“Pay a ransom or we crash your car”? Hacks a concern as self-driving cars gain traction

New US autonomous vehicle guidelines position cybersecurity as a critical part of car safety

Car manufacturers will be expected to present detailed plans for avoiding hacking of their self-driving cars under new US Department of Transportation guidelines designed to preserve safety in a sector whose massive momentum is already making it a target for hackers both curious and malicious.

The new Federal Automated Vehicles Policy (FAVP) outlines a 15-point safety assessment covering data recording and sharing, privacy, system safety, cybersecurity, human-machine interface, consumer education and training, and more.

Autonomous vehicles, the guidelines state, must apply “appropriate functional safety and cybersecurity best practices” and implement data-security measures “that are commensurate with the harm that would result from loss or unauthorized disclosure of the data”.

Hack prevention measures include the use of a “systems-engineering approach to minimise risks to safety” that includes “systematic and ongoing safety risk assessment,” the guidelines state, highlighting the importance of collaboration between industry members and the role of the Automotive Information Sharing and Analysis Center (Auto-ISAC), to which entities “should report any and all discovered vulnerabilities from field incidents, internal testing, or external security research as soon as possible, regardless of membership.”

The guidelines emphasise the importance of documentation and rapid iteration: “Identification, protection, detection, response, and recovery functions,” they state, “should be used to enable risk management decisions, address risks and threats, and enable quick response to and learning from cybersecurity events ... the entire process of information cybersecurity considerations should be fully documented and all actions, changes, design choices, analyses, associated testing and data should be traceable within a robust document version control environment.”

Enthusiasm about self-driving cars has grown in Australia as elsewhere, with high-profile Telstra CTO Hugh Bradlow recently predicting that all cars on Australian roads will be driverless by 2030.

The explicit discussion of cybersecurity issues in the FAVP reflects a growing general recognition in the boardroom that security issues must be addressed from the beginning of development and not at the end, says Dane Meah, CEO of security specialist InfoTrust.

“Historically security was added to networks but now you're seeing much more focus through dedicated risk and compliance managers who are looking towards having a defined set of policies and processes to prevent cyber attacks,” he told CSO Australia.

Researchers have already scoped out a range of possible attacks on increasingly automated cars in recent years, including surreptitious video recording of drivers, remote adjustment of in-vehicle systems, disabling the brakes, and more.

It's not hard, Meah said, to imagine a ransomware attack on cars that could threaten to run a car off the road if money isn't paid within a certain amount of time. “Autonomous vehicles are a massive risk from a cybersecurity perspective,” he explained. “In-car ransomware may sound extreme, but let's not forget the types of organisations that are behind a lot of cybercrimes – organised criminals, nation states, and individuals.”

Regulators have been moving proactively to encourage collaboration between autonomous vehicle makers and security specialists, as well as with the road authorities building and maintaining roads that will increasingly be loaded with sensors to support autonomous vehicles.

“I would be looking towards the car manufacturers to show some maturity in terms of protecting engines within the road network,” Meah said, highlighting the conflict between efforts to build open road-control networks and the need to prevent hackers from exploiting this openness for nefarious purposes.

Cybersecurity concerns have seen a raft of investments from startups rushing to secure in-car systems. Volkswagen, for example, this month established a new cybersecurity firm focused on protecting in-car electronic control units (ECUs) while startup Karamba Security was an early entrant into the race to harden all cars against attack through exploitation of their internal control systems.

The FAVP guidelines are a welcome step in an effort that must include the entire industry, Karamba Security chairman and co-founder David Barzilai said in a statement after the new guidelines were released.

“The leading car companies and Tier-1 providers have already started to create internal methods for hardening cars against attackers,” he said. “Yet, they have been experiencing a gap between common enterprise cybersecurity methodologies that protect against data loss and in-car security that protects against fatalities and damages.”

“It's not a simple task, but it is absolutely critical, as preventing the attack is even more important than detecting the attack. The industry must stop hackers before they ever succeed in penetrating cars, due to the sheer scale of fatalities and property damage that could result from cyberattacks on cars.”

Stories by David Braue