Cybersecurity solutions are all about managing risk. Researchers and the automotive community are engaged in the emerging discussions regarding autonomous cars, CIA investigations into nation-state attacks and black- and white-hat hacks with various consequences.
At the extreme, television pundits speak of potential catastrophes ranging from potential chatter within the Dark Web to real-world examples of hacks such as the 2015 Jeep that left a journalist helpless on the freeway after his engine was killed. At the other end of the spectrum, the engineering community is discussing more likely risks like Denial of Service (DoS) attacks against individuals or fleets where hackers would disable vehicles for ransom payments.
Either way, there are a host of underlying risk topics that aren’t being discussed, and should push the national and international discussions in the coming months and years.
Here is my Top 10 List:
1. How many hacks have happened to date? The quick answer is no one knows. There are certainly multiple “white hat” (a.k.a. non-malicious, research driven) hackers that have made their discoveries known leading to costly software patches for auto makers. There have been only a handful of real-world hacks (such as stolen Jeep Wranglers in 2016) identified to date. In the absence of some central oversight for corporate fleets, monitoring has been left to individual companies and leaders who must balance the costs and value of leadership without documented need or requirement.
2. How long into your vehicle’s lifecycle will it be cyber secure? The vehicle is sold at the dealership, and now it must be maintained by someone. New hacks are always being created and, therein, yesterday’s software becomes more known and more vulnerable. For how long will it be covered? And what constitutes expected coverage? The iPhone4 no longer gets updates.
3. What constitutes worthy of acting? If a hack happens and the cyber-criminal can control your steering wheel, the answer is obvious to everyone: the car must be fixed. But what if the hacker can put down your windows? This isn’t obviously safety-related and may only cause petty crime or inconvenience to the customer, but no widespread cost. So what is the cutoff worthy of acting on a grand scale? Does being able to change a radio station to broadcast a pirate advertisement warrant a fix?
4. How does the car get fixed quickly? Assuming the automaker wants to fix those open windows, all parties want the fix to be instantaneous and nearly free. One imagines software downloads akin to smartphone over-the-air updates. Car companies are moving in this direction, but only one company, Tesla, has this across the vehicle. And no matter who eventually implements re-flash communication technology, there will be places where getting a reliable re-flash won’t be possible due to cellular coverage or interference. No process is 100% reliable, and the OEMs will need a reliable and constantly-updating vehicular monitoring system to manage that risk.
5. What happens if the automotive brand fails? Without discussing product liability, most automotive companies will want to stand behind their product and user experience in order to win the next purchase and, therein, will provide ongoing cybersecurity. But what happens if the automotive company fails and no one is managing your cybersecurity updates?
6. What happens if the cybersecurity company fails? In a similar vein, what if the supplier who has created the algorithms and monitoring of the vehicle fails? What if the startup company that engineered your system no longer supports it? Unfortunately, it is not akin to McAfee or Norton on a laptop – you cannot simply uninstall and reinstall another solution – since there is not unlimited processing power or simple network designs in vehicles.
7. Can you protect yourself? In all likelihood, cybersecurity will never be a selling feature. People don’t want to imagine it, and rather than investigating, they just assume the protection is there or coming soon. But let’s imagine cybersecurity does eventually become a selling feature: it is difficult to measure on an objective, cross-brand statistic akin to horsepower or fuel mileage. So even if you wanted to drive improvement by speaking with your wallet, there won’t be an objective rating on the window sticker.
8. What if you aren’t the weakest link? An attacker always will go after the weakest solution with the largest impact. That might not be your car: you might have bought a cyber-proof beauty based upon that supposed selling feature. But the guy driving next to you on the highway might have a susceptible system and now you and everyone in proximity are at risk. So “secure” might be temporal if there isn’t a common tide that lifts all boats.[TS1]
9. How might privacy laws affect things? Many countries or regions have different laws about collecting Personably Identifiable Information” (PII) to protect the consumer’s privacy, but the risk is that this might hamper cybersecurity. “What vehicle was hacked when and where,” is a question that possibly places the consumer in a location he would consider private, and some countries don’t even allow a portion of that data to be collected, let alone permitting any data to be shipped outside of the country. The risk here is that some governments – rather than enable and/or encourage cybersecurity – create enough obstacles that the cost/benefit analysis causes automakers to do less.
10. What can governments do to enforce cybersecure designs? Unfortunately, the government cannot specify and enforce a specific cybersecurity design for two reasons: Cybersecurity is ever-evolving and likely would outpace the regulations, and any specific requirements would be a blueprint for the hacker. A great example of this is the federally-mandated OnBoard Diagnostics port (OBD-II port), which has been required in vehicles for decades and now appears to be the most vulnerable threat surface. The most any government could do would be to require ongoing vehicle monitoring and protection but, even then, any auditing would need to have minimal deep-diving as to protect against any disclosure of vulnerabilities.
There are many risks throughout the automotive system – some overblown, some undermentioned. Addressing those that truly will impact the customer experience will be the challenge for suppliers, governments and manufacturers.
Steve Tengler has worked within the automotive industry on the connected car for more than a quarter century for some of the top brands in world: Ford, Nissan and OnStar. He now is a Principal at Kugler Maag Inc. He has 30-plus publications to his name, and 50-plus patents.