In June 2017, U.S. Secretary of Transportation Elaine Chao announced that her department is revising autonomous vehicle guidelines issued in September 2016. The new guidelines—which will be released later this year—are expected to address state deference to federal regulations, reporting requirements for accidents and other incidents involving test and production vehicles, human-machine interfaces, consumer education and training, post-crash behavior and crashworthiness.
According to “Chao Ponders Fed Role in Regulating Driverless Tech,” a June 2017 Detroit News article, Secretary Chao met with auto executives and noted that while the future of autonomous vehicles is bright, “We have a responsibility to ensure that the new technology is safe and secure.” Secretary Chao’s emphasis on “safe and secure” hints that, in addition to the topics mentioned above, the 2017 Guidelines may improve existing guidance by addressing safety issues peculiar to autonomous vehicles. This includes the standardization of road markings and identifying conditions under which autonomous vehicles are not permitted to operate, such as weather restrictions.
Cybersecurity Breaches and Other Risks
It is critical that the security issues covered in the 2017 Guidelines meaningfully address autonomous vehicle data recording and sharing, privacy and cybersecurity. Cybersecurity issues are especially significant. Any software that connects to the internet is susceptible to a cybersecurity attack, and autonomous vehicles will have at least one internet connection. Exacerbating this inherent risk is the fact that some autonomous vehicles are developed by companies that are not original equipment manufacturers. These companies modify a vehicle developed by an OEM by introducing software, sensors and other devices that enable the vehicle to perform autonomous functions. As a result, the autonomous operations are being built using software and hardware that is separate from, or in addition to, software and hardware designed by the OEM. The autonomous functions also use computer networks that were not designed for a high level of automation and remote access. This development bifurcation is a prescription for cybersecurity gaps.
There have been several high-profile automotive cybersecurity breaches in recent years. In one breach, German researchers spoofed a cell phone station and sent fake messages to a SIM card used by a vehicle’s telematics system (the system enabling the long-distance transmission of computerized information). This gave the researchers access to remote convenience features of the vehicle, allowing them to remotely unlock the vehicle’s doors. Several other cybersecurity breaches involved remotely taking control of essential features of a car; one such breach enabled an unauthorized party to take control of various functions of the vehicle by plugging a device into a vehicle’s on-board diagnostic port, where that plugged-in device was able to receive instructions remotely. In addition, in 2015, two unauthorized individuals hacked into a vehicle using its internet connection, and remotely stopped the vehicle on a highway. And in 2016, another vehicle’s WiFi connection was breached, enabling an unauthorized party to take control of its driving systems.
Any type of malware that can put a home computer or smartphone at risk can similarly threaten autonomous vehicles. For example, ransomware attacks that encrypt all of the data on a computing device can be modified to take control of or stop the operation of a vehicle unless payment is made. A user of an autonomous vehicle might not have the luxury of time to figure out a solution to a vehicle that is not operational due to ransomware. These cybersecurity breaches can result in intentional damage to people, the vehicle and other property.
Weaknesses of the 2016 Guidelines
The automated vehicle guidelines issued by the Department of Transportation last year identified cybersecurity as one area of concern, but did not go far enough in addressing cybersecurity risks. National Highway Traffic Safety Administration (2016), Federal Automated Vehicles Policy, Washington, D.C. (2016 Guidelines).
The authors of the 2016 Guidelines did understand the cyberattack cat-and-mouse game in which hackers exploit weaknesses in networks as long as they remain unfixed, and then identify and exploit other weaknesses in a serial manner. Accordingly, those guidelines provide a framework for companies to approach cybersecurity problems. They do not propose specific technological solutions, however. Rather, the 2016 Guidelines rely on platitudes and are too tentative. For example, they suggest that manufacturers “follow a robust product development process based on a systems-engineering approach to minimize risks to safety” and employ “established best practices for cyber physical vehicle systems,” but do not provide any meaningful guidance.
A separate report in October 2016 focuses on cybersecurity and provides additional suggestions, such as layered solutions to ensure that vehicle systems are designed to take appropriate and safe actions, even when an attack is successful. National Highway Traffic Safety Administration (2016, October), Cybersecurity best practices for modern vehicles (Report No. DOT HS 812 333), §5. Washington, D.C. While this report provides additional guidance, it is still too tentative to meaningfully assure an adequate level of attention to the cybersecurity risk.
What Kinds of Solutions Should the 2017 Guidelines Identify?
The 2017 Guidelines should more forcefully propose a collaboration among autonomous vehicle manufacturers to address cybersecurity risks. They should also mandate the reporting of any cybersecurity attack to both the collaborative body and the government, to better share and address cybersecurity risks and solutions. In 2015, the automobile industry took a first step in this direction with the formation of the Automotive Information Sharing and Analysis Center, whose charter includes the transparent sharing of vulnerability detection and best practices. However, participation in the Auto ISAC is voluntary, and its recommendations are not binding, even on its members.
The 2017 Guidelines should also require isolated networks: one network for non-essential vehicle operations such as infotainment and telematics functions, and another network for essential vehicle operations. They should also restrict or prevent direct communications between these networks, to make it more difficult for hackers to take control of essential vehicle operations—such as steering and braking—merely by penetrating internet-facing software and data—such as a vehicle’s browser, map or traffic data. Isolation may be achieved by implementing a separate physical network, or by using software that effectively isolates the network that controls essential vehicle operations from non-essential vehicle operations.
For software and firmware updates, which are already commonplace in electric vehicles, code signing using secure cryptographic keys—already in use by one vehicle manufacturer—should be required by the 2017 Guidelines.
Other possible cybersecurity solutions include requiring real-time attack detection and a real-time response. For example, when an attack is detected, the vehicle could be safely stopped and a clean version of the software or firmware could be reinstalled. Another solution would be to severely limit access to the internal control/diagnostic bus of the vehicle, which currently provides hackers with direct and easy access to the internal networks of vehicles.
Note to the Industry: Take More Forceful Action or Face Congressional Intervention
Autonomous vehicles are enticing targets for those carrying out cybersecurity attacks. Although the automotive industry has taken some voluntary action, it must take more meaningful steps to adopt cybersecurity measures; otherwise, the industry will face congressionally mandated cybersecurity protections.
For example, in March, the U.S. Senate introduced the Security and Privacy in Your Car (SPY Car) Act of 2017 (S.680, 115th Congress (2017)), a bill designed to improve vehicle security and privacy. If passed, the legislation will require, inter alia, the isolation of critical software systems, i.e., those required for the operation of the vehicle, from noncritical systems.