Auto makers have long relied on security by obscurity to get away with not defining or adhering to proper cyber security hygiene. This rationalization had been embraced in the context of low levels of automotive hacking mainly carried out by enthusiasts or so-called “white hat” or ethical hackers.
A new report from Strategy Analytics, highlighting the contributions of Argus Cyber Security, identifies the growing array of standards and regulations governing automotive security. The report points out that auto makers must confront and take responsibility for the vulnerability of their vehicles especially in the context of evolving autonomous vehicle tech.
– Argus Helps Answer the Call for Automotive Cyber security Regulation
In fact, the recent passage, and signing by President Trump, of the Cybersecurity and Infrastructure Security Agency Act of 2018, has established the Cybersecurity and Infrastructure Security Agency within the Department of Homeland Security. The Act and the Department recognize 16 critical infrastructure sectors, one of which is “Transportation Systems.”
While the focus of the Act is infrastructure, it is the belief of cyber security professionals that it is only a matter of time before the onset of autonomous vehicles triggers the identification of connected vehicles as part of this critical infrastructure. This perspective was voiced just this week at the Security Summit held at the L.A. Auto Show. Bryson Bort, CEO and founder of Scythe, in particular, emphasized this point.
Bort’s concerns were echoed at the Summit by John Gomez, CEO of Sensato, who focused on ransomware as the most immediate automotive cyber security concern. Gomez identified three types of threat actors: cyber criminals, cyber spies and cyber terrorists, motivated by profit, intelligence, and ideology, respectively. Other speakers noted ongoing concerns with privacy and data ownership (Lauren Smith, Future of Privacy Forum) and the vulnerability of app-based car-sharing programs (Mikhail Savushkin, Kaspersky Lab).
Automotive cyber security was long ignored because it had no constituency or business model. Consumers weren’t looking for “secure” cars and car makers weren’t required to make secure cars. That is rapidly changing – especially with the onset of new laws and regulations around the world.
Before these new laws and regulations, though, there was the famous “Jeep hack” of 2015. This hack, pulled off by Charlie Miller and Chris Valasek, embodied all of the shortcomings of the prevailing cyber security ignorance in the automotive industry at the time.
Miller and Valasek identified a vulnerability in certain Jeep models from FCA. They likely notified FCA of the problem and were likely disappointed in FCA’s response, so they created a video demonstrating the potentially horrendous implications of the vulnerability: remote control of certain vulnerable Jeeps.
FCA suffered a massive public relations blow along with absorbing the nine-figure cost of recalling millions of vehicles to correct the security flaw. Finally, the entire industry got the message. (Miller and Valasek now work directly for General Motors after briefly working at Uber.)
The lessons learned:
- Hackers can be helpful and must not be ignored
- Car makers cannot rely on hackers to identify and fix vulnerabilities
- Fixing vulnerabilities in the field is expensive (and embarrassing)
- Connectivity is essential to identifying, preventing and correcting cyber security vulnerabilities
- Cyber security must be addressed throughout vehicle design and system integration
The automotive industry is not out of the cyber security woods. The good news is that General Motors has seen fit to elevate cyber security to a Board-level responsibility – a model for other car companies to emulate.
Will there be more automotive hacks? No doubt. Do we have time to prepare for the day when cars are designated critical infrastructure? Yes. Will cars ever be certifiably secure? No.