The future of cybersecurity for autonomous vehicles
Autonomous vehicles could radically improve the safety of our roadways, reducing automobile deaths by the tens of thousands, if not millions every year. Traffic congestion could be a thing of the past. Access for children, the elderly, and those with disabilities could be improved. Fuel efficiency could reduce carbon emissions by as much as 300 million tons per year.
Perhaps one day it will become almost unfathomable to imagine that humans once drove their own vehicles, without the assistance of AI (artificial intelligence) or robots. We’ll wonder how we survived a world where nearly anyone could get behind the wheel of a two-ton projectile barreling down the freeway. Drunk drivers, fanatical road-ragers, distracted teenagers: these are just a few of the many threats that could be eliminated with the development of autonomous vehicles.
The transition to fully automated and connected vehicles is not all sunshine and rainbows, however. In fact, an entirely new set of risks will rise from this new technology and it could have devastating effects. Just a few years ago, two security researchers demonstrated how they could take remote control of a Jeep Cherokee and shut down its transmission on the highway, resulting in Chrysler recalling 1.4 million vehicles.
The question now is not if, but when hackers will strike and what will the fallout be. One could argue this industry will be sought out by cyber criminals in record numbers. Why? Because people’s lives will be on the line. The stakes will be higher and the impact greater. Where there is vulnerability, there will be leverage; where there is leverage, there is money to be made.
So, how can the automotive industry prepare for these new threats? Here are a few things that need to be considered before we completely hand over the keys to our robot counterparts:
1. Focus on technology
Preventing a massive attack will require a measurable shift in our thinking. We can’t continue to maintain the status quo with this new industry. Otherwise, people could die, and public trust could vanish, crippling an industry before it even has a chance to get rolling.
In the words of Tesla’s Elon Musk, the single largest concern for autonomous vehicles is “someone achieving a fleet-wide hack.” Hackers wear many hats, but they tend to do one thing really well: exploit human behavior. Social engineering is the most prevalent method for cyber criminals to gain access to our computers, which is why there’s been so much focus on evaluating risk around people, processes, and behavior—training people to not make mistakes. With autonomous vehicles, there is no human behavior to exploit. There is no psychological element. The vehicle has no opinions or “a case of the Mondays,” so hackers will most likely focus their efforts on the technology and supply chain.
With that in mind, it’s never been more important for manufacturers to get it right the first time. And that requires building products with secure frameworks from the outset—rather than relying on adding patches or quick fixes later. That doesn’t mean companies can build it and forget it. Collaboration between the corporate IT- and product-security teams must be consistent and ongoing, ensuring that security solutions stand the test of time. It’s important to note that vehicles typically have longer lifespans than your Apple iPhone or mobile device, sometimes as long as 20 years or more. Manufacturers must ask themselves: how can we ensure this product doesn’t become vulnerable to attacks executed by the most rudimentary of hackers in 15 years?
2. Don’t cut corners
Securing autonomous vehicles will be expensive—and, it should be, because there’s little room for error. Fortunately for the automakers (not necessarily consumers), surveillance capitalism will subsidize the industry, allowing for more stringent processes and increased security measures without completely putting the financial burden on consumers.
Expect auto manufacturers to take a page right out of the Facebook handbook and monetize the information that’s gathered in each connected vehicle. Our cars will join the millions of IoT devices already connected to the internet and begin collecting information like our weight, driving habits, travel routes, temperature settings, and other types of data—ultimately selling it to the highest bidder. You won’t have to pay a million dollars for your self-driving car as long as you’re okay with it being sponsored by Twitter. You think ads on your Facebook wall are annoying now? Consider pop up ads on your dashboard from local auto mechanics every time your car reaches 3000 to 5000 mi.
3. Test, test, and test again
The way industries test for security vulnerabilities now is not sufficient for fully automated vehicles. We test just enough to reach a certain level of risk, but that won’t cut it in an industry where the vulnerability is higher and hacks can kill. Think about the thousands of components that individually connect to the internet. If a hacker gains access to a single electronic control unit among the array of sensors and computer systems, they could potentially navigate the entire network and possibly gain access to critical components that control the brakes or even acceleration, similar to the Jeep Cherokee incident.
Tests should be multi-layered, and they should treat the vehicle like a computer with wheels, with emphasis on safety-critical vehicle control systems. Not all threats can be avoided, but with proper testing, they can be identified in a timely matter, allowing for a more rapid recovery and reducing the potential for serious harm.
The autonomous vehicle industry has an opportunity to do what every other industry before it could not do: responsibly self-regulate before the government steps in and foists inadequate and distracting regulations on manufacturers. If manufactures don’t get ahead of compliance, we’re going to experience another mess like HIPAA, which has been inadequate and ineffective in providing security for healthcare organizations. HIPAA can be a real distraction for those who care about patient safety, and the same will be said for auto makers if they don’t find a path toward self-regulation.
The autonomous vehicle industry isn’t going to get a second chance if things go awry. Perhaps the recent Uber fatal car accident in Arizona should serve as a wake-up call for the industry. As soon as a self-driving car is held fully responsible for killing someone, the government is going to sweep in and derail any progress that’s been achieved with this potentially life-saving technology.
We are on the verge of one of the biggest technological shifts since the industrial revolution. Perhaps, a change that rivals the inception of the Internet. Who knows where this road will take us. But, one thing is for sure: we won’t get there if we don’t recognize the threats along the way.