Recently, the US congress released a bipartisan draft of a new autonomous vehicle bill. A deeper analysis of the bill is available at “New AV Bill, Its Bipartisan, Is It Better ?” One of the most interesting aspects of the bill was its emphasis on cybersecurity.
For most consumers, cybersecurity is connected to their interactions with information technology. Words such as phishing, denial of service, and identity theft have entered the popular lexicon. At the industrial, infrastructure and utility level, computer controlled physical resources are increasingly common. Since bad actors have the potential to cause real damage with these systems, great care is taken to protect these systems from external attacks. In many of the most critical situations, the Department of Homeland Security is directly involved.
However, the modern automobile is the rare entity which is large enough to cause damage (especially when viewed as a fleet), yet managed like a consumer device. The article "Do Progressive And Geico Need To Think Like Hurricane Insurers When It Comes To Self-Driving Cars?" explores the idea of a shift in thinking that automotive insurers might have to employ when facing a risk profile of a buggy software update which is uploaded on millions of cars simultaneously. The result has the look and feel of a natural disaster. With cybersecurity, we must now contemplate the idea of a bad actor being able to induce such a natural disaster with malice intent.
All of the above begs the question, is cybersecurity for autonomous vehicles a national defense issue ?
Since automobiles have been operating for over a hundred years without such a concern, one might reasonably ask: What exactly has changed ? The drivetrain of the automobile has not changed in function for a very long time. A cyberattack on the infotainment system may be inconvenient, but certainly not life threatening. A cyber-attack on a single autonomous vehicle might cause local safety issues, but does not rise to a level of a national defense issue.
The big change is over-the-air updates.
With modern over-the-air updates one can turn a fleet of cars into an army of adversarial robots. If you believe this cannot happen, the story “Hackers Remotely Kill a Jeep on the Highway—With Me in It,” by Andy Greenberg may be eye-opening. Over-the-air updates are the classic double-edged sword. The capability is incredibly useful to update and fix functionality for automobiles in the field. However, with a very small amount of work, one can also cause a great deal of havoc in the field. There are at least three levels of risk which must be managed in order to prevent bad consequences:
Secure Platform: The hardware and software pieces which make up the critical pieces of the over-the-air infrastructure must have well understood and secure supply chains.
Secure Run Time: The operating system which manages the automobile must have secure interfaces and be hardened for cybersecurity issues.
Secure Physical Security: The operating centers of fleets (ex: Tesla TSLA’s software update center) must be secure. One imagines a modern version of the popular AMC series “The Americans” running counterintelligence operations on fleet control centers.
The concepts of secure platforms, run-time systems, and protecting critical assets are well known within the industry. As an example, Blackberry, transformed from a cell phone provider to an enterprise software company, is a leading supplier of secure operating systems for automobiles.
“Blackberry’s QNX technology has built in concepts for hardware and software trust validation, hypervisor to maintain a separation between the safety critical and infotainment systems, and a core operating system which passes all the functional safety standards,” said John Wall, Sr. VP SVP, Head of QNX at Blackberry.
Today, the application of these secure methods for cybersecurity are left to automakers as voluntary self certification. As an example, the SELF DRIVE Act just asks for a cybersecurity plan and identification for someone who is focused on cybersecurity issues. In terms of the regulator, as described in “AV 4.0: Reasonable For AV, But Perhaps Missing The Boat On ADAS Regulation,” DOT has effectively left the ADAS space wide open despite the growing proliferation of ADAS enabled automobiles on the roads today with this functionality.
Is this sufficient as a matter of public policy ?
More recently, the United Nations Economic Commission for Europe (UNECE) has been developing a vehicle regulation(WP.29) with regards to cybersecurity in connected and autonomous vehicles. UNECE vehicle regulations are law in 54 nations (contracting parties, CPs), and most other nations accept UNECE approved vehicles for import, registration, sale and use. In this new work, regulations are proposing a mandatory Certificate of Compliance for Cyber Security Management Systems. This certainly seems like a step in the right direction.
Overall, with certain aspects of ADAS and AVs, we seem to be approaching a situation where the fundamentals of safety and systemic risk looks much more like a national security concern than standard commercial practice. It would seem some regulatory framework would be desirable. As an example, right now, interestingly, there is nothing in the current regulatory environment which requires automobiles to use the properties built into a system such as Blackberry QNX.
With the financial crisis of 2008, the notion of “systemic risk” was born in the financial industry, perhaps this same notion needs to be built in the transportation industry before we have many non-financial crashes.