With computer hacking making its way to our cars, some sort of regulation was bound to be created. Recalls have been occurring for many modern models due to exposed areas in today’s connected car coding, which includes upward of 300 million lines of code compared to a Boeing Jet 747, with roughly 75 million lines. Automotive vulnerabilities are at an all-time high and it begs the question, who is taking the necessary action?
On July 21, 2015 Senators Edward Markey and Richard Blumenthal introduced the first-of-its-kind legislation, named the Security and Privacy in Your Car Act (appropriately abbreviated, the SPY Car Act). The senators’ legislation directs the National Highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission (FTC) to establish federal standards that will secure today’s connected car. There was no in-vehicle system regulation until the SPY Car Act.
The SPY Car Act is an unprecedented announcement, but many insiders feel it was overdue. As a whole, the automotive industry’s cyber security posture is new and therefore weak. It was not just the recent hack of Fiat-Chrysler Auto, which forced thousands of recalls, that spurred action. There have been numerous reports of Range Rovers stolen by hackers infiltrating remote key fobs, and a vulnerability was exploited in BMW vehicles, allowing experimental hackers to unlock doors and open windows through BMW’s ConnectedDrive system. The threat is real, and with the SPY Car Act’s three-way approach, the threat will diminish. I believe the industry will have a steep challenge to create a fully secure system. While accomplishing this feat will be difficult, it is possible with help from the right partner.
The groundwork that envelops the SPY Car Act will play a critical role in creating a fully secure in-vehicle cyber security system, which is currently non-existent. Security and Privacy Standards are the two fundamental pieces of the Act that ultimately lead to a Cyber Dashboard for every new vehicle. The SPY Car Act will not be the complete answer to the difficult cyber security equation, but it will be a suitable first step.
The automotive industry is not renowned for establishing standards inside the vehicle. Given the influx of software added into the car, the industry has also witnessed unparalleled levels of fragmentation. The Security and Privacy Standards within the SPY Car Act will address the fragmentation issues, while giving auto makers a measurable tool to secure their vehicles.
The increased lines of software code that essentially drive a vehicle’s functionality come with an increase in the number of electronic control units (ECU). The SPY Car Act Security Standard will focus on those ECUs that link directly to critical systems, e.g., power steering or brakes. This section of the Act is called Isolation Measures and can save lives. There have been no recorded deaths related to vehicle hacking, and I believe that IF there is, it will be with a vehicle already on the road today. One can credit the SPY Car Act for this expectation.
In addition to the Isolation Measures, the SPY Car Act forces automakers to develop a “Detection, Reporting, and Responding to hacking” measure. This will be the most difficult element of the Act to follow. Currently there is no proven vulnerability tracking method. Automakers are now tasked with creating a completely foreign system. Yet another example of why collaboration is essential to following the SPY Car Act requirements.
The automotive industry is at a disadvantage compared to handheld devices because the automotive world is concerned with safety and privacy. Now that today’s vehicle is basically a computer with four wheels, driver data must be protected as well. On top of protecting driver data stored in the vehicle, drivers will have full transparency of the vehicle data that automakers are collecting. There will be opt-in/opt-out programs offered, and no marketing or advertising efforts will be conducted without the consent of the customer.
According to consumer research by Texas-based consulting firm Frost & Sullivan, safety is the number one factor consumers consider when purchasing a new vehicle. For today’s connected car, you cannot have safety without security, especially with all the ECUs needed to communicate with critical systems. With both the Security and Privacy pieces acting more as back-end, the Cyber Dashboard will be consumer facing. In the near future car shoppers will not only see the crash-test rating of vehicles, but they will see a security rating focusing on how equipped a vehicle is to protect against hacking and data theft.
It is unrealistic to consider the SPY Car Act as the silver bullet to put vehicle hacking to rest. However, it is a much-needed foundation for securing vehicles of the future. Not only will the SPY Car Act implement needed cyber security standards, but it will also save potentially billions of dollars in recall and/or warranty costs. With notably more secured vehicles, automakers can now follow on the Tesla path and begin to issue critical firmware over-the-air (OTA) updates. Nearly all major automakers are using OTAs merely to update in-vehicle apps, but with secure channels to issue OTAs to critical systems, problems like GM’s ignition switch can be solved by the press of a button.
The SPY Car Act will not reshape the automotive industry as we know it today, but it will drastically improve the cyber security model. While automakers will be the decision makers and final approvers of their systems, the niche security community will play a big role in assisting with system creation. While collaboration was inevitable, the security community can really thank the government for the SPY Car Act and the included system-development contracts that will come along with it.
The Act’s three-piece approach is the first step to creating a fully secure system, and the Cyber Dashboard is a nice touch that brings the consumer into the mix. Action needed to be taken, and the government stepped in. No lives have been lost yet, but a hacker only needs to be right once.