Caroline Wong, Vice President, Security Strategy, Cobalt.io
Women in Security and Privacy (WISP) and KPMG recently hosted the “Maximum Overdrive: A Discussion on Self Driving Vehicles” event featuring a stellar panel of top tech, cyber, and automotive leaders. In an environment of rapidly changing regulatory requirements, industry standards, media coverage, and consumer trust, these experts helped to shed some light on what’s actually going on right now and what to expect in the future.
Sarah Pipes, Manager of Cyber Strategy and Governance at KPMG, kicked off the discussion by sharing a story of parking her own car in Brussels while working there on rotation - to the amusement of her local friend who has become used to everyone around her using their intelligent parking assist systems (IPAS).
Perception versus reality
Michelle Avary, Vice President of Automotive Products & Strategy at Aeris Communications and founder of Women in Automotive in Technology, set the stage by explaining SAE International’s Levels of Automation for Defining Driving Automation in On-Road Motor Vehicles. There are five levels of automation, starting at Level 0 (No Automation) and going up to Level 5 (Full Automation). One example of Level 2 automation is autonomous parking technology, as featured on The Oprah Winfrey Show in 2006. This is the same level of automation that Sarah’s friend in Brussels uses.
The problem with the SAE system is that the levels lead many to assume that driving automation is linear, and that’s not true. Uber's Steffi Bryson says that’s actually an inappropriate way to look at it. The linear frame of mind makes people think that a fully autonomous car will be on the market in the next 5-10 years, and that’s probably not what’s going to happen. Mobility as a service is much more likely to become part of the average person’s day-to-day experience (particularly if you live in certain cities). The most common question that Steffi gets is, “What happens when all the cars turn left at the same time?” This is, of course, a highly unlikely scenario and doesn’t represent the best starting point for a fruitful conversation. Chenxi Wang, founder of the Jane Bond Project, points out that “Humans make mistakes too. In some scenarios, machines are actually smarter.”
What are the risks?
The 2015 Jeep Cherokee hack exposed vulnerabilities in already existing and deployed cars. Bryson says, “We’re not talking about technology that’s going to be developed in the future. This applies to the cars people drive today.”
While the highly publicized story generated a fear in the public that Bryson argues has been associated with self-driving cars in a way that’s not accurate, everyone on the panel seemed to agree that the industry as a whole did learn lessons from the demonstration and has since adopted more security best practices. In August 2015, the Auto-ISAC was formed by automakers to establish a global information sharing community to address vehicle cybersecurity risks.
Whether we’re talking GPS routing, infotainment, or safety-critical systems, things don’t really become interesting until there’s connectivity involved. Consumers love connectivity. Wang warns, “Connectivity is orthogonal to autonomy. For security discussions you need to take that into consideration.” Wang believes that the most common risk does not actually lie in remote attacks, but rather in the integrity of the automotive software and the software supply chain controls that may or may not be in place. Just as cars source physical parts from different suppliers, software is often composed of many different third-party components. “How do you know that the manufacturer who gave you this piece of software actually did their job in proper vulnerability management, security updates, etc.? All of that becomes a security risk.”
Hypothetically speaking, consider a scenario where a group of company executives is being transported in a self-driving car. This presents a potential opportunity for that company’s competitor to conduct a denial-of-service (DoS) attack on the car in order to cause those execs to be late to an important meeting, or worse.
As in every type of consumer software, there’s often a trade-off between ease of use and security. What happens when your car asks you if you want to install a software update? Do you choose to do it now or later? Hopefully you pick a time when the car is not moving. The slower, more expensive option would be to drive the car to the dealership every time you need a software update installed.
Avary adds, “You’ll never get the software right the first time. You can [and will have to] patch it later.” Over-the-air updates from car manufacturers present an interesting case. A car’s electronic control unit ultimately decides if a new software update is trusted or not. It is critically important that access to the keys controlling new software updates is appropriately restricted and that those keys do not make their way into the hands of a malicious individual or group. The scariest piece of the puzzle here is not the technology, it’s the human who controls it.
How to secure autonomous vehicles
As with any software product, the best approach to reducing the risk of software-connected vehicles and vehicular systems is to assess and monitor during the product development lifecycle. “Are you doing pen testing? Are you bringing in outside experts to look at and assess the security before the system or vehicle is released to the public?” Wang asks. “To a security person, these things are common sense.” Monitoring to track software patterns and anomalies is also an important component of ensuring the security of automotive software while it’s in operation.
Another key security principle is to shut down access where it’s not absolutely necessary. One of the main vulnerabilities exploited in the Jeep hack was an open port on the Harman Uconnect system. “It was left open to allow access for testing, and should have been closed,” Avary mentioned. The Harman system contained the ability to communicate over Sprint’s cellular network, and the hack leveraged vulnerabilities existing on the wireless network that should also have been locked down.
Wang stresses the importance of the zero trust principle - “Just because this communication came from the system right next to you, treat it as a suspicious internet connection.” She recommends that vehicle technology makers vet and authenticate connections with the same security controls in place that are required for dealing with an untrusted internet connection.
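The receiver-side check that this zero trust principle implies, as an added example that is not from the panel or from any vendor's code: a unit accepts a message from a neighbouring unit only if it carries a valid per-sender MAC and a counter newer than the last one accepted. The frame layout, `MAC_LEN`, the key, and the names `build_frame` and `AuthenticatedReceiver` are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

MAC_LEN = 8      # truncated tag length in bytes (assumed for this sketch)
HEADER_LEN = 5   # 1-byte sender id + 4-byte big-endian counter (assumed layout)


def _tag(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]


def build_frame(sender_id: int, counter: int, payload: bytes, key: bytes) -> bytes:
    """Sender side: header || payload || truncated HMAC over header and payload."""
    body = bytes([sender_id]) + struct.pack(">I", counter) + payload
    return body + _tag(key, body)


class AuthenticatedReceiver:
    """Treats every frame as untrusted, even one from an adjacent unit."""

    def __init__(self, keys: dict):
        # keys maps sender id -> secret shared with that one sender only
        self._keys = dict(keys)
        self._last_counter = {}

    def accept(self, frame: bytes):
        """Return (sender_id, payload) if authentic and fresh, otherwise None."""
        if len(frame) < HEADER_LEN + MAC_LEN:
            return None                      # malformed or truncated
        sender_id = frame[0]
        (counter,) = struct.unpack(">I", frame[1:HEADER_LEN])
        body, tag = frame[:-MAC_LEN], frame[-MAC_LEN:]
        key = self._keys.get(sender_id)
        if key is None:
            return None                      # unknown sender: no implicit trust
        if not hmac.compare_digest(_tag(key, body), tag):
            return None                      # forged or modified in transit
        if counter <= self._last_counter.get(sender_id, -1):
            return None                      # replay of an earlier valid frame
        self._last_counter[sender_id] = counter
        return sender_id, body[HEADER_LEN:]


# Constructed sample key, for demonstration only
DEMO_KEY = bytes(range(32))
```

Rejected frames leave the stored counter untouched, so a burst of forged traffic cannot lock out the legitimate sender.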
What do we have to look forward to?
“The first time you experience an autonomous vehicle probably won’t be when you buy it,” insists Bryson. The cars we see on the road right now are not non-autonomous; they are not completely manual. Many of them already have capabilities that are connected, semi-autonomous, or assisted. Lane assist, parking assist, collision warning and avoidance systems, anti-lock brakes, cruise control - all of these features are widely available in cars right now.
Individuals who do not own a car will be able to get around a lot easier with the help of autonomous vehicles. Mobility services will especially benefit the elderly and the disabled. Car ownership is expected to decrease. “A lot of people won’t own cars anymore,” says Bryson. “Today, a privately owned vehicle costs about $1.60 per mile. That cost is expected to drop to $0.08 per mile for shared mobility as a service.”