Government agencies in the U.S. and the U.K. are working to get ahead of the curve and let the public know that they are concerned about vehicle cybersecurity.
Consumers should be aware of the possibility of a hacker attack on their cars. We now know that what used to be considered a movie scenario — remote hacking — could be done.
The current reality is that, while a variety of connectivity technologies have been transfused into cars, the equal and opposite security measures are yet to be deployed.
Surely, car hacking is the last thing automakers want to mention as they push the connected cars into the vast consumer disconnect. But government watchdogs in both the U.S. and the U.K. are working to get ahead of the curve and let the public know that they are concerned.
"Whether we're turning vehicles into WiFi-connected hotspots or equipping them with millions of lines of code to become fully automated, it is important that they are protected against cyber-attacks," said Martin Callanan, a minister in the Department for Transport at the British government.
He said this last week when the U.K. agency issued new guidelines, requiring manufacturers of Internet-connected vehicles to put in place tougher cyber protections to ensure a stronger shield against hackers.
It isn’t just the U.K. The National Highway Traffic Safety Administration (NHTSA) in the United States also issued last fall the federal guidance to the automotive industry for improving motor vehicle cybersecurity.
Questions to ask
So should we all sleep well, confident that the feds have our back?
Not so fast, Gracie.
Questions that come to my mind include:
1. Do the guidelines issued by NHTSA and British Department of Transportation have any teeth for security enforcement?
2. More important, have they gone far enough to suggest effective cybersecurity measures for cars?
3. What are the differences in the proposals of the two separate governments?
As Roger Lanctot, director automotive connected mobility in the global automotive practice at Strategy Analytics, told us, “All of the work and guidance today is advisory vs. compulsory in nature.” Things will become real, in his opinion, “when financial and liability consequences are in fact defined.”
Sources of vulnerability in connected cars are many. Lanctot listed: “diagnostic ports, hobbyist/enthusiasts, dealers, suppliers/supply chain, criminals and terrorists to say nothing of incompetence, bugs, and the management of multiple onboard systems crossing domains with different development standards.”
Facing so many areas inside cars that must be protected as cars morph into always-on computing devices, it isn’t easy to come up with comprehensive guidelines. And yet, “Regulators need to demonstrate they are doing something,” said Lanctot.
How do security experts see the development of government guidelines?
Gene Carter, vice president of products at OnBoard Security, for example, believes that “both the U.K. and NHTSA guidance documents included basic security tenets.”
He explained such measures should be followed by any company connecting hardware or software to the web — including security by design, defense in depth, principles of least privilege, etc. In Carter’s opinion, however, these are basics. “I would hope that the automakers have learned enough from the IT world’s experiences, and they [should be] already doing those essential things.”
A few experts, including Carter, pointed out that the U.K.’s guidance does not go far enough in the area of software updates after a vulnerability is discovered.
Carter said, “The guidance merely states ‘organizations plan for how to maintain security over the lifetime of their systems.’”
In his view, “Over The Air (OTA) updates should be a requirement for automobiles. It is impossible for a manufacturer to create a car that is free of vulnerabilities throughout the 10-20 year life of a car. Without OTA, automakers are relying on car owners to bring their cars into a repair show every time a new vulnerability is discovered. This will leave many cars exposed to known attacks, while OTA would allow the fix to be pushed to the at-risk vehicles immediately.”
Of course, car makers “will save a lot of money in recalls by offering OTA, so it is likely they will move to that technology on their own,” said Carter. Still, “I would have preferred the UK specify its use and not leave it so ambiguous.”
Meanwhile, David Barzilai, chairman and co-founder of automotive cybersecurity firm Karamba Security, weighed in on the U.K. government’s guidance. While applauding pre-emptive action they might take, he pointed out that there is one area “we don’t feel these guidelines go far enough toward effectively preventing car hacking,” he said.
Again, that’s the area of how to deal with security bugs.
Next page: Differences in the U.S. and the U.K. guidelines