In the next five years we will see more and more self-driving vehicles, or autonomous vehicles, hit the market. An “autonomous vehicle” is a vehicle capable of navigating roadways and interpreting traffic-control devices without a driver actively operating any of the vehicle’s control systems. Although self-driving vehicles have the potential to drastically reduce accidents, travel time, and the environmental impact of road travel, concerns remain that could delay widespread adoption. Of particular concern are data privacy and security risks. This article addresses the cybersecurity issues of self-driving vehicles. We have also published an article discussing privacy issues of self-driving vehicles, which can be found here.
The numerous points of entry into a self-driving vehicle’s computer system give clever thieves and cyber terrorists multiple opportunities to take control of vehicles. For example, in 2010, one man in Austin, Texas triggered horns and disabled the ignition systems in more than 100 non-autonomous vehicles by hacking into an auto dealer’s computer system.1 Additionally, in 2015, two cybersecurity researches hacked into a vehicle’s internal network and paralyzed it on a highway.2 While hackers like these can control non-autonomous vehicles through entry points like internal network systems, entertainment systems, hand-free cell-phone operations, and satellite radio, self-driving vehicles are even more vulnerable to attacks, because they have all of those entry points plus many more.
The automotive industry has addressed the issue of cybersecurity of self-driving vehicles by creating a series of Automotive Cybersecurity Best Practices (“Automotive Best Practices”).3 The Automotive Information Sharing and Analysis Center (“Auto-ISAC”) issued the Automotive Best Practices, which guide how individual companies can implement the previously released “Enhance Automotive Cybersecurity” Principle. The Automotive Best Practices cover organizational and technical aspects of vehicle cybersecurity, including governance, risk management, security by design, threat detection, incident response training, and collaboration with appropriate third parties. In effect, the Automotive Best Practices prompt participating members to enhance the security of self-driving vehicles by managing cybersecurity at the product level. The Automotive Best Practices are listed below.
In addition to the automotive industry, the federal government has also issued non-binding guidance to the motor vehicle industry for improving cybersecurity issues of autonomous vehicles. Specifically, in an effort to reduce the probability of a successful cybersecurity attack, the National Highway Traffic Safety Administration (“NHTSA”) issued cybersecurity best practices that promote a layered approach to vehicle cybersecurity (“NHTSA Best Practices”).4 For example, the NHTSA’s guidelines suggest that the automotive industry creates a culture of leadership where they can handle increasing cybersecurity challenges, mechanisms for information sharing, a documented process for responding to incidents, and more. Furthermore, the NHTSA has warned that if the industry does not follow the guidelines, cybersecurity vulnerabilities will likely occur, and that such vulnerabilities may be considered safety defects compelling a recall.5 The NHTSA Best Practices have been listed below.
The estimated amount of years until hackers will only need a laptop and code to control self-driving vehicles.6
The number of vehicles NHTSA’s enforcement authority recalled in July 2015 due to cybersecurity vulnerabilities.7
The number of states to date that have introduced and passed legislation relating to self-driving vehicles.8
The percentage of fatalities on U.S. roads in 2014 that were caused by human error or faulty decision-making.9
Automotive Best Practices enacted by the Auto-ISAC, including some of the various specifications:
- Define executive oversight for product security.
- Communicate oversight responsibility to all appropriate internal stakeholders.
- Establish governance processes to ensure compliance with regulations, internal policies, and external commitments.
- Risk Assessment and Management:
- Establish standardized processes to identify, measure, and prioritize sources of cybersecurity risk.
- Monitor and evaluate changes in identified risks as part of a risk assessment feedback loop.
- Establish a process to confirm compliance by critical suppliers to verify security requirements, guidelines, and trainings.
- Security by Design:
- Identify and address potential threats and attack targets in the design process.
- Layer cybersecurity defenses to achieve defense-in-depth.
- Perform software-level vulnerability testing, including software unit and integration testing.
- Threat Detection and Protection:
- Assess risk and disposition of identified threats and vulnerabilities using a defined process consistent with overall risk management procedures.
- Identify threats and vulnerabilities through various means, including routine scanning and testing of the highest risk areas.
- Report threats and vulnerabilities to appropriate third parties based on internal processes.
- Incident Response and Recovery:
- Document the incident response lifecycle, from identification and containment through remediation and recovery.
- Perform periodic testing and incident simulations to promote incident response team preparation.
- Notify appropriate internal and external stakeholders of a vehicle cyber incident.
- Training and Awareness:
- Establish training programs for internal stakeholders across the motor vehicle ecosystem.
- Educate employees on security awareness, roles, and responsibilities.
- Tailor training and awareness programs to roles.
- Collaboration and Engagement with Appropriate Third Parties:
- Engage with industry bodies, such as the Auto-ISAC, Auto Alliance, Global Automakers, and others.
- Engage with academic institutions and cybersecurity researchers, who serve as an additional resource on threat identification and mitigation.
- Form partnerships and collaborative agreements to enhance vehicle cybersecurity.
- Vehicle Development Process With Explicit Cyber Security Considerations:
- Design a specific process that gives explicit considerations to privacy and cyber security risks through the entire life-cycle of the vehicle.
- Establish rapid detection and remediation capabilities.
- Leadership Priority on Product Cybersecurity:
- Allocate resources within the organization focused on researching, investigating, implementing, testing, and validating product cybersecurity measures and vulnerabilities.
- Facilitate seamless and direct communication channels through organizational ranks related to product cybersecurity measures.
- Information Sharing:
- Share information related to cybersecurity risks and incidents, and collaborate in as close to real time as possible.
- Vulnerability Reporting Policy:
- Create your own vulnerability reporting policies, or adopt policies used in other sectors.
- Incident Response Process:
- Create a documented process for responding to incidents, vulnerabilities, and exploits.
- Outline roles and responsibilities for each responsible group within the organization and specify any requirements for internal and external coordination.
- Document the details related to the cybersecurity process to allow for auditing and accountability.
- Risk Assessment:
- Develop and use a risk-based approach to assessing vulnerabilities and potential impacts considering the entire supply-chain of operations.
- Penetration Testing and Documentation:
- Conduct cybersecurity testing.
- Collect all reports resulting from the tests and maintain them as part of the body of internal documentation associated with the cybersecurity approach.
- Establish procedures for internal review and documentation of activities relating to cybersecurity.
Factors the NHTSA will consider in determining whether a cybersecurity vulnerability compels a recall:
- The amount of time elapsed since the vulnerability was discovered (e.g., less than one day, three months, or more than six months);
- The level of expertise needed to exploit the new vulnerability (e.g., whether a layman can exploit the vulnerability or whether it takes an expert to do so);
- The accessibility of knowledge of the underlying system (e.g., whether how the system works is public knowledge or whether it is sensitive and restricted);
- The necessary window of opportunity to exploit the vulnerability (e.g., an unlimited window or a very narrow window); and
- The level of equipment needed to exploit the vulnerability (e.g., standard or highly specialized).
Questions to consider when addressing cybersecurity issues of self-driving vehicles:
- What are the functions of the new self-driving technology and what are the implications if they were compromised?
- Who has authority and enforcement power to govern the security system of the self-driving vehicle?
- Does your company need to notify owners of self-driving vehicles of the risks their vehicle presents?
- How can your company guard against hacks for control of the vehicle?
- What is the safety risk to society and the value risk to your company?
- What can your company do to minimize exposure to the potential loss or damage to owners of self-driving vehicles?
- How should your company anticipate how the conscious and malicious acts of third parties affect the vehicle?
- What design decisions could your company make with respect to the risk assessment process?
- How can your company protect identities of users and avoid tracking users while they are in their self-driving vehicle?
- Will your company’s vehicle cybersecurity protections unduly restrict authorized access by alternative third-party repair services?