A couple of months ago a national government issued its first public statement on autonomous, or driverless, cars. The 15-point safety standard issued by the Obama Administration in the United States attempted to strike a balance between public safety and the commercial interests of tech companies like Tesla and Google, which are eager to reap the gains of digital transformations on the road. But details were a little thin on an issue critical to both the commercial and public interest: a concrete approach to vehicular cyber sabotage.
Keeping up with the cyber threat landscape is one of the greatest challenges to cybersecurity today. New threats and vulnerabilities emerge on a daily basis, and, like many sectors, the auto industry has been slow to develop the necessary security mechanisms for greater resilience. For example, after a pair of security researchers hacked into a Chevy Impala in 2009, it took General Motors five years to develop a counter-measure for the exploit code.
The pace of change is quickening. Car companies are now plugged into cyber threats and are hardening cars against cyber sabotage, from data loss to safety-critical situations. They are also working in association with regulators to develop standards that help detect and prevent attacks. The 15-point safety standard even includes pre-market approval of driverless cars and regulation of post-sale software updates. Although a bit slow, we do commend this move, which makes the Department of Transportation a world leader in the nascent area of Internet of Things device development.
This attention to software and safety systems is critical. Just as personally identifiable information should be compartmented and firewalled, so should the software in a car. In 2015, for example, a pair of security researchers upended the transmission of a 2014 Jeep Cherokee and took control of the car’s accelerator. Just a month later, a Corvette’s brakes were disabled by a team of researchers using a standard insurance dongle, and earlier this year, the alarm on a Mitsubishi Outlander was disabled and its doors opened.
More recently, researchers exposed vulnerabilities in 24 cars across 19 manufacturers using a radio amplifier to trick the keyless sensor into opening the vehicle. All of these breaches occurred remotely through compromised software, pushing the industry to pay greater attention to software security, encryption and development.
While automakers are making strides, they risk applying to their cars the same fragmented approach to cyber security that we see in their IT systems. Many businesses protect their data incrementally, patching gaps with a firewall here or access control there. In addition, one would like to see ongoing and detailed requirements behind each and every one of the 15 points of the safety standard that would hold manufacturers to account.
The more hi-tech a car is, the greater the number of possible endpoint vulnerabilities. True cyber security must be built into every device from the very beginning, ensuring that the hardware has been hardened against attack, and guaranteeing that the software in the command centre of every car has been tested rigorously.
The time to strengthen these procedures and shore up the cyber defences is now. By 2020, 25 percent of all cars shipped will support different levels of autonomy, and that proportion will climb to 44 percent by 2025, according to Navigant Research. Automaker Ford hopes to have fully autonomous vehicles on the road by 2021. It is also time to reach out to global regulators and include their input, as the auto business is an international one.
An absence of the necessary skillset within the auto manufacturer is no excuse for failing to deliver on cyber security requirements. For companies without hacking expertise or the resources to perform constant, iterative testing, external contractors can deliver some of the world’s best cyber defence knowledge at less expense to the business.