Cybersecurity – a gating issue for safety in a connected and automated vehicle future

Introduction

Connected, partially and fully automated vehicles hold the potential to transform our lives, making real smart cities and ushering in undreamed-of efficiencies in the transport of people and goods by land and in the futures, air, and even space.  Where things go wrong, however, potential harms are much greater than those of historical data breaches around mobile devices, laptops, desktops and the cloud.

Potential harms range from driver distraction to Distributed Denial-of-Service (DDoS) and ransomware, to property damage and bodily injury, to death and debilitation of critical transport infrastructure. A counter-argument to cybersecurity and privacy concerns is that the economic benefits of automation are so huge and the numbers of lives potentially saved so numerous that to focus on anything that might delay mass adoption is to strive for the perfect over the good.”

Highlights

• “Economics will likely drive fleet adoption of full automation much sooner than for consumers”
• ”US and international law and policy governing connected and automated vehicles are decades old, focusing on physical safety and the avoidance of unfair and deceptive commercial practices”
• “It is the very connectedness of vehicles and decision making by software and sensors rather than by drivers that opens the door for cyberattack that in turn has the potential to compromise safety”
• “While cybersecurity and privacy guidelines are today voluntary, they will become mandatory sooner rather than later if software engineering’s ‘beta as production’ mindset undermines the more safety oriented mechanical engineering approach”
• “A counter argument to cybersecurity and privacy concerns is that the economic benefits of automation are so huge and the numbers of lives potentially saved so numerous that to focus on anything that might delay mass adoption is to strive for the perfect over the good.”

An eventful 24-months for products with 15-20 year lifetimes

• July 2015 FCA – World’s first vehicle cybersecurity recall
• March 2016 FBI – Motor vehicles increasingly vulnerable to remote exploits
• August 2016 FTC – What is your phone telling your rental car?
• March 2017 S. Senate – Spy Car Act proposal
• August 2017 S. Senate – IoT Cybersecurity Improvement Actproposal

Law and policy

US and international laws and policy governing connected and automated vehicles are decades old, focusing on physical safety and the avoidance of unfair and deceptive commercial practices.  They predate the rise of the digital realm with its new risks of cyberattack and data privacy breaches.

Unlike older physical safety standards such as ISO 26262 and NHTSA regulations, newer cybersecurity and privacy legislation is still at the proposal stage.   Initiatives include the U.S. Senate“ SPY Car” proposal and the “IoT Cybersecurity Improvement” proposal that could cover at least the 200,000 vehicles of the U.S. government’s own fleet.  Others are embodied in voluntary guidelines and best practices from industry and government bodies including SAE’s “Cybersecurity guidebook for cyber-physical vehicle Systems” [i], NHTSA’s “Cybersecurity guidelines for vehicles” [ii] and FASTR’s “Manifesto toward tomorrow’s organically secure vehicle” [iii].

Changing business models

With the rise of connectivity and automation, along with impending end-of-life of internal combustion engines, newer business models of logistics, ride sharing and subscription ownership are opening up and older businesses such as taxi services, car rentals, personal auto insurance, public transportation systems of all kinds, parking garages, gas stations and repair services are beginning to take note.  Fears over the potential for mass displacement of human workers by the increasing use of Artificial Intelligence (AI) and Machine Learning (ML) have already been voiced by figures such as India’s Transport Minister and oddly even by Tesla’s own CEO.

Today’s calculus

Fleet telematics, routing apps, insurance companies’ driver behavior monitoring angles, partial automation with Automated Driver Assist Systems (ADAS), Over-the-Air (OTA) software updates and early warning Vehicle to Everything (V2X) systems are already improving vehicle efficiency and safety. Moving up through SAE’s driver automation levels has the potential to cut time, fuel and driver costs as well as accidents, which are almost all driven by human error.   Economics will likely drive fleet adoption of automation much sooner than for consumers with operating costs driven largely by driver benefits and fuel usage.

It is the very connectedness of vehicles and decision making by software and sensors rather than by drivers that open the door for the cyberattack that in turn has the potential to compromise safety.  FCA’s recall of 1.4 million US vehicles in 2015 following a successful demonstration of cyberattack was prompted by NHTSA’s safety concerns since no mandatory US automotive cybersecurity or privacy legislation is yet in place.

Justice Sotomayor in her concurrence to the 2012 Supreme Court case “US v. Jones”[iv]warned of auto privacy concerns.  She noted that unauthorized access to vehicle GPS data alone could disclose “trips to the psychiatrist, the plastic surgeon, the abortion clinic, the AIDS treatment center, the strip club, the criminal defense attorney, the by-the-hour motel, the union meeting, the mosque, synagogue or church, the gay bar and on and on.”Today’s cars record far more than just GPS and driving data, including potentially all audio and video within and around the vehicle as well as pinging surrounding devices for identification and tagging.

An end-to-end issue

A modern vehicle has around 100 million lines of code running on 100+ Electronic Control Units (ECUs), ranging from simple 8-bit devices to the powerful 64-bit processors that support AIand ML applications that interpret data from a plethora of sensors.  Intel estimates that a fully automated vehicle can generate up to 4TB of data per day.In cybersecurity, a defender must defend against all types of attack and an attacker need find only one weak point of entry.  Delivering end-to-end cybersecurity means paying attention not just to point areas like a single ECU, network device or SaaS provider but across:

·         Systems – from ECUs to the CAN, J1939 or Ethernet buses, to gateways or collectors, to the cloud, along with the back-end systems supporting updating, analytics, and diagnostics,

·         Solution stacks – from hardware to firmware, to hypervisor, container, OS, libraries, and apps across all suppliers and versions,

·         Product lifecycles – from design to General Availability (GA), through multiple upgrades and updates, to End-of-Life (EOL) that can be 15 to 20 years,

·         People and processes – no matter how great the hardware, software and cloud services designs are they may still be vulnerable to weak security practices around processes, rogue executives or employees and old-fashioned social engineering.

The challenge

There are many lenses through which to analyze and triage cybersecurity risk, its mitigation, avoidance, transference or even acceptance.  These include NIST’s Cybersecurity Framework (CsF) and various so-called “kill chain” methodologies.   Under laying them all is the sheer breadth and complexity of existing systems, their many owners and the constraints of final deliverable costs, time lines and access to expertise.   Leading companies need to be first to market or among the first in order to reach scale, attract and maintain media coverage, investment and employees with in-demand skills.  These competing priorities can be to the detriment of efforts at compliance and cybersecurity.

Attempting to add security by ripping out the past and replacing it with solutions created from the ground up are not generally practical.  Much of what is presented as new itself relies on components that are decades old, themselves potentially hiding hidden flaws that escape even the most vigilant inspection tools and teams.  Today’s cutting-edge new code can quickly become tomorrow’s “spaghetti”, when teams move on, once again hampering re-engineering based efforts.

Automation can be a big part of the answer.   Many contractors, managed services providers, and integrators over-emphasize staffing-based solutions.  Humans are needed in analysis and high-value tasks but are not the best placed to retrofit millions of lines of code for security unless delays, quality concerns or cost overruns are built into the Work Breakdown Structure (WBS) as clearly as Full-Time Equivalent (FTE) personnel.

Creative use of automation is the key, for example in applying Runtime Application Self Protection (RASP) into existing hardware footprints or adding AI-based Intrusion Prevent Systems (IPS) into networks.

Conclusions

The economic benefits of connectivity, automation and lives-saved are rightly the focus of vehicle OEMs and suppliers.   While cybersecurity and privacy guidelines are today voluntary, they will become mandatory sooner rather than later if software engineering’s‘beta as production’ mindset undermines the more safety oriented mechanical engineering approach.  Preventable security incidents can potentially undermine public confidence and the scaling, investment and hiring projections that so many companies rely on. Cybersecurity is truly a gating issue.The following three areas are the aptest for improvement:

·         1) Security by design and in needing a strong emphasis on external red teaming and penetration testing if only to minimize the hubris that can come with decades of industry automotive experience married to just a veneer of cybersecurity expertise,

·         2) Offering a lifetime of OTA software updates, avoiding unlimited vulnerability windows, and

·         3)Raising supply chain transparency, with industry-driven cybersecurity scorecards.

About the author

Simon is an industry recognized expert in cybersecurity, mobility and the Internet of Things (IoT), founder of Washington D.C. based cybersecurity startups RunSafe Security and 202 Partners.  He is a member of the Society of Automotive Engineer (SAE)’s IoT Cybersecurity Committee and a contributing author of their new book “Cybersecurity for Commercial Vehicles”.  RunSafe was developed as part of DARPA’s High-Assurance Cyber Military Systems (HACMS) program of cybersecurity for military vehicles, drones and medical devices.  Simon also worked with Apple and Samsung in hardening their mobile devices for DoD and government use.

Previously, he was VP of Sales at Kaprica Security (acquired by Samsung), Mobile Program Director, DMI, U.S. market leader in enterprise managed mobility and Director of Sales at Thursby Software, U.S. market leader in strong iPhone security.  Prior executive sales and management roles in the U.S. and Europe include Red Hat, HP, Capgemini, a $9B hedge fund, a $50MM U.S.-Indian dot com and a background in nuclear software engineering.  He holds a BS in Physics from U-Manchester, England, a MS in Law & Cybersecurity from U-Maryland Carey Law, CISSP, CEH and CIPP/US certifications.

References:

[1]  Fiat Chrysler Automobiles
http://media.fcanorthamerica.com/newsrelease.do?&id=16827&mid=1
[1]  Federal Bureau of Investigation
https://www.ic3.gov/media/2016/160317.aspx
[1]  Federal Trade Commission
https://www.consumer.ftc.gov/blog/what-your-phone-telling-your-rental-car
[1]  Senators reintroduce a bill to improve cybersecurity in cars

Senators reintroduce a bill to improve cybersecurity in cars

[1]Senators Introduce bipartisan legislation to improve cybersecurity of IoT devices
https://www.warner.senate.gov/public/index.cfm/pressreleases?id=06A5E941-FBC3-4A63-B9B4-523E18DADB36
[1] Society of Automotive Engineers (SAE) J3061
http://standards.sae.org/wip/j3061/
[1] U.S. National Highway Traffic Safety Administration (NHTSA)
https://www.nhtsa.gov/press-releases/us-dot-issues-federal-guidance-automotive-industry-improving-motor-vehicle
[1] Future of Automotive Security Technology Research (FASTR)
https://fastr.org/about-us/what-is-fastr-a-manifesto/
[1]“US v. Jones”
https://www.supremecourt.gov/opinions/11pdf/10-1259.pdf