August 2, 2018

As technology becomes increasingly coupled with personal and commercial vehicles, cyber security concerns have increased among the general public, OEMs, and policy makers.  On July 24^th, The Wilson Center brought together experts in the field for a panel on Security and The Connected Vehicle, which covered connected vehicle (CV) and automated vehicle (AV) cyber security. The event highlighted the lack of preparedness of the auto industry to protect against cyber attacks, the inevitable insecurity of AV technology, and the importance of maintaining focus on this critical element of new mobility options.

The panel of industry professionals stressed the lack of preparedness to mitigate hacking threats, grouping security in two main issues of 1) securing vehicles, and 2) securing fleets. Government now needs to find the appropriate way to manage cyber security, which will prove to be a challenging balancing act.

Vehicles with connective technology such as remote communication capabilities and self-parking features have been on the road for many years with little attention or concern raised about cybersecurity issues. According to the Wilson Center event panelists, this means that many vehicles on the road are vulnerable to both in-vehicle and remote hacking.  The lack of public awareness also leads to consumers failing to take precaution.  Setting up personal profiles in a vehicle’s system, connecting personal devices such as mobile phones, and connecting to other vehicles and infrastructure add avenues for someone to access potentially personal data.  Failing to wipe activity when returning a rental car or selling a personal vehicle creates additional avenues for personal data breaches.

Cybersecurity must be addressed by OEMs with direction and oversight from the public and policy makers. In 2015, automakers finally organized in response to a 1998 Presidential Policy Directive aimed at protecting cyber-supported systems and formed the Auto-ISAC– the Information Sharing and Analysis Center (ISAC) for automakers.  At the Wilson Center event, Faye Francy of Auto-ISAC explained the rapid growth of the coalition from 14 founding members to about 47 current members in 2018, and the growing acceptance of OEMs to share information and crowd source mitigation techniques across the membership. Panelists said communication and collaborations between hacker communities is so robust that the industry must also learn to share and work together in order to counter attacks.

Policy-makers must be aware of the needs and risks for cybersecurity oversight with both existing and future vehicles on the market and using public roads for testing. While over regulating could decrease security, ignoring the problem completely will lead to potentially catastrophic situations. Developing policies to hold OEMs responsible for a certain amount of security on public roads thus presents a tricky juxtaposition. The more requirements or restriction posed, the more the public can understand and trust AV cybersecurity, but hackers will have the same information, giving them a jump-start. Even a performance-based approach presents additional risk by adding a gamification element to vehicle hacking. Instead, policymakers could impose limited liability policies to put hardware and software companies on the hook in cases of negligence could provide incentive, while leaving the specifics of the architecture vague.

The industry still has not fully addressed countless security risks in existing fleets that include CVs. Meanwhile, technology is moving forward and companies are already testing AVs, also equipped with CV technologies, on public roads. States and localities are developing their own policies for AV operation. Those policies along with impending federal legislation have opened up conversation about CV and AV cybersecurity as evidenced by the Wilson Center event. The differences between security for the two technologies lies not only in the fact that CVs are already on the market and security is surprisingly low while highly automated vehicles are still years out from fleet penetration, but also that the supply chain for the two technologies differs so substantially that methods and challenges to protecting vehicles from malicious or hobby hackers vary greatly.

The panel agreed that hackers will always be able to stay a step ahead of OEMs and software developers. As such, the goal must be to minimize the time it takes for companies to identify and fix security breaches. Hacked vehicles could pose significant risk to all road users given the potential to use a vehicle as a deadly weapon. It is up to OEMs, consumers, and policy makers to prioritize cyber security early on to maximize AV safety.