Imagine you are driving down the highway in your Jeep Grand Cherokee when suddenly the transmission goes out, the brakes slam on, the radio changes stations and the air conditioner starts blasting cold air on max.
This confluence of events is not just a freak coincidence; hackers now control the two tons of steel that were previously your car. As customers are demanding vehicles with all the features of a smartphone and the ability to keep connected wherever they may drive, companies such as Fiat Chrysler must realize that in addition to being an automobile manufacturer, they also now are a technology company.
To avoid missing a vulnerability of this magnitude, auto manufacturers must implement controls that ensure the information security and cybersecurity of the components and vehicles they produce. ISO/IEC 27001, a globally recognized voluntary standard, provides the framework and the controls an organization needs to build and run an information-security-management system.
As automobiles are becoming more and more connected to the internet of things, major vulnerabilities and safety issues are becoming apparent.
In 2015, hackers Charlie Miller and Chris Valasek were able to remotely gain control of a 2014 Jeep Grand Cherokee by learning the vehicle’s IP address and using a “zero-day” exploit. The hackers used the vehicle’s entertainment system to send commands to other controls such as the transmission, brakes and, in some cases, steering. They also were able to track the location and speed of the vehicle via GPS.
The hackers gained access to the vehicle through Uconnect, an onboard computer that is in numerous Fiat Chrysler models.
Through this Uconnect module, the hackers were able to rewrite the firmware code, allowing them to send instructions and commands through the car’s internal network and control crucial driving elements such as the brakes, transmission and steering. As a result of this revelation, Fiat Chrysler sent a USB stick with a firmware patch to all owners, a distribution method that itself gives a malicious actor ample opportunity to intercept the update and insert bad code into the “patch.”
To ensure the safety of the public and the quality of their products, auto manufacturers must start thinking like technology companies.
This means they should elevate cybersecurity awareness and risk mitigation within their organizations, perform penetration testing of their products and work closely with major suppliers to provide the training and independent assessments needed to protect product quality and integrity. They should consider hiring ethical hackers who look at these products through a different lens, are trained to think like a malicious attacker and use an exhaustive set of tools to imitate that mindset.
Auto manufacturers also need to look at their entire organizations, including all of their people, processes and technologies, to ensure all potential weaknesses are assessed and addressed from the design phase through every step until the vehicle rolls off the assembly line, ultimately reaching the goal of organizational resilience.
As automobiles become ever more dependent on computers, wireless internet and artificial intelligence, and as self-driving cars hit the streets in increasing numbers, the security of a car’s computers will become even more important. Conforming to industry best practices and standards such as ISO/IEC 27001 is a step in the right direction for auto manufacturers to help ensure the security of the product and the safety of the public.
Rob Brown is Global Automotive Champion and John DiMaria is Information Security and Business Continuity Champion at BSI Group.