Car manufacturers will be expected to present detailed plans for avoiding hacking of their self-driving cars under new US Department of Transportation guidelines designed to preserve safety in a sector whose massive momentum is already making it a target for hackers both curious and malicious.
The new Federal Automated Vehicles Policy (FAVP) outline a 15-point safety assessment including data recording and sharing, privacy, system safety, cybersecurity, human-machine interface, and consumer education and training, and more.
Autonomous vehicles, the guidelines state, must apply “appropriate functional safety and cybersecurity best practices” and implement data-security measures “that are commensurate with the harm that would result from loss or unauthorized disclosure of the data”.
Hack prevention measures include the use of a “systems-engineering approach to minimise risks to safety” that includes “systematic and ongoing safety risk assessment,” the guidelines state, highlighting the importance of collaboration between industry members and the role of the Automotive Information Sharing and Analysis Center (Auto-ISAC), to which entities “should report any and all discovered vulnerabilities from field incidents, internal testing, or external security research as soon as possible, regardless of membership.”
The guidelines emphasise the importance of documentation and rapid iteration: “Identification, protection, detection, response, and recovery functions,” they state, “should be used to enable risk management decisions, address risks and threats, and enable quick response to and learning from cybersecurity events.... the entire process of information cybersecurity considerations should be fully documented and all actions, changes, design choices, analyses, associated testing and data should be traceable within a robust document version control environment.”
Enthusiasm about self-driving cars has grown in Australia as elsewhere, with high-profile Telstra CTO Hugh Bradlow recently predicting that all cars on Australian roads will be driverless by 2030.
The explicit discussion of cybersecurity issues in the FAVP reflects a growing general recognition in the boardroom that security issues must be addressed from the beginning of development and not at the end, says Dane Meah, CEO of security specialist InfoTrust.
“Historically security was added to networks but now you're seeing much more focus through dedicated risk and compliance managers who are looking towards having a defined set of policies and processes to prevent cyber attacks,” he told CSO Australia.
Researchers have already scoped out a range of possible attacks on increasingly automated cars in recent years, with surreptitious video recording of drivers, remote adjustment of in-vehicle systems, disabling the brakes, and more.
It's not hard, Meah said, to imagine a ransomware attack on cars that could threaten to run a car off the road if money isn't paid within a certain amount of time. “Autonomous vehicles are a massive risk from a cybersecurity perspective,” he explained. “In-car ransomware may sound extreme, but let's not forget the types of organisations that are behind a lot of cybercrimes – organised criminals, nation states, and individuals..”
Although regulators have been moving proactively to encourage collaboration between autonomous vehicle makers and security specialists, as well as the road authorities building and maintaining roads that will increasingly be loaded with sensors to support autonomous vehicles.
“I would be looking towards the car manufacturers to show some maturity in terms of protecting engines within the road network,” Meah said, highlighting the conflict between efforts to build open road-control networks and the need to prevent hackers from exploiting this openness for nefarious purposes.
Cybersecurity concerns have seen a raft of investments from startups rushing to secure in-car systems. Volkswagen, for example, this month established a new cybersecurity firm focused on protecting in-car electronic control units (ECUs) while startup Karamba Security was an early entrant into the race to harden all cars against attack through exploitation of their internal control systems.
The FAVP guidelines are a welcome step in an effort that must include the entire industry, Karamba Security chairman and co-founder David Barzilai said in a statement after the new guidelines were released.
“The leading car companies and Tier-1 providers have already started to create internal methods for hardening cars against attackers,” he said. “Yet, they have been experiencing a gap between common enterprise cybersecurity methodologies that protect against data loss and in-car security that protects against fatalities and damages.”
“It's not a simple task, but it is absolutely critical, as preventing the attack is even more important than detecting the attack. The industry must stop hackers before they ever succeed to penetrate into cars due to the sheer scale of fatalities and property damage that could result from cyberattacks on cars.”