Tuesday, November 08, 2016

Autonomous Vehicles Cybersecurity Best Practices

Elon Musk, the founder of Tesla Cars, predicts that in two years there will be fully autonomous vehicles on the roads. What does “fully autonomous” actually mean? Are some aspects of car operation already autonomous? 
The National Highway Traffic Safety Administration (“NHTSA”) of the U.S.A. published a Preliminary Statement of Policy Concerning Automated Vehicles on May 30, 2013. The NHTSA defines vehicle automation as having five levels:
- No-Automation (Level 0): The driver is in complete and sole control of the primary vehicle controls – brake, steering, throttle, and motive power – at all times.
- Function-specific Automation (Level 1): Automation at this level involves one or more specific control functions. Examples include electronic stability control or pre-charged brakes, where the vehicle automatically assists with braking to enable the driver to regain control of the vehicle or stop faster than possible by acting alone.
- Combined Function Automation (Level 2): This level involves automation of at least two primary control functions designed to work in unison to relieve the driver of control of those functions. An example of combined functions enabling a Level 2 system is adaptive cruise control in combination with lane centering.
- Limited Self-Driving Automation (Level 3): Vehicles at this level of automation enable the driver to cede full control of all safety-critical functions under certain traffic or environmental conditions and in those conditions to rely heavily on the vehicle to monitor for changes in those conditions requiring transition back to driver control. The driver is expected to be available for occasional control, but with sufficiently comfortable transition time. The Google car is an example of limited self-driving automation.
- Full Self-Driving Automation (Level 4): The vehicle is designed to perform all safety-critical driving functions and monitor roadway conditions for an entire trip. Such a design anticipates that the driver will provide destination or navigation input, but is not expected to be available for control at any time during the trip. This includes both occupied and unoccupied vehicles.
A joint policy update to the Preliminary Statement noted above was issued by the Department of Transportation and the NHTSA in 2016. (*1) The key aspect of the update was the following: 
DOT and NHTSA policy is to facilitate and encourage wherever possible the development and deployment of technologies with the potential to save lives. To that end, NHTSA will use all available tools to determine the safety potential of new technologies; to eliminate obstacles that would prevent or delay technology innovations from realizing that safety potential; and to work with industry, governmental partners at all levels, and other stakeholders to develop or encourage new technologies and accelerate their adoption where appropriate. 
The rapid development of emerging automation technologies means that partially and fully automated vehicles are nearing the point at which widespread deployment is feasible. Essential to the safe deployment of such vehicles is a rigorous testing regime that provides sufficient data to determine safety performance and help policymakers at all levels make informed decisions about deployment. Industry plays a key role in this process by both conducting such testing and in providing data that establish the safety benefits of automation technologies that exceed the current level of roadway safety. Within six months, NHTSA will propose best-practice guidance to industry on establishing principles of safe operation for fully autonomous vehicles (vehicles at Level 4 on the scale established in NHTSA’s 2013 preliminary policy statement).
Some of the most significant concerns with autonomous vehicles are cybersecurity and privacy protection. In July of 2014, a group of U.S. automakers created the Auto Information Sharing and Analysis Centre (“AISAC”). The aim is for its members to identify and share information about threats and vulnerabilities regarding connected vehicles, to analyze those threats and vulnerabilities, and to come up with solutions. Connected vehicles already exist today in some form of Level 2 on the scale established in NHTSA’s 2013 preliminary policy statement, and researchers have recently demonstrated that cybersecurity is already a primary concern in some of today’s vehicles. In 2015, researchers demonstrated “how attackers could take complete remote control of a 2014 Jeep Cherokee’s braking, steering, and other critical systems from 10 miles away while the vehicle was traveling at 70 miles per hour. The exploit resulted in Chrysler recalling some 1.4 million vehicles so it could mitigate the vulnerability exploited by the researchers for the demo.” (*2)
On July 21, 2016, AISAC published its executive summary Automotive Cybersecurity Best Practices. It is an update on its Framework for Automotive Cybersecurity Best Practices, published in January 2016 by the Alliance of Automobile Manufacturers and the Association of Global Automakers. The following topics are covered:
Governance
- Define executive oversight for product security.
- Functionally align the organization to address vehicle cybersecurity, with defined roles and responsibilities across the organization.
- Communicate oversight responsibility to all appropriate internal stakeholders.
- Dedicate appropriate resources to cybersecurity activities across the enterprise.
- Establish governance processes to ensure compliance with regulations, internal policies, and external commitments.

Risk Assessment and Management
- Establish standardized processes to identify, measure, and prioritize sources of cybersecurity risk.
- Establish a decision process to manage identified risks.
- Document a process for reporting and communicating risks to appropriate stakeholders.
- Monitor and evaluate changes in identified risks as part of a risk assessment feedback loop.
- Include the supply chain in risk assessments.
- Establish a process to confirm compliance by critical suppliers to verify security requirements, guidelines, and trainings.
- Include a risk assessment in the initial vehicle development stage, and reevaluate at each stage of the vehicle lifecycle.

Security by Design
- Consider commensurate security risks early on and at key stages in the design process.
- Identify and address potential threats and attack targets in the design process.
- Consider and understand appropriate methods of attack surface reduction.
- Layer cybersecurity defenses to achieve defense-in-depth.
- Identify trust boundaries and protect them using security controls.
- Include security design reviews in the development process.
- Emphasize secure connections to, from, and within the vehicle.
- Limit network interactions and help ensure appropriate separation of environments.
- Test hardware and software to evaluate product integrity and security as part of component testing.
- Perform software-level vulnerability testing, including software unit and integration testing.
- Test and validate security systems at the vehicle level.
- Authenticate and validate all software updates, regardless of the update method.
- Consider data privacy risks and requirements in accordance with the Consumer Privacy Protection Principles for Vehicle Technologies and Services.
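The item “Authenticate and validate all software updates, regardless of the update method” is the one practice in this list that maps directly onto code, and it is also where the trust-boundary item bites: the update path crosses from the manufacturer’s back end, over a telematics or USB channel, into an ECU. The following is an added example, not code from the original post or from Auto-ISAC, showing what an ECU-side verifier has to check before accepting an update: the signature on the update manifest, that the manifest is for this component, that the version is not a rollback, and that the delivered payload matches the signed digest. Everything here is constructed for illustration: the target name `brake-ecu`, the versions and the firmware bytes are made up, and the HMAC key stands in for the asymmetric public key a real ECU would pin (the signing half of which would live in the manufacturer’s HSM); HMAC is used only so the example runs with the Python standard library.

```python
import hashlib
import hmac
import json
from typing import Tuple

# Constructed demo key. A production design pins an asymmetric public key in
# the ECU and keeps the private signing key in an HSM; a shared HMAC key is
# used here only so the example is self-contained.
SIGNING_KEY = b"demo-shared-key-not-for-production"


def payload_digest(payload: bytes) -> str:
    """SHA-256 of the firmware image, as hex."""
    return hashlib.sha256(payload).hexdigest()


def canonical_manifest(manifest: dict) -> bytes:
    """Serialize the manifest deterministically so signer and verifier
    authenticate the identical byte sequence."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_update(target: str, version: int, payload: bytes,
                key: bytes = SIGNING_KEY) -> dict:
    """Back-end side: bind target, version and payload digest into a signed
    manifest. The payload itself travels separately (any transport)."""
    manifest = {"target": target, "version": version,
                "sha256": payload_digest(payload)}
    signature = hmac.new(key, canonical_manifest(manifest),
                         hashlib.sha256).hexdigest()
    return {"manifest": manifest, "signature": signature}


def verify_update(package: dict, payload: bytes, expected_target: str,
                  installed_version: int,
                  key: bytes = SIGNING_KEY) -> Tuple[bool, str]:
    """ECU side: every check must pass before the image is written.
    Returns (accepted, reason)."""
    manifest = package.get("manifest", {})
    signature = package.get("signature", "")

    # 1. Signature over the manifest, compared in constant time.
    expected = hmac.new(key, canonical_manifest(manifest),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        return False, "manifest signature invalid"

    # 2. The manifest must be for this component, not another ECU.
    if manifest.get("target") != expected_target:
        return False, "manifest is for a different target"

    # 3. Anti-rollback: a validly signed but older image is still rejected.
    version = manifest.get("version")
    if not isinstance(version, int) or version <= installed_version:
        return False, "version not newer than installed (rollback rejected)"

    # 4. The delivered payload must match the digest that was signed.
    if not hmac.compare_digest(payload_digest(payload),
                               manifest.get("sha256", "")):
        return False, "payload digest mismatch"

    return True, "ok"


def run_demo() -> dict:
    """Exercise the verifier against a good package and four bad ones."""
    installed = 5
    good = sign_update("brake-ecu", 6, b"constructed-firmware-v6")
    tampered_manifest = {"manifest": dict(good["manifest"], version=99),
                         "signature": good["signature"]}
    rollback = sign_update("brake-ecu", 3, b"constructed-firmware-v3")
    return {
        "good": verify_update(good, b"constructed-firmware-v6", "brake-ecu", installed),
        "tampered_payload": verify_update(good, b"constructed-firmware-v6-evil", "brake-ecu", installed),
        "tampered_manifest": verify_update(tampered_manifest, b"constructed-firmware-v6", "brake-ecu", installed),
        "rollback": verify_update(rollback, b"constructed-firmware-v3", "brake-ecu", installed),
        "wrong_target": verify_update(good, b"constructed-firmware-v6", "infotainment", installed),
    }


if __name__ == "__main__":
    for case, (accepted, reason) in run_demo().items():
        print(f"{case:18s} accepted={accepted} ({reason})")
```

The order of the checks is deliberate: the signature is verified first so that no unauthenticated field (target, version, digest) influences any later decision, and the version comparison is done against a monotonic counter the ECU keeps, which is what prevents an attacker from replaying an older, genuinely signed image that contains a known bug. The “regardless of the update method” wording in the practice is honoured by the fact that nothing in the verifier depends on how the bytes arrived.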

Threat Detection and Protection
- Assess risk and disposition of identified threats and vulnerabilities using a defined process consistent with overall risk management procedures.
- Inform risk-based decisions with threat monitoring to reduce enterprise risk by understanding and anticipating current and emerging threats.
- Identify threats and vulnerabilities through various means, including routine scanning and testing of the highest risk areas.
- Support anomaly detection for vehicle operations systems, vehicle services, and other connected functions, with considerations for privacy.
- Outline how the organization manages vulnerability disclosure from external parties.
- Report threats and vulnerabilities to appropriate third parties based on internal processes.

Incident Response and Recovery
- Document the incident response lifecycle, from identification and containment through remediation and recovery.
- Ensure an incident response team is in place to coordinate an enterprise-wide response to a vehicle cyber incident.
- Perform periodic testing and incident simulations to promote incident response team preparation.
- Identify and validate where in the vehicle an incident originated.
- Determine actual and potential fleet wide impact of a vehicle cyber incident.
- Contain an incident to eliminate or lessen its severity.
- Promote timely and appropriate action to remediate a vehicle cyber incident.
- Restore standard vehicle functionality and enterprise operations; address long-term implications of a vehicle cyber incident.
- Notify appropriate internal and external stakeholders of a vehicle cyber incident.
- Improve incident response plans over time based on lessons learned.

Training and Awareness
- Establish training programs for internal stakeholders across the motor vehicle ecosystem.
- Include IT, mobile, and vehicle-specific cybersecurity awareness.
- Educate employees on security awareness, roles, and responsibilities.
- Tailor training and awareness programs to roles.

Collaboration and Engagement with Appropriate Third Parties
- Review information and data using a standardized classification process before release to third parties.
- Engage with industry bodies, such as the Auto-ISAC, Auto Alliance, Global Automakers, and others.
- Engage with governmental bodies, including the National Highway Traffic Safety Administration, NIST, Department of Homeland Security, United States Computer Emergency Readiness Team, Federal Bureau of Investigation, and others.
- Engage with academic institutions and cybersecurity researchers, who serve as an additional resource on threat identification and mitigation.
- Form partnerships and collaborative agreements to enhance vehicle cybersecurity.

A number of issues and questions arise from this best practices guide:
1. The practices are not mandatory and there is no mechanism for enforceability.
2. What is the cost of implementing the best practices and will the auto makers voluntarily incur these costs? 
3. There is no timeline for implementation. 
4. If the best practices are implemented in the U.S., will auto makers voluntarily implement the practices in Canada and comply with existing Canadian laws? 
5. Will foreign automobile manufacturers follow suit?


Endnotes
(*1) www.nhtsa.gov/staticfiles/rulemaking/pdf/Autonomous-Vehicles-Policy-Update-2016.pdf
(*2) http://www.darkreading.com/vulnerabilities---threats/auto-industry-isac-releases-best-practices-for-connected-vehicle-cybersecurity/d/d-id/1326347