The National Highway Traffic Safety Administration (NHTSA), part of the US Department of Transportation, recently issued its much anticipated Federal Automated Vehicles Policy. This 116-page document is guidance rather than mandatory rule-making, intended to "guide manufacturers and other entities in the safe design, development, testing, and deployment of HAVs [Highly Automated Vehicles]."
The guidance in this document is a good first step, although it is only a first step. This will hopefully encourage the car makers to take cyber security and privacy as seriously as they do safety. The guidance suggests that auto makers apply "established best practices for cyber physical vehicle systems" while offering few suggested resources. A logical starting point is the Automotive Information Sharing and Analysis Center (ISAC) Automotive Cybersecurity Best Practices released in July 2016. Or they could start by viewing Jonathan Petit’s presentation from the Automated Vehicle Symposium 2016.
An important concept brought forward by the guidance document is that safety, privacy and cybersecurity need to be designed in from the start. This is a key lesson learned from other industries. Trying to add security at the end of the development cycle is largely ineffective and always inefficient. NHTSA also stresses that the automotive supply chain needs to follow the same process, stating:
"Manufacturers should insist that their suppliers build into their equipment robust cybersecurity features. Manufacturers should also address cybersecurity, but they should not wait to address cybersecurity until after they have received equipment from a supplier."
This is an excellent point. In many cases, the car makers are not requiring any cybersecurity measures beyond a penetration test and/or a static code vulnerability scan, if they even require those basic tests. A secure system design built on insecure electronic control units (ECUs) is an ineffective strategy.
Data collection and sharing is another area addressed in the guidance that will potentially improve cybersecurity. NHTSA urges the car manufacturers to collect sensor inputs and other data useful in diagnosing accidents. An unstated advantage of this data collection could also be the enhanced detection of security breaches. One often hears that there has been no malicious hack on a connected vehicle, but since most vehicles do not have the event logging hardware required to detect these hacks, it is a difficult claim to substantiate.
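To show how the logged data the guidance asks for could also serve breach detection, here is an added example (not code from the post, from NHTSA, or from any car maker). It assumes, since the post names no bus or log format, that the vehicle records CAN frames as lines of the form "<seconds> <hex id> <hex payload>"; the IDs, periods and thresholds are constructed for illustration. It learns each ID's normal inter-arrival gap from a quiet training window, then flags windows where an ID's frame count exceeds the expected rate or an ID appears that was never seen in the baseline, which is what an injected-message event looks like in a rate-based view.

```python
"""Rate-based burst detection over a constructed vehicle event log.

Added example, not code from the post or from NHTSA.  It assumes (an
assumption, since the post names no bus or format) that the vehicle logs
CAN frames as lines of the form "<seconds> <hex id> <hex payload>".
"""
from collections import defaultdict
from statistics import median


def build_sample_log():
    """Constructed log: 3 s of normal traffic on two IDs, a 40-frame burst
    of 0x0C4 at 2.000-2.039 s, and one frame with an ID never seen before."""
    frames = [(ms, "0C4", "0000") for ms in range(0, 3000, 10)]    # every 10 ms
    frames += [(ms, "1A0", "FF00") for ms in range(0, 3000, 100)]  # every 100 ms
    frames += [(2000 + i, "0C4", "DEAD") for i in range(40)]       # injected burst
    frames.append((2600, "3FF", "0102"))                            # unknown ID
    frames.sort()
    return "\n".join(f"{ms / 1000:.3f} {cid} {payload}" for ms, cid, payload in frames)


def parse_log(text):
    """Parse log lines into time-ordered (millisecond, id, payload) tuples."""
    frames = []
    for line in text.strip().splitlines():
        ts, cid, payload = line.split()
        frames.append((int(round(float(ts) * 1000)), int(cid, 16), payload))
    frames.sort()
    return frames


def learn_baseline(frames, train_end_ms):
    """Median inter-arrival gap (ms) per ID, learned from frames before
    train_end_ms.  Periodic ECU traffic makes this a stable baseline."""
    last, gaps = {}, defaultdict(list)
    for ms, cid, _ in frames:
        if ms >= train_end_ms:
            break
        if cid in last:
            gaps[cid].append(ms - last[cid])
        last[cid] = ms
    return {cid: median(g) for cid, g in gaps.items()}


def detect_bursts(frames, baseline, window_ms=500, factor=1.5):
    """Count frames per ID per window; report an ID whose count exceeds
    factor * expected, or an ID absent from the baseline.
    Returns (window_start_ms, id, observed, expected) tuples."""
    buckets = defaultdict(lambda: defaultdict(int))
    for ms, cid, _ in frames:
        buckets[ms // window_ms][cid] += 1
    alerts = []
    for b in sorted(buckets):
        for cid, observed in sorted(buckets[b].items()):
            expected = window_ms / baseline[cid] if cid in baseline else 0.0
            if cid not in baseline or observed > factor * expected:
                alerts.append((b * window_ms, cid, observed, expected))
    return alerts


def run_demo():
    """Train on the first second of the constructed log, then scan all of it."""
    frames = parse_log(build_sample_log())
    baseline = learn_baseline(frames, train_end_ms=1000)
    return detect_bursts(frames, baseline)


if __name__ == "__main__":
    for start, cid, observed, expected in run_demo():
        print(f"t={start / 1000:.1f}s id=0x{cid:03X} observed={observed} expected={expected:.0f}")
```

The training window must be taken from traffic believed to be clean, and the threshold factor trades false positives from normal jitter against missed low-rate injections; both are the kind of tuning a logging requirement makes possible, because without recorded frames there is nothing to baseline or to alert on.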
Once a vulnerability or hack is discovered and recorded, the guidance asks car makers to share that information with their competitors through the Auto ISAC. NHTSA even recommends that rule-making be considered to require documentation and reporting of the "test and evaluation process and methods used," made available not just for government purposes but for public use as well.
Automated vehicles will become a huge benefit to society by reducing traffic accidents and fatalities, lowering emissions, easing traffic congestion and increasing mobility for the elderly or infirm. But these benefits can be derailed and delayed by poor cybersecurity execution. If automakers follow the Feds' guidance, they will at least be taking an excellent first step toward creating a more secure automated vehicle.
Blog originally posted September 23, 2016 on blog.securityinnovation.com