At the Automated Vehicles Symposium (AVS) 2017, I gave a plenary talk to the ~1,500 attendees, stating that even though cybersecurity is unanimously considered paramount, it is still an afterthought. Or at least it still feels like it. Indeed, in the last two AVS editions, the cybersecurity breakout session reported similar open challenges, but no real changes have been seen since. To move the security needle, we took a different approach and didn't organize a cybersecurity breakout session. Instead, we identified that the missing component was input from the community of experts. To be able to build a more resilient system, cybersecurity experts should know about the limitations of each subsystem and the possible "nightmare scenarios".
To kick off the discussion, we developed questions for each of the 25 breakout sessions (see http://www.automatedvehiclessymposium.org/program/2017-speakers/jpetit). Attendees could read and ponder the questions before sharing their thoughts with us in the breakout sessions.
We received the following inputs from participants:
1. Human Factors:
Some people ignore security patches, making their vehicles vulnerable to attacks. If updates are not installed at a time when the vehicle is not in operation, the installation is likely not to happen at all, leaving the vehicle vulnerable. But while not installing a patch on a desktop compromises information, not installing a patch on a vehicle could lead to the vehicle failing to operate properly, putting the driver and other road users in danger. This problem is even greater in autonomous vehicles.
2. Public transportation:
Attendees focused on public transportation systems voiced several concerns. They were worried about potential end-user vulnerabilities to financial attack through false delivery of service. They wondered how third-party organizations could provide accurate “ground-truthing” data for the public transportation infrastructure. And they wanted advice on how public transportation could incentivize proactive penetration/security testing by the white hat hacker community.
3. Sensor fusion:
One participant proposed a robust sensor fusion technique in which two parallel encrypted systems fuse sensor data with two different algorithms that should output the same result. Any inconsistencies between the two sensor fusion systems would trigger an alert that the system might have been compromised. Another approach is to use two sets of sensors that use different technology and compensating features in order to detect attacks on sensors.
4. Automated heavy vehicles:
Truck makers are very concerned about the impact of attacks. One respondent said, “If semi-autonomous trucks can be hacked enough to stop them, a road could be blocked, a city disrupted, or the economy shut down. More even than cars, trucks pose a big threat.”
5. Actuators security:
“The real danger for autonomous vehicles does not come from the sensor data, but from all the actuators that are accessible from the car's computers,” voiced one engineer. “However, there may be simple ways to harden them against hacking. For example, before putting any actuator into automated mode, check the state of the HMI and a recent history of driver inputs to it.”
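The cross-check proposed under item 3 (sensor fusion) can be sketched as follows. This is an added example, not code from the symposium or any participant: the two algorithms (inverse-variance weighted mean and median), the sensor labels, the 0.5 m tolerance and the sample frames are all assumptions, and the encryption of the two pipelines is not modelled.

```python
"""Cross-check of two independent sensor-fusion algorithms (added example)."""
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Reading:
    sensor: str      # hypothetical sensor label
    range_m: float   # measured distance to the same object, metres
    sigma_m: float   # sensor's nominal standard deviation, metres


def fuse_weighted(readings):
    """Algorithm A: inverse-variance weighted mean of the ranges."""
    weights = [1.0 / (r.sigma_m ** 2) for r in readings]
    return sum(w * r.range_m for w, r in zip(weights, readings)) / sum(weights)


def fuse_median(readings):
    """Algorithm B: plain median, which ignores the claimed sigmas."""
    return median(r.range_m for r in readings)


def cross_check(readings, tolerance_m=0.5):
    """Run both algorithms on one frame; alert when their outputs disagree."""
    if len(readings) < 3:
        raise ValueError("need at least three readings to cross-check")
    a, b = fuse_weighted(readings), fuse_median(readings)
    return {"weighted": a, "median": b, "alert": abs(a - b) > tolerance_m}


# Constructed sample frames (not real vehicle data).
CLEAN = [Reading("lidar", 25.1, 0.1), Reading("radar", 24.8, 0.3),
         Reading("camera", 25.6, 0.8)]
# Same frame, but the lidar channel reports a false range.
TAMPERED = [Reading("lidar", 12.0, 0.1), Reading("radar", 24.8, 0.3),
            Reading("camera", 25.6, 0.8)]

if __name__ == "__main__":
    for name, frame in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(name, cross_check(frame))
```

The check only flags faults that the two algorithms react to differently; a consistent shift across all inputs passes both, which is the gap the second proposal (two sets of sensors built on different technology) is meant to cover.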
After I gave the summary report, one attendee from the trucking industry shared his nightmare scenario. Imagine that it is 6 AM on a busy urban highway. Hackers cause a fleet of trucks to crash into each other, blocking the highway for an extended period of time as authorities untangle the wreckage. The entire time, news reports broadcast the wreckage and resulting traffic disruption with the name of his company prominently displayed for the world to see. This is exactly what the call for input was about! From his example, we learn that the timing component is important, and so is the impact on branding. This helps us frame a realistic attacker model to improve the risk assessment.