC who have been really motivated to help people and understand the problem space. The consumer support for legislation is there and we know that security can be implemented by manufacturers because some companies are already doing it and the security technology is available to be used. We already knew what good looked like – we just wrote it down and prioritised it. What we’ve seen is support from a number of countries and organisations and a recognition that acting now to address the fundamental security concerns is the right way forward.

We also know to a certain extent what the real situation is like in the market. In 2018, we conducted research on behalf of the IoT Security Foundation which showed that fewer than 10% of the manufacturers we surveyed had any way for a security researcher to contact them. The results of our follow-up survey are out this quarter and will reflect a broadly similar situation. Security by design is a concept that some companies choose to ignore because they think that they can get away with it or it doesn’t matter. Well, if you want to ship products to the UK in the future, you had better get your act together pretty quickly.

Considerations

One of the things that I think we need to be aware of is the danger of penalising ‘good’ manufacturers, rather than the rogue ones. I’ve seen this before with work I’ve done against counterfeit and so-called ‘sub-standard’ electronic products. Some measures that are proposed against counterfeit only increase the cost for the ones who will abide by the rules anyway, while the rogue ones get away with continuing to do nothing. In this case, I think we have the balance right. The measures being put forward are a foundational baseline; these are things that are really fundamental, but if not implemented can cause huge consumer harm. Default passwords in consumer devices in this day and age are, well, pretty stupid when there are better, safer alternatives for enrolling users to devices and for initiating products from factory defaults. What we’re also asking for is transparency:

  • in access – for security researchers who want to report vulnerabilities to manufacturers easily and;
  • about the minimum length of time that devices will get security updates.
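Both this post and the Call for Views summary earlier on the page put ‘eliminate default passwords’ first, and the paragraph above mentions that safer alternatives exist for enrolling users and initiating products from factory defaults. The block below is an added example of one such alternative, written for this page rather than taken from Copper Horse, the Code of Practice or any real product: the device ships with no usable password at all, carries a per-unit setup code instead of a shared factory credential, refuses all logins until the owner has set a password, and rejects passwords that are well-known defaults or derived from identifiers printed on the label. The device identifiers, the list of rejected strings and the PBKDF2 parameters are constructed for the illustration.

```python
"""First-boot enrolment for a consumer device that has no default password.
Added example for the 'eliminate default passwords' item; not Copper Horse
code and not modelled on any real product.  Identifiers, the rejected-string
list and the key-stretching parameters are constructed for illustration."""

import hashlib
import hmac
import secrets

# Constructed list of factory-style credentials that must never be accepted.
KNOWN_DEFAULTS = {"", "admin", "password", "root", "12345678", "default"}
MIN_LENGTH = 10
PBKDF2_ROUNDS = 100_000  # constructed value for the example


def password_acceptable(password: str, serial: str, mac: str) -> bool:
    """Reject well-known defaults, short strings, and anything containing an
    identifier an outsider could read off the label or see on the network."""
    lowered = password.lower().replace(":", "")
    if lowered in KNOWN_DEFAULTS or len(password) < MIN_LENGTH:
        return False
    printed_identifiers = {serial.lower(), mac.lower().replace(":", "")}
    return not any(ident and ident in lowered for ident in printed_identifiers)


class Device:
    def __init__(self, serial: str, mac: str):
        self.serial = serial
        self.mac = mac
        self._salt = None
        self._pw_hash = None
        # Per-unit setup code generated at manufacture and printed on the
        # device label: proves physical possession during first enrolment,
        # unlike a shared factory password that is the same for every unit.
        self.setup_code = secrets.token_hex(8)

    def password_set(self) -> bool:
        return self._pw_hash is not None

    def _derive(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def set_initial_password(self, setup_code: str, new_password: str) -> bool:
        """Enrolment succeeds only once, only with the unit's own setup code,
        and only with a password that passes the policy."""
        if self.password_set():
            return False
        if not hmac.compare_digest(setup_code, self.setup_code):
            return False
        if not password_acceptable(new_password, self.serial, self.mac):
            return False
        self._salt = secrets.token_bytes(16)
        self._pw_hash = self._derive(new_password, self._salt)
        return True

    def login(self, password: str) -> bool:
        """Every login path is closed until enrolment has completed, so there
        is no window in which a factory credential could be used remotely."""
        if not self.password_set():
            return False
        candidate = self._derive(password, self._salt)
        return hmac.compare_digest(candidate, self._pw_hash)


if __name__ == "__main__":
    unit = Device(serial="SN-000123", mac="02:00:00:aa:bb:cc")  # constructed
    print("login before enrolment:", unit.login("admin"))
    print("enrol with label code:", unit.set_initial_password(
        unit.setup_code, "correct horse battery staple"))
    print("login after enrolment:", unit.login("correct horse battery staple"))
```

The design choice worth noting is that the policy is enforced at the only moment a password is created, rather than by shipping a credential and hoping the user changes it; the setup code is per unit, so knowing one device’s code gives nothing against another.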

Both of these areas will serve to demonstrate a responsible, public commitment by manufacturers to addressing and resolving discovered security issues. Primarily, manufacturers should be honest towards consumers.

Last year when we created our mapping website, https://iotsecuritymapping.uk, we set out to both help manufacturers to understand how the UK’s Code of Practice mapped to the existing body of work and guidance on IoT security and privacy but also to provide some reassurance that what we were saying was not unusual – in fact, there was a broad consensus on what we were recommending, the fragmentation was really just in the semantics of how documentation from across the world was written. We made that available as open data precisely to help in the process of defragmentation and facilitation of common understanding. The decision by DCMS to translate the Code of Practice into multiple languages reduced the barrier to entry and understanding and acknowledged the truly global nature of both the electronics and software supply chain as well as the designers, security experts and security researchers across the world.

Next steps

The next few months are going to be hard work. My own anxiety is that there will also always be edge cases – those points at which adjustments need to be made or possibly where we haven’t considered certain use cases. I’m certain that the team working on it are conscientious and will work to understand manufacturer concerns and the feedback from the public consultation. Ultimately in all of this, we have had a choice – sit on our hands and wait for things to get worse, or get on and do something and make the world a safer place. We chose action over procrastination.

More reading on this topic: