Date: Apr 18, 2016 Author: Joe Kwederis and Greg Boehmer Deloitte & Touche LLP Source: Wall Street Journal (
click here to go to the source)
When most people step into newer cars, they're far more concerned with avoiding fender benders than with the possibility of a hacker remotely disabling the car's engine. But as automobiles are loaded with more technology and become increasingly connected through the Internet of Things to other vehicles, owners' homes, traffic signals, insurance companies, and more, our beloved and trusted cars are becoming just as vulnerable to cyberattacks as our indispensable computers and mobile devices.
Since 2014, cybersecurity researchers have demonstrated multiple ways to remotely manipulate the systems that control braking, acceleration, steering, and other critical functions in various makes and models of cars. Their findings prompted the FBI and the National Highway Traffic Safety Administration (NHTSA) to issue a public service announcement in March 2016 warning consumers and manufacturers of potential cyberthreats.
In addition to the palpable safety concerns, researchers have also highlighted potential privacy invasions: By exploiting weaknesses in wireless communications systems or in devices that connect directly to cars (such as smartphones, insurance dongles, or diagnostic tools), hackers could conceivably gain access to data stored on a vehicle that describes its owner's driving habits, current location, entertainment preferences, or daily schedule.
These cyber risks should concern more than just consumers and automobile manufacturers. Businesses that offer company cars, operate fleets, or that are considering the deployment of smart or self-driving vehicles are also at risk, especially if they are liable for passenger safety. Such enterprises may include logistics providers, telecom providers, car rental agencies, construction firms, and delivery services (e.g., pizza, flowers). Logistics companies in particular should confirm that the companies that manufacture and maintain their trucks are on top of cyber risks. The last thing a logistics provider needs is to have a cyberattack shut down its fleet for a day, which would not only lead to massive productivity losses and extreme customer dissatisfaction, but also to a significant decline in its return on assets.
Newer connected vehicles represent an emerging target for hackers because these vehicles are essentially rolling ecosystems of unsecured technologies. For example, the sensors that enable safety features such as adaptive cruise control, forward collision warnings, and lane departure warnings are largely manufactured without common security standards. Similar safety and convenience features have already been used in attacks to gain access to critical driving systems. When sensors communicate maintenance and driving data to auto manufacturers, dealerships, and insurance companies, the transmission of data among multiple networks and vendors creates even more risk of exposure and compromise. And as smart cars communicate with smart homes, home networks also become more vulnerable to attack.
Like safety features, the cellular, Wi-Fi, and SMS networks used to facilitate data transmission were not originally designed for secure communication; a 2015 study found that nearly 100 percent of today's cars include inadequately secured wireless technologies. As a result, wireless and Internet-based communications networks are among the most common entry points for hackers. Security researchers have already demonstrated the ability to infiltrate vehicle systems using SMS texting.
The volume and complexity of the software running in cars today raises many questions about its quality, security, and reliability. As cars become more connected, they become more technologically complex and yield ever new entry points for attackers. According to one widely reported estimate from Frost & Sullivan, some 100 million lines of code power the navigation, infotainment, telematics, diagnostics, anti-theft, wireless communications, and other systems in higher-end automobiles. (In comparison, the space shuttle contains only about 40 million lines of code.) Frost & Sullivan anticipates the number of lines of code in automobiles to grow by 30 percent over the next several years.
Fasten Your Cyber Seat Belts
To address security and privacy issues, auto manufacturers and their expanding partner and supplier ecosystems will need to become more secure, vigilant, and resilient. That will likely entail:
Instituting a cyber-risk governance model that includes a well-staffed vehicle cybersecurity function run by a dedicated leader with appropriate subject matter expertise and board/executive committee oversight.
Securing products by building cybersecurity into product and component design lifecycles from the outset and weaving secure coding practices into software development and deployment.
Creating mature capabilities for monitoring both the threat landscape and the security of automotive systems and components in real time.
Continuing to collect, analyze, and share cyberthreat intelligence.
Developing the ability to promptly neutralize, contain, and quickly recover from attacks when they occur by establishing a cross-functional cyberincident response capability.
Manufacturers and their partners will need to take additional measures to improve cybersecurity in this industry. These steps will likely include cultivating talent, adopting leading practices from other industries, and working with regulators and federal agencies. Currently, the NHTSA meets regularly with auto manufacturers' and their suppliers' technical leads to discuss cybersecurity initiatives, processes, risk assessments, and product design plans. The NHTSA also works closely with other federal agencies on automotive cybersecurity--a collaboration that could prove helpful to manufacturers' cybervigilance efforts.
In the meantime, lawmakers are preparing their own response. In July 2015, Massachusetts Sen. Edward Markey introduced the Security and Privacy in Your Car Act, which aims to develop federal standards for securing cars and protecting drivers' privacy. The legislation is currently under consideration by the Senate Committee on Commerce, Science, and Transportation. More recently, in March, Sen. Gary Peters of Michigan, a member of the aforementioned committee, proposed establishing a national automotive cybersecurity laboratory near Detroit.
Auto manufacturers' focus on safety has led them to develop features like rear cameras, collision warning systems, and anti-lock brakes that are popular with buyers today. The irony is that even as those and other systems have made cars safer, they've also made them more vulnerable to cyberattacks that could ultimately lead to the crashes manufacturers and drivers are trying to avoid. It's time for manufacturers to prioritize in-vehicle cybersecurity before cars get any more connected and complicated. After all, if a hacker manages to install a virus on a car's control network, the word "crash" may cease to be a metaphor.
