Security should be baked into autonomous and connected vehicles from the start, technologists said Wednesday during a panel discussion at the Global Cities Teams Challenges Super Action Cluster Summit.
The group of vendor representatives, researchers and government policymakers noted the danger of not considering cybersecurity from the earliest stages of planning and deploying vehicle networks as part of today’s smart city efforts.
Email was initially created without security in mind and we’ve paid for it ever since by continually bolting fixes onto it, said Isaac Potoczny-Jones, research lead at Galois. But the complexity of connected vehicle systems has created pushback on the issue of cybersecurity, he noted.
“Innovative areas like this have a real challenge in baking nonfunctional requirements like cybersecurity into the basis of their systems,” Potoczny-Jones said. “But just because there’s no value today in attackers targeting these systems that there won’t be value tomorrow. We don’t know what we’re up against tomorrow. Things change. They will start to target these systems.”
The auto industry first started taking security seriously in 2015, when Chrysler recalled 1.4 million vehicles equipped with Uconnect dashboard computers following a feature in Wired showing how two hackers were able to remotely disable a Jeep on the highway.
Connected vehicle developers should think of cybersecurity, usability and privacy as foundations upon which the technology is built, Potoczny-Jones said.
“Cars are really hard to secure to begin with. It’s a system of systems,” said Lorie Wigle, general manager of IoT Security Solutions at Intel, adding that just one weak link in the chain could bring the whole thing down.
“The supply chain piece is incredibly important here,” she said. “So many of the subsystems come as integrated wholes from the supply chain and so again there’s a really strong requirement for the car maker to be looking at supply chain security and how those pieces are coming in in a secure fashion and integrated together in a good way.”
The development timeline favors attackers, she said. Once these components are created, they remain on the market for a long time — technologists need to operationalize security.
“It’s not good enough that the car have security when it ships because five years later, the threats can evolve beyond what we can even imagine right now and we need a way to keep the security current,” Wigle said. “The more connectivity we build in, the more automation we build in, the greater the attack surface is.”
At Intel, Wigle noted they’re looking to build security safeguards into their hardware.
At these early stages, government, too, can play a crucial role in reporting security issues, said Sean Docken, a chief technical analyst of the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) at the U.S. Department of Homeland Security.
DHS operates a program called Protected Critical Infrastructure Information (PCII) that allows agencies to temporarily shield information about their systems from Freedom of Information Act Requests and regulator requests when a security incident arises.
“It allows us to help you protect that information so we can help you fix it,” Docken said.
In 2016, Docken reported DHS received 14 PCII incident reports related to transportation. Most of the 290 reports received that year were related to the highly-regulated energy sector because those agencies are required to report incidents when they arise, he noted, but the department expects this number to grow as these systems are developed.
ICS-CERT provides resources to help governments procuring smart city technology, including boilerplate contract language, free online training and assessments, and technical documents.
“That’s about it for me,” said Docken, wrapping up his presentation. “The only other thing I would say is, if you’re going to do your research with cars and you want to do hacking attempts on them, please don’t do it on a live highway.”