The automotive cybersecurity forum put on by the National Highway Traffic Safety Administration (NHTSA) yesterday in Washington, DC, surfaced a wide range of issues and conflicts at the heart of the connected car industry. One clear takeaway from the event was that cars will never be secure.
Acceptance of this proposition alone will be a major step forward for the automotive industry, which has begun to tackle the problem by setting up an ISAC (Information Sharing and Analysis Center) in collaboration with the Alliance of Automobile Manufacturers, GlobalAutomakers, SAE and Booz Allen Hamilton. This new ISAC faces some stiff challenges in an industry consisting of committed competitors and limned by anti-trust regulations.
Car makers and Tier 1 suppliers participated on multiple panels at yesterday’s event and chose their words carefully in the face of multiple calls for greater industry transparency and cooperation. The impression created was one of an industry facing simultaneous cyber and regulatory attacks in the midst of a transition to widespread connectivity.
Points of contention on the various panels included:
Just to be clear, the panelists may have debated and disagreed regarding some of these issues, but the reality was clear:
Representatives of the Food and Drug Administration and the Federal Trade Commission were on hand to share their perspectives on a problem with which they have already come to grips. The FDA must approve thousands of medical devices with the same life-threatening potential as automobiles. The message from the FDA was to focus on policies and procedures rather than seeking to become too prescriptive.
The goal, in the words of the FDA representative, is to “surf the new technologies” rather than face being “dashed against the rocks” with an overly specific or rigid compliance program. “We don’t tell (applicants) how to achieve security,” he said. “We expect them to have their own risk models.”
The FTC representative advised, among other things:
But the most powerful message was: Prepare for failure. Cars will never be secure.
The advice for auto makers was stark. Systems will be compromised. Product and system designers must work to minimize intrusion. Security by obscurity is a part of this, but more must be done.
System designers must think about how intrusions will be detected and have a response plan in place. Whether it is a network shutdown or “safe” or “limp home” mode, engineers must have a plan. Last year Chinese car maker BYD saw fit to shut down its entire telematics system following a breach. In some circumstances, such a response may be necessary to isolate the intrusion.
Finally, electric car maker Tesla Motors was notable by its absence on the stage throughout the event. Given Tesla's role as a promoter of vehicle security and software updates, a casual observer might have expected the company to assert a leading voice at an automotive cybersecurity confab.
The reality is that Tesla remains somewhat on the outside of the industry in part because it is neither a member of the Alliance of Automobile Manufacturers nor GlobalAutomakers. This may be why Tesla has not signed the Memorandum of Understanding in support of the Right to Repair law passed in Massachusetts. Sources say Tesla is complying with existing laws in the U.S., Europe and China.
There is consensus within the automotive industry that there is a problem. Addressing the problem will require cooperation between car makers and likely some assistance from Federal regulators. Individual car makers are, not surprisingly, at different points of the spectrum as to the severity of the security problem and the urgency of their response.
A final note: There was little or no mention at the NHTSA event of vehicle-to-vehicle communication to be achieved using 802.11p technology. Some expect this to be yet another source of cybersecurity vulnerability soon to be mandated by the U.S. DOT. The broad range of issues related to implementing 802.11p V2V technology was not discussed.