TROY, MI – A day will come in the very near future, cybersecurity experts warn, when locking the car doors will not be enough to keep the bad guys out.
“It’s only a matter of time before hackers figure out how to access our cars,” says Lisa McCauley, vice president and general manager-Cyber Innovations at Battelle, a non-profit R&D organization focused on industrial cybersecurity and connected-vehicle technology.
McCauley’s alert comes after joining executives from the Alliance of Automobile Manufacturers, the Association of Global Automakers and parts-making giant Delphi to announce plans today to form a voluntary information-sharing and analysis center for the industry to target the threat of hackers as vehicles begin connecting to the Internet and communicating with other cars and trucks sharing the transportation infrastructure.
With 100 million lines of code in the average vehicle today, the appeal to hackers is great. But unlike an Internet mashed together 30 years ago without thought to potential security risks, the connected vehicle starts from an almost clean slate and offers the opportunity to design robust defenses under standards the industry can agree upon worldwide.
A hub for collecting, sharing and disseminating information will be vital to drawing a vehicle-cybersecurity road map, the executives say.
“We are taking this action to prepare for unforeseeable events,” says Mike Cammisa, director-Safety at the AGA, which together with the AAM will implement the industry initiative, known as Auto-ISAC.
Auto-ISAC will bring together nearly 25 automaker members with other industry and government stakeholders on the issue, beginning with a cyber-policy technical group to lay the groundwork for broader collaboration.
Cammisa says financial commitments to Auto-ISAC are not specific at this time.
Andrew Brown Jr., vice president and chief technologist at Delphi, says while no reports of cybersecurity events against vehicles exist today, the advent of the smartphone connection inside cars and the government-led push to make vehicles safer and cleaner by getting them to communicate with each other via designated short-range communication could open the door.
Brown also notes 60% of all new vehicles by 2017 will be connected to the Internet. General Motors, for example, begins rolling out 4G LTE wireless Internet connectivity to most ’1- model cars and trucks this summer. Some other luxury OEMs already offer Wi-Fi hotspots in their products.
“People will want to do harm,” Brown says, acknowledging that oftentimes hackers are driven by publicity for their exploits and not by potential financial gains.
However, vehicles have been hacked. A pair of researchers demonstrated last year how they could access the electronics of a ’10 Toyota Prius and ’10 Ford Escape. They disassembled much of the dashboard to access the vehicles’ networks, according to reports. That’s a major hurdle for the everyday hacker, Brown says.
“If you can get that sort of access, anyone can break in,” Brown adds. “But without it, it is very difficult.”
Brown says so far the industry has built strong defenses against hackers hoping to disable critical vehicle-safety systems. But the rapid adoption of connected technologies presents a new challenge.
“We have to understand what the risk factors are,” he tells WardsAuto during a media event on the supplier’s campus to launch Auto-ISAC. “What are the potential vulnerabilities we might have?
“The industry is trying to be proactive and anticipate what those threats might be and put in mitigation factors in our designs and protocols so we don’t have to wait for an event to have a cause to action,” he says.
Brown envisions a company such as Delphi creating a “blanket” of protection for a vehicle, but also designing security to a standard where the parts and components it supplies to its customers could marry up with others in the vehicle system without trouble.
“That’s why the ISAC is so important,” he says. “We can’t have different protocols and standards. We can’t tolerate those sorts of things.”
Battelle already has begun working on hacker defenses, although Karl Heimer, director-Center for Advanced Vehicle Environments at Battelle, admits few qualified cybersecurity engineers work in the automotive space, so his organization has started a mentor program.
Battelle also plans work soon on determining how a hacker might try to break into a vehicle, as well as an examination of existing vehicle hardware and software, connections between cars and the Internet and each other, and how a vehicle might respond to hacking.
The formation of Auto-ISAC also comes on the day President Obama visits the U.S. Department of Transportation’s Turner-Fairbank Highway Research Center in McLean, VA, where after a tour he says connected-vehicle technology will save lives and taxpayer dollars.
“That’s why America has to invest more in the kind of job-creating research and development (done) at the Highway Research Center,” Obama says, according to a transcript of his speech there.
