After EOL, can safety-critical systems be secured when connected to internet-connected components? [Automotive]

NOTE: This was originally asked on the main StackOverflow site, but now moved here because of the security nature of the question.

Since internet-connected infotainment systems are now connected to other components of a car, is it possible to secure safety-critical systems like the brakes after security updates stop?

For most devices the answer is “no”; without security updates a device is assumed to be vulnerable to attacks. But clearly this is not acceptable for safety-critical systems.

The two main approaches seem to be: isolation, and limited communication channels.
However, since infotainment systems are now used to update brake systems and control things like steering sensitivity and putting the car into gear, isolation and limited communication are more difficult.

Background:

There has been at least one successful demonstration of using the infotainment system with internet connectivity to hack into and completely take over steering and braking. To make matters worse, no manufacturer has promised updates for the lifetime of a car, so once they decide the car is no longer “supported” (let’s say 15 years after purchase) then security updates stop.

Although this question could apply to a larger class of IoT devices, this is focused on modern cars, which are now becoming “computers on wheels.”

The problem is easy to illustrate (sorry for the ASCII art) –

       Safety-critical systems at risk

.--------.  .----------.  .--------------.
| Brakes |  | Steering |  | Accelerator  |  . . .
 --------    ----------    --------------
    |             |               |
    |             |               |
 ---------------------------------------------- CAN Network
            |
            |
     .--------------.
     | Infotainment |
      --------------
            |
            |
       .~~~.~~~.~~.
      (  INTERNET  )
       `~~^~~~^~~~`

Even if the internet-connected components (i.e. infotainment systems) are mostly isolated from the rest of the system, presumably the cryptographic algorithms used to verify system updates will become less and less secure over time.

Once the manufacturer decides the car is EOL, it seems the only way to secure the safety-critical part of the car is by simply disconnecting (physically powering off) any communication into the critical systems. That is, physically only allow safety-critical systems to send data. For example, the infotainment display could be limited to communicate to the rest of the car via RS232, and physically disconnect the communication line back to the safety-critical systems.

       Safety-critical systems isolated

.--------.  .----------.  .--------------.
| Brakes |  | Steering |  | Accelerator  |  . . .
 --------    ----------    --------------
    |            |               |
    |            |               |
 ---------------------------------------------- CAN Network
            |                        |
            |                        |
    .---------------.        .------------------------.
    | Status Module |        |     Update Module      |
    |    Tx    Rx   |        |                    Rx  |
     ---------------          ------------------------
          |                                        ^
          |    X  <- Physically disconnected       |
          V    |                                   |
     .--------------.                              |
     |   Rx    Tx   |---|--------------------------
     | Infotainment |   ^
      --------------    X  Physical disconnect switch
            |
            |
       .~~~.~~~.~~.
      (  INTERNET  )
       `~~^~~~^~~~`

But, now that infotainment systems are becoming critical to the operation of the vehicle, such isolation and limited communication are not as easy, and may not even be possible.
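To make the second diagram's policy concrete, here is a small software model of the one-way gateway it sketches, added as an example (this is not code from the question or from any manufacturer). The Status Module is Tx-only on an allow-list of status IDs, the Update Module accepts one ID and only while the physical switch is closed, and every blocked frame is kept for audit; the CAN IDs, frame payloads and the switch abstraction are constructed assumptions.

```python
"""Gateway policy model for the 'Safety-critical systems isolated' diagram.
Added example, not from the question or any manufacturer; IDs and frames are
constructed assumptions."""
from dataclasses import dataclass, field
from enum import Enum

class Side(Enum):
    VEHICLE = "vehicle"            # CAN network: brakes, steering, ...
    INFOTAINMENT = "infotainment"  # internet-connected side

@dataclass(frozen=True)
class Frame:
    src: Side
    can_id: int
    data: bytes

# Assumed IDs: what the Status Module may send outward; what the Update Module hears.
STATUS_IDS = frozenset({0x100, 0x101, 0x102})  # speed, brake pressure, angle
UPDATE_ID = 0x7E0

@dataclass
class OneWayGateway:
    update_switch_closed: bool = False  # the physical switch in the diagram
    dropped: list = field(default_factory=list)  # audit trail of blocked frames

    def forward(self, frame: Frame):
        if frame.src is Side.VEHICLE:
            # Vehicle -> infotainment: allow-listed status frames only.
            if frame.can_id in STATUS_IDS:
                return frame
        elif self.update_switch_closed and frame.can_id == UPDATE_ID:
            # Infotainment -> vehicle exists only while the switch is closed,
            # and then only toward the Update Module.
            return frame
        self.dropped.append(frame)
        return None

def run_scenario(switch_closed: bool) -> dict:
    """Push a constructed mix of frames through the gateway; report what crossed."""
    gw = OneWayGateway(update_switch_closed=switch_closed)
    frames = [
        Frame(Side.VEHICLE, 0x100, b"\x00\x3c"),       # legitimate status
        Frame(Side.INFOTAINMENT, 0x100, b"\x00\x00"),  # spoofed status frame
        Frame(Side.INFOTAINMENT, 0x7E0, b"\x10\x02"),  # update traffic
        Frame(Side.VEHICLE, 0x7E0, b"\x50\x02"),       # wrong direction
    ]
    passed = [f for f in frames if gw.forward(f) is not None]
    return {"passed": [(f.src.value, f.can_id) for f in passed],
            "dropped": len(gw.dropped)}
```

With the switch open only the legitimate status frame crosses; closing it admits update traffic but still rejects the spoofed status frame, which is the property the diagram relies on.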