THE CHALLENGE OF CONNECTED CARS
If a physical device is connected to the internet, it can be targeted with a cyber attack. Thus, with tens of millions of connected cars on the road today – and hundreds of millions expected by 2020 – threats to the safety and privacy of motorists, passengers and bystanders, and to private as well as corporate property, already exist and are set to grow substantially.
While connectivity can be (and already is being) used to make us safer, more productive and entertained while in transit, it creates an attack surface through which to access the vehicle’s delicate Controller Area Network (CAN) bus. Once inside, hackers may be able to send commands to the vehicle from a remote location in order to, inter alia, steal private and corporate data, track individual vehicles or entire fleets and hijack non-safety and safety-critical functions – imagine losing the ability to steer or brake while speeding down a highway!
Looking forward, by 2020, virtually all manufactured vehicles will come with embedded, tethered or smartphone mirroring connectivity. Already in the first quarter of 2016, cars accounted for one-third of all new cellular devices. No longer a pipe dream of futurists, car connectivity has pervaded the automotive industry and recent whitehat hacks of both private cars and commercial vehicles prove the ever-present danger.
Luckily, customer safety and satisfaction are the foremost concerns for automakers. As such, like a baby fresh out of the womb, connected cars will get constant oversight and protection too. Original Equipment Manufacturers (OEMs), Tier 1s, regulatory bodies, insurance companies, technology companies, telecommunications providers and organizations affected by the new attack landscape are all working to strengthen the industry’s cybersecurity posture.
Due to the dynamic and developing threat environment, the stakeholders are taking a multitude of approaches. For example, the aforementioned entities are collaborating both in groups such as the newly formed Auto-ISAC, which recently published a best practices guideline for cyber security on wheels, and amongst themselves to integrate cyber security into the entire vehicle lifecycle – from concept through production, servicing and decommission.
National governments have also taken note of the emerging public safety implications of vehicle connectivity. For example, bills such as the 2015 Spy Car Act, proposed by US Senators Markey and Blumenthal, as well as the Security and Privacy in Your Car Study Act of 2017 demonstrate past focus on vehicle cyber security by US regulators. Most recently in the US, the House of Representatives unanimously passed the SELF DRIVE Act while the US Senate Commerce, Science, and Transportation committee unanimously passed the AV START Act. Both proposed bills would make cyber security a necessary component of any automated driving system.
In the United Kingdom as well, lawmakers have published their Key Principles of Vehicle Cyber Security for Connected and Automated Vehicles, while a recent European Commission proposal would see the EU Cybersecurity Agency (ENISA) create EU-wide certificates, similar to the labels currently used for food safety, for trusted energy, transport and other networks, as well as for new consumer devices such as connected cars. Additionally in the EU, the 15 Europe-based car, van, truck and bus manufacturers of the European Automobile Manufacturers Association published their Principles of Automobile Cyber Security, which provide an overview of the policies they’ve adopted.
Over the past few years, relevant government agencies have also produced reports and guidelines, such as the Cyber Security and Resilience of Smart Cars by ENISA, and the Federal Guidance for Improving Motor Vehicle Cybersecurity, NHTSA and Vehicle Cybersecurity, and Automated Driving Systems (ADS): A Vision for Safety 2.0 by the US NHTSA.