In the world of autonomous vehicles, the shift from UHF/VHF communications to 4G connectivity has revolutionized operations—and introduced new risks. This article explores how to implement secure remote access for an autonomous vehicle using the Dispel Zero Trust Engine, tackling the challenges of real-time remote handling in an internet-connected landscape.
Traditional fleet management was about extracting data from vehicles to monitor health and performance. But as vehicles become more autonomous and connected via 4G, they are exposed to the vast and vulnerable terrain of the internet. This shift demands robust cybersecurity measures to protect these advanced systems from exploitation.
Our mission: retrofit an autonomous vehicle with Dispel's zero trust secure remote access. We'll cover everything from establishing connectivity to ensuring low latency and stringent security. We'll confront real-world challenges and demonstrate practical solutions to protect autonomous vehicles from cyber threats.
This journey is about more than technology—it's about securing the future of remote operations in an increasingly connected world. Join us as we explore how to safeguard autonomous vehicles, ensuring they operate safely and efficiently in the age of 4G connectivity.
Securing autonomous vehicles in the age of 4G
In this article, we delve into the practical implementation of secure remote access and operations for an autonomous vehicle using the Dispel Zero Trust Engine. This demonstration highlights how real-time remote handling can be effectively managed and the challenges one might encounter during the process.
Fleet management is traditionally thought of as pulling data from devices, vehicles, endpoints, or other IoT systems (your fleet) that are out in the field. This information covers system health, current conditions, operating time, and performance metrics for predictive maintenance. Data streaming such as this from IoT, OT, IIoT, XIoT and the rest of the connected alphabet soup is quite common and readily done.
Remote operation of semi- or fully-autonomous vehicles opens a new focus area, with serious cybersecurity controls. Unmanned systems including ground (UGA), aerial (UAV), and maritime surface (ASV/USV) typically focused on system availability, latency, and responsiveness. Drone cybersecurity is not as secure as you might hope or think—unless you've been cybersecurity for long and then this will come as little surprise that R&D went straight to sales.
Our purpose then is to show how machine builders and vehicle operators can continue to remotely control their equipment while easily dropping in an IEC 62443/NIST 800-82 OT cybersecurity platform to protect transmission and access.
Security challenges of autonomous vehicles
Autonomous vehicles share the same cybersecurity challenges as any other OT asset, with the added risk that the endpoint can now gain speed and hit things. Typically most drone vendors do not implement a comprehensive NIST 800-53-aligned security control suite onto their systems. At most, you will find they use code signing and data-in-transit encryption.
Of the 1007 controls and enhancements in NIST 800-53 Rev 5, data encryption in transit only address four (SC-8, SC-13, AC-17, and AC-18).
With drone using 4G LTE connectivity, the attack surface of the device is no longer limited to the realm of relatively near-field UHF concerns. A drone becomes any other IoT asset and should require the same protective controls any other OT device needs under NIST 800-82 or IEC 62443. Welcome to the whole internet.
Implementing Dispel Zero Trust
We wanted to see if we could retro-fit an autonomous vehicle with Dispel zero trust secure remote access.
Our platform
The team at Dispel labs decided to go with a LY-DG01 remote control lawn mower for two primary reasons:
The system is easily modded, meaning experimenting would be easier than a more delicate platform.
It was more rugged allowing for outdoor operations and maneuver in more realistic operating environments.
Taking delivery of our LY-DG01
Establishing Connectivity & Latency
Connectivity to LY-DG01 (LY for short) was straightforward. A 4G router and chip established traffic to the onboard switch. Using a Dispel Wicket ESI, we set up a Layer 2 overlay network from LY to our lab's regional SD-WAN.
Low latency is remote operations is crucial. Ping times matter more when you could be driving off a cliff. As with all OT assets, security functions should stay as close to the asset as possible for just this reason. In the case of our LY, the gas-powered drone-tank would require real-time handling.
Key Points:
Low latency is crucial for remote operations, especially to prevent accidents.
We placed the Dispel Region in our US-East availability zone to minimize ping times.
To minimize latency, we put the Dispel Region in our US-East availability zone. With over 30 availability zone around the world, Dispel Region SD-WANs allow us to keep networks as close as possible to the assets they're connecting to to minimize ping times.
With the handshake between the Wicket ESI and the Region established, we loaded LY into the Dispel Dashboard, assigning an IP address, subnet, port and protocol rules, and setting up the access control list (ACL) rules for remote connection.
Adding our drone to the Dispel Dashboard
Success and Remote Operation
With the LY-DG01 uplink established and registered, we achieved secure remote access and operation. Our logging, monitoring, access windows, and user controls were in place, preventing unauthorized access.
Key Points:
The Wicket ESI controls all north-south connectivity, ensuring robust security.
The LY-DG01 demonstrated precise remote handling despite our limited driving experience.
Takeaways and real-world implications
Drone and other autonomous vehicle manufacturers can and should implement zero trust access principles into their equipment for both trust and safety.
When we began researching this project we found most drone buyers are not typically OT operators and IT managers but rather the end users or equipment procurement. Even through drones connect into IT and OT systems, they're often not be categorized as an IT endpoint or OT asset and therefore fall between the cybersecurity control requirements imposed by both departments. This shows in the cybersecurity literature and measures taken by drone vendors in general.
Installing our Wicket and a 4G router, and connecting the LY-DG01 to Dispel ZTNA was a straightforward process like any other OT asset. From our experience here, retrofitting existing fleets for data streaming, remote maintenance, and operation can be done in short order with minimal lift.
Practical Recommendations for Manufacturers
Adopt Comprehensive Security Controls: Implement a comprehensive security control suite aligned with standards such as NIST 800-53 and IEC 62443. This includes data encryption, access controls, and regular security audits.
Integrate Zero Trust Principles: Ensure that all communication and control channels adhere to zero trust principles. This minimizes the risk of unauthorized access and potential cyber-attacks.
Educate and Train Users: Provide training and resources to end users and procurement teams about the importance of cybersecurity and how to implement best practices in their operations.
Collaborate with Cybersecurity Experts: Work with cybersecurity experts to design and implement robust security measures tailored to the specific needs of autonomous vehicles.
Retrofitting existing fleets for data streaming, remote maintenance, and operation with secure access can be done efficiently. Integrating platforms like the Dispel Zero Trust Engine provides a robust solution to ensure both operational efficiency and cybersecurity. By following these best practices, manufacturers and operators can enhance the safety and reliability of autonomous vehicles in real-world applications.
In the rapidly evolving landscape of autonomous vehicle technology, prioritizing cybersecurity is not just an option—it’s a necessity. Through our demonstration, we hope to inspire industry stakeholders to adopt secure remote access solutions and safeguard their operations against potential threats.
