Flexibility helps industry to push the envelope in cyber security
Autonomous driving technology has come on leaps and bounds since mainstream testing began nearly a decade ago. At the same time, in-vehicle connectivity has become a crucial element of new vehicles; you’d be hard pushed to find a new model without Bluetooth, for example. Cyber security, on the other hand, has seemingly lagged behind in the sense that little more than a sheet of best practices has been offered.
Regardless, ensuring that autonomous and highly connected vehicles operate without fault is the chief concern for those invested in connected and autonomous vehicles. Not only will it help to avoid bad press, something various automakers have already found out through research-led hacks, but it will also help to avoid more sinister results from a malicious attack. The onus is on robust cyber security measures to prevent defences from being breached, but some consumers may already be in peril.
“We see many attack points within the connected car ecosystem, and there are numerous ways for vulnerabilities to be exposed. Hackers are already going after these areas,” said Tom Tasky, Director, Smart Vehicle at FEV during a recent Automotive World webinar. “This is why cyber security needs to be addressed now, regardless of what the standards are, and without waiting for standards to be published.”
FEV is closely involved in this area, and has been performing risk assessments of vulnerable surfaces – Bluetooth, Wi-Fi, cellular communications and on-board diagnostics (OBD) ports – to understand the likelihood of an attack on the system, and any potential after-effects. This, said Tasky, allows high-risk areas to be prioritised, with less pressing areas to be tackled later on.
Part of the freedom to pick and choose comes down to the lack of enforced cyber security steps from a regulatory body. Industry regulators, stakeholders and organisations have long pushed for a ‘proactive’ approach to cyber security; that is, find gaps in the system before criminal hackers can, and fix them. To remain ‘proactive’ and avoid being hindered by slow-moving legislation, a cyber security cheat-sheet was devised by the industry’s leading experts.
In 2014, the Auto Alliance, Global Automakers and 14 automakers joined forces to form the Automotive Information Sharing and Analysis Center (Auto-ISAC). Many other industries, such as aviation, also have their own dedicated ISAC. In July 2016, the Auto-ISAC outlined a number of cyber security ‘best practices’ for the industry to follow, which in some circles was long overdue. “Are we late on it? Maybe a little bit,” admitted Jonathan Allen, then Acting Director of the Auto-ISAC. “But we’re going to see more disruption in technology in the next five years than in the last 50, so some of the OEMs had to get their own programmes up and going. These best practices are helping them do that.”
There had been concerns as to whether best practices were enough to ensure the necessary steps were being taken to protect vehicles from cyber attacks. Indeed, it would seem logical that cyber security standards should be mandated by law – just as seat belts or airbags are in most major markets. The challenge is that the nature of cyber security means that it is not as simple as blocking all known loopholes and moving on. New risks appear almost daily, and it is a job in itself to keep up with potential vulnerabilities.
So far, cyber protection programmes have been successfully deployed in vehicles due to the flexibility provided by a lack of standards, noted Tasky. It may seem counterintuitive, he added, but it allows the industry to remain agile and stay up-to-date as threats arise. “These best practices do not tell you exactly what to, or how to do it,” he explained. “There needs to be openness to address vulnerabilities that come up, and there needs to be daily adaptability. You can’t wait for a standard that may or may not address your needs later.”
Setting laws would also create a minimum standard, and as such, provide little incentive for stakeholders to go that extra step. “This is not a regulatory framework or standard, because people would not have pushed the envelope,” noted the Auto-ISAC’s Allen. Automakers, he added, would otherwise “just want to get a passing grade.”
Moving forward, it is unlikely that the industry will be bound to strict cyber security standards, but that is by design. Instead, keeping the leash off has allowed automakers to keep on top of ever-evolving issues. “We see the need for a standard that is somewhat defined, but also very flexible and open to address new day-to-day concerns,” concluded Tasky. “It needs to remain fluid.”