How connected cars introduce new cybersecurity challenges
When it comes to the cybersecurity of new vehicles on the road, several converging trends should give us pause.
Though the automotive industry is working to meet the inherent cybersecurity challenges of “connected cars,” policymakers and consumers should also be aware of them because resolving them and gaining consumer acceptance is crucial to the commercial success of this automotive sector.
What are these trends and their implications?
First, the electrification of transportation means that most vehicles’ functions are increasingly electronically controlled and executed. Functions formerly actuated by hydraulics or mechanical means are increasingly governed by electronics, and those electronics are networked, as are the vehicle’s information and entertainment functions.
Second, each vehicle’s own network is increasingly dependent on the so-called cloud for information and software updates. In terms of network cybersecurity, the cloud itself is a network of networks. Functionally, the cloud represents the Internet of Things (IoT), which ostensibly will connect all devices.
Third, as collision mitigation software and inter-vehicular communication strategies mature, connected cars may increasingly behave as a single node in a network of vehicles.
Perhaps you see where I’m heading by identifying these trends.
Clearly, deploying cybersecurity for a vehicle that is functionally a single node in a network of vehicles is a complex challenge, especially when that network is connected to the cloud and a network of yet more devices and more networks. Thus, a multi-faceted cybersecurity challenge is upon us.
Hackers penetrate a connected car
The notion that hackers located anywhere can disrupt a specific connected vehicle’s functions and potentially cause bodily harm to the driver, his or her passengers and the people and vehicles around them is no longer an abstract one.
In fact, USA Today reported on July 17 that “for the second time, Chinese security researchers were able to hack a Tesla Model X, turning on the brakes remotely and getting the doors and trunk to open and close while blinking the lights in time to music streamed from the car’s radio …” Apparently, the security researchers sent malicious software via the vehicle’s web browser, enabling them to control the car’s brakes, doors, trunk and lights over both Wi-Fi and cellular connections.
“The second time”? Yes, in late 2016, according to Forbes, hackers had spoofed a Tesla’s ability to discern obstacles, making a Model S’s autopilot perceive that real objects in its path had vanished and that fake objects had appeared. And they managed to turn off the car mid-drive.
Tesla is no different from any other connected vehicle, but hackers apparently chose the headline-making brand to underscore their point: connected, electrified vehicles are vulnerable. And, therefore, passengers in those vehicles and any other vehicles near them are vulnerable as well. I hesitate to mention it, but the recent use of motor vehicles by terrorists to kill and injure innocent civilians adds to the concerns over cybersecurity for connected, and in particular autonomous, vehicles.
Taking responsibility for cybersecurity
While I believe various measures can make connected cars cyber-safe, who should take responsibility for doing so? The situation is complicated. The responsibility for making them cyber-safe goes well beyond the original equipment manufacturer (OEM) to include hosts of the cloud, third-party service providers, and aggregators of software code, to name just a few. The days of OnStar – General Motors’ proprietary, subscriber-based system for turn-by-turn directions and remote diagnostics – may be over.
In fact, coordinating a cybersecurity strategy and implementing needed steps among potentially responsible parties may well prove to be the most difficult challenge to meet. Because currently known cybersecurity measures, if properly implemented, may well reduce the risk to an acceptable level. It’s just that connected cars require more parties to coordinate and cooperate to make them feasible and safe.
Though I do not claim to have all the answers to these trends and challenges, a few obvious cybersecurity measures suggest themselves.
Applying known cyber measures
If you draw a bubble around an individual vehicle, certainly OEMs can apply cyber-hardening measures to protect the vehicle’s web browser, its internal network and the electrified systems in that vehicle to make it resistant to hacking.
Engineering situational awareness into a vehicle and its systems could mean, in a crude example, that it would be impossible to put the vehicle in park when it is going 60 miles per hour. Certain vehicular actions or responses could be engineered to be practically impossible under certain situations and conditions. Hard and fast rules of logic could be engineered into a vehicle’s systems to avoid obvious missteps or potentially harmful maneuvers.
But connected cars do not exist in a bubble and the whole point is to enable them to receive software updates or even commands from the cloud or in response to the proximity of other vehicles. So there arises a need to authenticate the validity of any updates or commands issued from the cloud or other sources, such as sensors in streets or highways.
Another challenge is that the cloud may communicate with vehicles using various protocols, with near-real-time speeds used for the most highly prioritized functions, such as steering and braking. Less important updates or commands could be given lower priority. But the party or parties responsible for sending commands, updates, or signals would have to ensure that those commands are uncorrupted. So it’s possible that blockchain technology or something akin to it might be employed to guarantee the integrity of such commands.
Finally, the common cybersecurity strategy of defense-in-depth, a layered approach, is likely to find traction in the connected car environment. In information technology, such an approach slows an attack, detects the problem and isolates it from doing harm through a variety of independent controls, systems or processes.
Clearly, connected cars offer advancements in safety, efficiency and convenience, but these benefits come with risk. Managing that risk in large, fast-moving, potentially dangerous vehicles in a way that consumers can (to a degree) understand and trust remains a significant challenge for industry.