The connected- and autonomous-car industries are in their infancy and so is the movement to regulate them – but both are growing by leaps and bounds. According to estimates, there will be tens, or even hundreds, of millions of connected and autonomous vehicles on the road by the end of the next decade.
That’s a fat target for regulators whose job it is to keep people safe, and they are hard at work drawing up rules that connected and autonomous vehicles will be expected to adhere to. Even though autonomous vehicles are still some years away, legislators already are taking action.
For example, the proposed Self-Drive Act, a bill pending before the U.S. House and Senate, will require “written cybersecurity and privacy plans for (autonomous) vehicles prior to offering them for sale.” Proposals in the European Union and by the United Nations make similar declarations.
This could be a tall order, considering that autonomous-vehicle technologies also are connected, which makes them eminently hackable.
The catalog of threats to connected and autonomous vehicles is growing. There was the 2015 Jeep hack; instructions are freely available on how to remotely hack a connected vehicle’s tire-pressure monitoring system, infotainment system, USB, Bluetooth connection and much more; and a study by antivirus firm Kaspersky shows many of the apps used in connected vehicles also are vulnerable to attacks.
With those kinds of odds, manufacturers and suppliers will have to come up with a solid battle plan to prove to regulators that they can keep drivers and passengers safe. Indeed, to do that, the Alliance of Automobile Manufacturers, a consortium of 12 manufacturers comprising BMW, Fiat Chrysler, Ford, General Motors, Jaguar Land Rover, Mazda, Mercedes-Benz, Mitsubishi, Porsche, Toyota, Volkswagen and Volvo, has developed a Framework for Automotive Cybersecurity Best Practices.
The Framework provides general principles that manufacturers promise to follow in order to ensure security, including designing security into the vehicle; using risk assessment and management to discover and remediate new threats; collaborating with third parties to ensure best practices are adhered to throughout the industry, and developing an incident response and recovery plan.
However, it describes what the “response” to a cyber-incident will be, which entails best practices that “address incident response plans that may include processes to activate response teams, notify an internal chain-of-command, and trigger response activities to assess and counter cyberattacks.”
But regulators likely will be looking for more, such as how to prevent attacks in the first place. The U.S. Self-Drive Act states: “A manufacturer may not sell…any highly automated vehicle…unless such manufacturer has developed…intrusion detection and prevention systems that safeguard key controls, systems and procedures.”
Similarly, the United Nations Economic Commission for Europe suggests in its World Forum for Harmonization of Vehicle Regulations: “The connection and communication of connected vehicles…shall be designed to avoid fraudulent manipulation to the software…as well as fraudulent access of the board information caused by cyberattacks.”
An innovative approach to cybersecurity, and one that is more likely to convince regulators that occupants of autonomous vehicles will remain safe, entails not just keeping hackers out but also doing something about them once they are in the system.
Technology that can examine behavioral anomalies and search for the source of those anomalies – which could be caused by malware – can effectively detect cyberattacks and address regulators’ directive for vehicle intrusion detection.
For example, a hacker’s attempt to install malware into a vehicle’s ECU to try to take control of one of the vehicle’s systems would be noticeable to a security system that evaluates anomalies. Whether a vehicle is in motion, waiting at a red light or reversing, there are specific things that should be happening in the vehicle’s ECUs.
An intelligent security system will be able to match ECU activity with the profile of what the vehicle is supposed to be doing at any particular time. Activity not in line with that profile automatically would be labeled as suspicious, causing the system to alert a security operation center and take action.
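The profile matching described above can be sketched as follows. This is an added example, not code from the article or from any vendor; the driving states, ECU names, activity names and rate limits are all constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed profile: for each driving state, the ECU activities that are
# expected and the most times each may occur within WINDOW seconds.
WINDOW = 1.0
PROFILE = {
    "in_motion": {("engine", "torque_request"): 100, ("brake", "pressure_report"): 50,
                  ("steering", "angle_report"): 100},
    "stopped":   {("engine", "idle_report"): 10, ("brake", "pressure_report"): 50},
    "reversing": {("engine", "torque_request"): 100, ("brake", "pressure_report"): 50,
                  ("camera", "rear_view_stream"): 30},
}

@dataclass(frozen=True)
class Event:
    ts: float        # seconds since start of trace
    state: str       # what the vehicle is doing when the activity occurs
    ecu: str
    activity: str

class ProfileMonitor:
    def __init__(self, profile=PROFILE, window=WINDOW):
        self.profile, self.window = profile, window
        self.recent = defaultdict(deque)  # (state, ecu, activity) -> timestamps

    def check(self, ev):
        """Return a reason string if the event deviates from the profile, else None."""
        allowed = self.profile.get(ev.state)
        if allowed is None:
            return f"unknown vehicle state {ev.state!r}"
        limit = allowed.get((ev.ecu, ev.activity))
        if limit is None:
            return f"{ev.ecu}/{ev.activity} not expected while {ev.state}"
        seen = self.recent[(ev.state, ev.ecu, ev.activity)]
        seen.append(ev.ts)
        while seen and ev.ts - seen[0] >= self.window:  # drop events outside window
            seen.popleft()
        if len(seen) > limit:
            return f"{ev.ecu}/{ev.activity} rate {len(seen)} exceeds {limit} while {ev.state}"
        return None

def scan(events, monitor=None):
    """Return (event, reason) pairs that would be sent to the security operation center."""
    monitor = monitor or ProfileMonitor()
    return [(ev, why) for ev in events if (why := monitor.check(ev))]

SAMPLE = [  # constructed trace: a write to the steering ECU while waiting at a light
    Event(0.00, "stopped", "engine", "idle_report"),
    Event(0.10, "stopped", "brake", "pressure_report"),
    Event(0.20, "stopped", "steering", "firmware_write"),
    Event(0.30, "in_motion", "engine", "torque_request"),
]
```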
Thus, the vehicle is rendered more secure regardless of the breaches made by hackers. With a system like this, regulators – as well as manufacturers, passengers and drivers – can rest easy knowing no matter what tricks hackers come up with, the “good guys” are going to be one step ahead.
Yossi Vardi is CEO of SafeRide Technologies.