In the next five years we will see more and more self-driving vehicles, or autonomous vehicles, hit the market. An “autonomous vehicle” is a vehicle capable of navigating roadways and interpreting traffic-control devices without a driver actively operating any of the vehicle’s control systems. Although self-driving vehicles have the potential to drastically reduce accidents, travel time, and the environmental impact of road travel, concerns remain that could delay widespread adoption. Of particular concern are data privacy and security risks. This article addresses the cybersecurity issues of self-driving vehicles. We have also published an article discussing privacy issues of self-driving vehicles, which can be found here.

The numerous points of entry into a self-driving vehicle’s computer system give clever thieves and cyber terrorists multiple opportunities to take control of vehicles. For example, in 2010, one man in Austin, Texas triggered horns and disabled the ignition systems in more than 100 non-autonomous vehicles by hacking into an auto dealer’s computer system.1 Additionally, in 2015, two cybersecurity researches hacked into a vehicle’s internal network and paralyzed it on a highway.2 While hackers like these can control non-autonomous vehicles through entry points like internal network systems, entertainment systems, hand-free cell-phone operations, and satellite radio, self-driving vehicles are even more vulnerable to attacks, because they have all of those entry points plus many more.

The automotive industry has addressed the issue of cybersecurity of self-driving vehicles by creating a series of Automotive Cybersecurity Best Practices (“Automotive Best Practices”).3 The Automotive Information Sharing and Analysis Center (“Auto-ISAC”) issued the Automotive Best Practices, which guide how individual companies can implement the previously released “Enhance Automotive Cybersecurity” Principle. The Automotive Best Practices cover organizational and technical aspects of vehicle cybersecurity, including governance, risk management, security by design, threat detection, incident response training, and collaboration with appropriate third parties. In effect, the Automotive Best Practices prompt participating members to enhance the security of self-driving vehicles by managing cybersecurity at the product level. The Automotive Best Practices are listed below.

In addition to the automotive industry, the federal government has also issued non-binding guidance to the motor vehicle industry for improving cybersecurity issues of autonomous vehicles. The National Highway Traffic Safety Administration (“NHTSA”) first issued guidelines in October 2016 (“NHTSA Best Practices 1.0”).4 Specifically, in an effort to reduce the probability of a successful cybersecurity attack, those cybersecurity best practices promote a layered approach to vehicle cybersecurity. For example, the NHTSA Best Practices 1.0 suggests that the automotive industry creates a culture of leadership where they can handle increasing cybersecurity challenges, mechanisms for information sharing, a documented process for responding to incidents, and more. Furthermore, the NHTSA has warned that if the industry does not follow the guidelines, cybersecurity vulnerabilities will likely occur, and that such vulnerabilities may be considered safety defects compelling a recall.5 The NHTSA Best Practices 1.0 have been listed below.

In September 2017, the NHTSA updated its guidelines (NHTSA Best Practices 2.0).6 Like the first version, this updated version recommends that the industry dedicate resources to assessing risk and testing vehicles for cybersecurity vulnerabilities. However, this updated version puts even more emphasis on the importance of responding to incidents than the first version. For example, NHTSA now recommends that entities have a documented process for transitioning to a minimal risk condition when a problem is encountered and consider methods of returning self-driving vehicles to a safe state immediately after being involved in a crash. Additionally, unlike the first version, the updated version includes guidelines for state legislatures and highway safety officials. The NHTSA recommends that those entities document how they intend to account for all applicable Federal, State, and local laws in the design of their vehicles and self-driving vehicles. The NHTSA Best Practices 2.0 have been listed below.

Automotive Best Practices enacted by the Auto-ISAC, including some of the various specifications:

1. Governance:

  • Define executive oversight for product security.
  • Communicate oversight responsibility to all appropriate internal stakeholders.
  • Establish governance processes to ensure compliance with regulations, internal policies, and external commitments.

2. Risk Assessment and Management:

  • Establish standardized processes to identify, measure, and prioritize sources of cybersecurity risk.
  • Monitor and evaluate changes in identified risks as part of a risk assessment feedback loop.
  • Establish a process to confirm compliance by critical suppliers to verify security requirements, guidelines, and trainings.

3. Security by Design:

  • Identify and address potential threats and attack targets in the design process.
  • Layer cybersecurity defenses to achieve defense-in-depth.
  • Perform software-level vulnerability testing, including software unit and integration testing.

4. Threat Detection and Protection:

  • Assess risk and disposition of identified threats and vulnerabilities using a defined process consistent with overall risk management procedures.
  • Identify threats and vulnerabilities through various means, including routine scanning and testing of the highest risk areas.
  • Report threats and vulnerabilities to appropriate third parties based on internal processes.

5. Incident Response and Recovery:

  • Document the incident response lifecycle, from identification and containment through remediation and recovery.
  • Perform periodic testing and incident simulations to promote incident response team preparation.
  • Notify appropriate internal and external stakeholders of a vehicle cyber incident.

6. Training and Awareness:

  • Establish training programs for internal stakeholders across the motor vehicle ecosystem.
  • Educate employees on security awareness, roles, and responsibilities.
  • Tailor training and awareness programs to roles.

7. Collaboration and Engagement with Appropriate Third Parties:

  • Engage with industry bodies, such as the Auto-ISAC, Auto Alliance, Global Automakers, and others.
  • Engage with academic institutions and cybersecurity researchers, who serve as an additional resource on threat identification and mitigation.
  • Form partnerships and collaborative agreements to enhance vehicle cybersecurity.

NHTSA Best Practices 1.0:

1. Vehicle Development Process With Explicit Cyber Security Considerations:

  • Design a specific process that gives explicit considerations to privacy and cyber security risks through the entire life-cycle of the vehicle.
  • Establish rapid detection and remediation capabilities.

2. Leadership Priority on Product Cybersecurity:

  • Allocate resources within the organization focused on researching, investigating, implementing, testing, and validating product cybersecurity measures and vulnerabilities.
  • Facilitate seamless and direct communication channels through organizational ranks related to product cybersecurity measures.

3. Information Sharing:

  • Share information related to cybersecurity risks and incidents, and collaborate in as close to real time as possible.

4. Vulnerability Reporting Policy:

  • Create your own vulnerability reporting policies, or adopt policies used in other sectors.

5. Incident Response Process:

  • Create a documented process for responding to incidents, vulnerabilities, and exploits.
  • Outline roles and responsibilities for each responsible group within the organization and specify any requirements for internal and external coordination.

6. Self-Auditing:

  • Document the details related to the cybersecurity process to allow for auditing and accountability.

7. Risk Assessment:

  • Develop and use a risk-based approach to assessing vulnerabilities and potential impacts considering the entire supply-chain of operations.

8. Penetration Testing and Documentation:

  • Conduct cybersecurity testing.
  • Collect all reports resulting from the tests and maintain them as part of the body of internal documentation associated with the cybersecurity approach.

9. Self-Review:

  • Establish procedures for internal review and documentation of activities relating to cybersecurity.

NHTSA Best Practices 2.0

1. System Safety:

  • Follow a robust design and validation process based on industry standards.

2. Operational Design Domain:

  • Define and document the Operational Design Domain (ODD) for each self-driving vehicle available for use on public roadways.
  • The ODD should include, at a minimum, roadway types, geographic area, speed range, environmental condiditons, and other domain constraints.

3. Object and Event Detection and Response:

  • Have a documented process for assessment, testing, and validating of the self-driving vehicle’s capabilities.

4. Fallback (Minimal Risk Condition):

  • Have a documented process for transitioning to a minimal risk condition when a problem is encountered or the self-driving vehicle cannot operate safely.
  • Fallback strategies should take into account that human drivers may be inattentive, under the influence of alcohol or other substances, drowsy, or otherwise impaired.

5. Validation Methods:

  • Develop validation methods to appropriately mitigate the safety risks associated with their self-driving vehicle approach.

6. Human Machine Interface:

  • Consider and document a process for the assessment, testing, and validation of the vehicle’s HMI design.

7. Vehicle Cybersecurity:

  • Follow a robust product development process that includes a systematic and ongoing safety risk assessment for each self-driving vehicle, the overall vehicle design into which it is being integrated, and when applicable, the broader transportation system.
  • Document how your entity incorporates vehicle cybersecurity considerations into self-driving vehicles, including all actions, changes, design choices, analyses, and associated testing.

8. Crashworthiness:

  • Consider incorporating information from the advanced sensing technologies needed for self-driving vehicle operation into new occupant protection systems that provide enhanced protection to occupants of all ages and sizes.

9. Post-Crash Self-Driving Vehicle Behavior:

  • Consider methods of returning self-driving vehicles to a safe state immediately after being involved in a crash, such as shutting off the fuel pump, removing motive power, moving the vehicle to a safe position off the roadway, disengaging electrical power, and other actions that would assist the self-driving vehicles.

10. Data Recording:

  • Establish a documented process for testing, validating, and collecting necessary data related to the occurrence of malfunctions, degradations, or failures in a way that can be used to establish the cause of any crash.

11. Consumer Education and Training:

  • Develop, document, and maintain employee, dealer, distributor, and consumer education and training programs to address the anticipated differences in use and operation of self-driving vehicles from those of the conventional vehicles.

12. Federal, State, and Local Laws:

  • Document how your entity intends to account for all applicable Federal, State, and local laws in the design of their vehicles and self-driving vehicles.

Best Practices for Legislatures

  1. Provide a “Technology-Neutral” Environment
  2. Provide Licensing and Registration Procedures
  3. Provide Reporting and Communications Methods for Public Safety Officials
  4. Review Traffic Laws and Regulations That May Serve as Barriers to Operation of Self-Driving Vehicles

Best Practices for Highway Safety Officials

  1. Administrative
  2. Application for Entities to Test Self-Driving Vehicles on Public Roadways
  3. Permission for Entities to Test Self-Driving Vehicles on Public Roadways
  4. Specific Considerations for Self-Driving Vehicles Test Drivers and Operations
  5. Considerations for Registration and Titling
  6. Working With Public Safety Officials
  7. Liability and Insurance

Factors the NHTSA will consider in determining whether a cybersecurity vulnerability compels a recall:

  1. The amount of time elapsed since the vulnerability was discovered (e.g., less than one day, three months, or more than six months);
  2. The level of expertise needed to exploit the new vulnerability (e.g., whether a layman can exploit the vulnerability or whether it takes an expert to do so);
  3. The accessibility of knowledge of the underlying system (e.g., whether how the system works is public knowledge or whether it is sensitive and restricted);
  4. The necessary window of opportunity to exploit the vulnerability (e.g., an unlimited window or a very narrow window); and
  5. The level of equipment needed to exploit the vulnerability (e.g., standard or highly specialized).

Questions to consider when addressing cybersecurity issues of self-driving vehicles:

  1. What are the functions of the new self-driving technology and what are the implications if they were compromised?
  2. Who has authority and enforcement power to govern the security system of the self-driving vehicle?
  3. Does your company need to notify owners of self-driving vehicles of the risks their vehicle presents?
  4. How can your company guard against hacks for control of the vehicle?
  5. What is the safety risk to society and the value risk to your company?
  6. What can your company do to minimize exposure to the potential loss or damage to owners of self-driving vehicles?
  7. How should your company anticipate how the conscious and malicious acts of third parties affect the vehicle?
  8. What design decisions could your company make with respect to the risk assessment process?
  9. How can your company protect identities of users and avoid tracking users while they are in their self-driving vehicle?
  10. Will your company’s vehicle cybersecurity protections unduly restrict authorized access by alternative third-party repair services?