This article was written by David Kernohan, CAV Commercial Manager at Millbrook, partners of the BeARCAT project and Cyber Feasibility Studies. 

On Wednesday 13 May, we presented the results of the Baselining, Automation and Response for CAV Testbed Cyber Security, BeARCAT. This was a three-month feasibility study on security testing connected vehicles and roadway communications infrastructure, funded by the UK Government’s Centre for Connected and Autonomous Vehicles (CCAV), delivered by Innovate UK with support from Zenzic.

Zenzic’s UK Connected and Automated Mobility Roadmap to 2030 concluded that cyber security was by far its largest “Golden Thread” with over 249 related milestones and proposed a Cyber Security Centre of Excellence (CSC) to support the vehicle approvals process from 2024. BeARCAT provided three project deliverables that investigated requirements: the cyber security challenges of Connected and Autonomous Vehicles (CAVs); the operation of physical and virtual security test facilities; and the business case for CAV and communications testing.

The study looked at the feasibility of a cyber test facility and, as operators of an automotive test facility over the past 50 years, Millbrook was welcomed into the consortium. From our perspective, a Cyber Test Facility could represent a logical extension to our existing cellular and roadside communications network. This covers the majority of our 70km of tracks, providing the Government’s 5G transport testbed, as well as a key component of CAM Testbed UK.

I was particularly pleased to be involved as I have a long standing interest in this area, having worked on its fringes for many years. Prior to joining Millbrook, I spent over 30 years in the military, latterly specialising in high technology areas such as unmanned air systems and electronic countermeasures. I saw the consequences of successful electronic attacks, whether intentional or not! When I left the Army, I considered doing a Master’s degree in cyber security and visited Warwick University to discuss the options. Little did I know that several years later, I would be working alongside the same department.

The BeARCAT consortium is a collection of expertise and knowledge from across the UK. It was fascinating to work with the leaders in this new, cutting-edge field. The consortium is led by Cisco, a world-leader in cybersecurity with advanced threat detection, response and mitigation capabilities. Alongside Cisco were top experts from Telefonica’s Technology Strategy Team who helped to define policies on ‘Security by Design’ and identified possible cyber security vulnerabilities for CAVs. The team also helped to define models classifying cyber risks for road network communications. Warwick Manufacturing Group (WMG) applied its expertise in communication, autonomy, cybersecurity and threat detection, by testing infrastructure and data sharing techniques. These were used to develop a framework for cyber security testing of CAV communications in a testbed environment.

The instigation of the COVID-19 lockdown presented some challenges. Whilst I personally find it easier to focus on thinking and writing papers whilst in the relative quiet of home, COVID precautions saw BeARCAT team members working from home in many diverse situations and locations. The 12-week timeline therefore became particularly challenging, with many hours of input, as we collaborated remotely from locations as far away as China to develop a cohesive paper.

Our final report covered all areas required for a UK cyber test facility. Our technical partners analysed the threats and produced a testing framework, based on existing international standards and conventions. This framework includes a reference architecture, security threat modelling and risk assessments, security knowledge and testing procedures. Practical security testing covers CAVs, mobile communications infrastructure and C-V2X, and cloud services. This will be used for certification of vehicle security which is likely to be embraced by vehicle manufacturers around ISO SAE 21434, a superset of the UNECE Cyber Security Management System (CSMS) proposal.

However, the technical component of cyber testing needs to be supported by testing infrastructure and a viable business plan. This is where Millbrook was able to add value. A cyber test facility will require physical infrastructure and engineers to support it, as well as people to keep it running. There are also many procedures that need to be considered to maintain confidentiality, manage risk and support customers.

Following a market research study by WMG at The University of Warwick, Millbrook put forward a business model identifying the target audience and offers that could be made to each customer segment, as well as a proposed pricing structure. There are extensive overheads in running a testing facility and, considering that this is an emerging sector, we concluded that test facilities are best located within existing organisations such as those within CAM Testbed UK, thereby expanding its capability and building on existing Government investment.

For me, the BeARCAT cyber feasibility study was a fascinating excursion from my usual role and I look forward to the next steps in addressing this Zenzic Golden Thread.

You can find out more information about the Cyber Feasibility Projects and download the report here.