With a chill in the air, I set off for San Francisco, largely enabled by software applications. I reserved my hotel, booked my flight and summoned my on-demand car service with a variety of apps. And then I saw an autonomous vehicle slowing to a stop at a traffic light, turn signal blinking and lidar emitter twirling, with a driver sipping coffee and eating a pastry behind the wheel, and realized I was observing the natural extension of the software-enabled trek I’d just completed to the 2017 Automotive Cybersecurity Summit.
A Dialogue for Securing Connected Cars
The event brought together players from across the automotive supply chain. Tier 1 and Tier 2 providers were conversing with big-name OEMs, exploring new topics, trends, and technologies advancing the world of connected cars. This event provided a glimpse inside the next steps as this evolving industry tackles cybersecurity in connected cars.
Safety Is Priority One for OEMs
There was a strong turnout from teams working on intelligent braking and stability control systems, all hoping to learn more about technologies and partnerships intended to safeguard passengers. These critical systems are essential for connected, semi-autonomous, and autonomous vehicles to be trusted on the roads. These safety and performance systems rely heavily on software and computer systems to calculate responses and communicate with other vehicle components. Teams working in this area recognize the implications of a system failure or malicious attack and used this summit as an opportunity to evolve their cybersecurity toolkit.
I found the sessions about V2X (vehicle-to-everything) communications especially engaging. It's one thing to have a connected car operate in a silo and another to have each vehicle’s decisions, intentions, and actions be communicated to the world around it, enabling other vehicles to make educated calculations based on the new information. Major players are beginning to extend their definition of "safety" to incorporate responsibility for the world around the vehicle.
Cybersecurity Has Automotive Tech Vendors Scrambling
As you’d expect from the title of the conference, automotive cybersecurity tied everything at the conference together. But the type of cybersecurity the industry plans to prioritize is still up for debate.
Many argued that preventing a Jeep-style hack of the electronic control unit (ECU) and controller area network (CAN) bus is the priority, to keep vehicles from being remotely manipulated and to keep the people inside them from being stolen along with the vehicle. Others focused on sensitive driver data stored within, and transmitted by, the vehicle’s infotainment and communications systems. Some focused on aftermarket security overlaid on top of connected vehicle systems, while others insisted that security by design with secure software development was essential to reducing the attack surface. A significant days-long discussion even developed around methods for mitigating data spoofing, as attackers seek to affect vehicle performance and system calculations at the data level.
Regardless, all agreed that enhanced cybersecurity in connected cars is necessary. The industry just needs to figure out how to pull together in the tug-of-war against malicious actors.
Are Regulations Playing Catch-up?
There’s little regulation for cybersecurity practices in the automotive industry today. In general, the established requirements for quality control and recalls that apply to physical components in vehicles don't necessarily extend to software components. Who is responsible for lost data, compromised vehicle functionality, or even injury and loss of life? What part of the automotive supply chain should be regulated, and how?
Do we need federal requirements, or state? Do regulations depend on the type of vehicle, the level of automation, its purpose, or where the vehicle will be driving? Do we need enforceable regulation and law, or simply best practices and guidance? With contributions from the NHTSA and the fledgling Auto-ISAC, I participated in some discussions, but the road to consensus is likely to be a long one.
Existing regulations, such as the EU General Data Protection Regulation (GDPR), compel security by design and penalize all players in the supply chain for any breach of EU citizen data. While GDPR doesn’t spell out automotive manufacturing requirements and the role of software cybersecurity, the implications of vulnerabilities in critical vehicle components are clear.
Application Security in Connected Cars Is a Constant
Despite the debate surrounding the approach to cybersecurity, the regulation of it, and the key players in its evolution, the conversations and sessions at the Automotive Cybersecurity Summit corroborated one truth: vulnerabilities in software, applications, and embedded technologies are the most easily accessible entry point for an attacker, and the most prominent threat to automotive cybersecurity.
With open source comprising a significant portion of the software deployed in today’s vehicles (and promising heavier influence in the vehicles yet to come), it’s clear that automated open source risk management will play an integral role in protecting connected cars, safeguarding sensitive data, and even saving lives. If we’re all looking to sip coffee and eat pastries while waiting for the light to turn green, we need to be sure that our connected car is safe and secure.