SoylentNews is people
SoylentNews
from the but-what-if-secure-means-rot-13 dept.
I must have banged my head and woken up in an alternate universe as something apparently reasonable seems to have emerged from inside the British government. It has issued a guidance on cyber security for "intelligent" vehicles:
[...]
Smart vehicles are increasingly becoming the norm on British roads – allowing drivers to access maps, travel information and new digital radio services from the driving seat.But while smart cars and vans offer new services for drivers, it is feared would-be hackers could target them to access personal data, steal cars that use keyless entry, or even take control of technology for malicious reasons.
Now new government guidance will ensure engineers developing smart vehicles will have to toughen up cyber protections and help design out hacking. The government is also looking at a broader programme of work announced in this year's Queen's speech under the landmark Autonomous and Electric Vehicles Bill that aims to create a new framework for self-driving vehicle insurance.
[...]
The guidance contains eight key principles:
- Organisational security is owned, governed and promoted at board level
- Security risks are assessed and managed appropriately and proportionately, including those specific to the supply chain
- Organisations need product aftercare and incident response to ensure systems are secure over their lifetime
- All organisations, including sub-contractors, suppliers and potential 3rd parties, work together to enhance the security of the system
- Systems are designed using a defence-in-depth approach
- The security of all software is managed throughout its lifetime
- The storage and transmission of data is secure and can be controlled
- The system is designed to be resilient to attacks and respond appropriately when its defences or sensors fail
Each principle is fleshed out in slightly more detail and they also point out that the list is not intended to be exhaustive.
Now, dear Soylentils, what would you add to the list to come closer to completeness?
(Score: 2) by kaszz on Thursday August 10 2017, @06:33AM (2 children)
Microsoft products shouldn't be relied on in a hospital or any mission critical setting. That is where the mistake was done from the beginning.
(Score: 2) by cafebabe on Thursday August 10 2017, @09:04AM (1 child)
We've got a situation where hospitals, emergency services, the nuclear power industry, military and governments all claim that they're buying best-of-breed commodity components from reputable suppliers. (And by reputable, we means such fine, upstanding corporations such as Microsoft, Cisco, Oracle and Google.) When this monoculture fails, for example, through virulant malware, people are surprised, like it was an act-of-god or something. For example, Michael "Offensive Cyber [soylentnews.org]" Fallon said [www.gov.uk]:-
I don't know who he's been talking to but he's a complete idiot if he thinking that applying 100% of available patches to 100% of computers contributes to a mythically secure computer network. There should be ample evidence that it is a really bad idea to use the same commodity hardware as bedroom hackers, oblivious idiots and stingy businessmen. But, hey, if it doesn't work, do more of it.
1702845791×2
(Score: 2) by kaszz on Thursday August 10 2017, @06:27PM
Since Michael is the Defence Secretary, it means he's government and we all know how well politician knows actual facts. So either the Prime Minister hires someone that knows their stuff or have some adviser associated with the Secretary. Why this won't happen is likely the answer as to why they won't have security.
Another angle is that people that know their stuff may not get into a position that makes a difference or don't want to deal with the political environment. Which also gives some answers as to why security can't be had. If the political environment and technically skilled persons are like oil and water that will be a problem.
Any ideas?