Cyber security in the automotive world

January 2016 | PROFESSIONAL INSIGHT | RISK MANAGEMENT

Financier Worldwide Magazine

In July 2015, Charlie Miller and Chris Valasek, two ‘digital security researchers’, showed the world how a 2014 Jeep Cherokee’s computer system could be remotely and wirelessly hacked while the Jeep was cruising at highway speeds. This event was just the latest automotive hacking exploit by this duo who also demonstrated their ability to hack automotive computers in a Toyota Prius and a Ford Escape wired with laptops set to take over the driver’s controls.

These recent and well publicised examples of automotive electronic control unit hacking are unsettling to say the least. More seriously, these events raise a number of obvious but important questions including whether safety-critical and electronically controlled automotive technology can really be hacked and, if this hacking is possible, what are motor vehicle manufacturers and government regulators doing to prevent hacking of ‘connected vehicles’ and their embedded electronic systems that, more and more dominate the modern automotive fleet?

The good news is that the automotive world is paying serious attention to these developments. For example, in October 2014, the National Highway Traffic Safety Administration, the federal watchdog charged with regulating motor vehicle safety in the US, published ‘A Summary of Cybersecurity Best Practices’. In this report, the NHTSA discussed and presented a review of cyber security best practices and lessons learned in the area of safety-critical electronic control systems. During the development of its list of ‘best practices’, the NHTSA looked outside of the automobile industry, in order to gain a better understanding of the key elements of a cyber security program, for an automotive application. Following this approach, the NHTSA considered cyber security information from government and industry sectors including information technology and telecommunications, industrial control systems and energy, medical devices, aviation, financial payments and the National Institute of Standards and Technology (NIST).

The NHTSA reported that “[n]o industry studied had a ‘solution’ to cyber security. Rather, issues were actively being worked and methodologies being developed along the lines of what could generically be called the best practices of cybersecurity”. NHTSA research of the various industries identified above has yielded the following ‘best practices’. Cyber security is a lifecycle process that includes elements of assessment, design, implementation and operations, as well as an effective testing and certification programme. The aviation industry has some similarities to the automotive industry. Leadership from the federal government can help the development of industry-specific cyber security standards, guidelines and best practices. Ongoing shared learning with other federal government agencies is beneficial. Use of NIST cyber security standards is a way to accelerate development of an industry-specific cyber security guideline. International cyber security efforts are an important source of information. Consider developing a cyber security simulator that can facilitate the identification of vulnerabilities and risk mitigation strategies. There should be cyber security standards for the entire supply chain. Foster industry cyber security groups. Use ‘professional capacity building’ to develop cyber security skillsets in system designers and engineers. Connected vehicle security should be end-to-end; vehicles, infrastructure and V2X communication should all be secure.

Additionally, and with the NHTSA’s encouragement, the major automotive original equipment manufacturers (OEMS) have recently formed an Information Sharing and Analysis Centre (ISAC) related to automotive cyber security issues. This ISAC is designed to allow industry members to jointly attack cyber security threats.

While the NHTSA and major OEMs are clearly paying attention to the issue, US lawmakers have also joined the effort. Legislation proposed by Senators Edward Markey and Richard Blumenthal in July 2015 would direct the NHTSA and the Federal Trade Commission to write minimum rules for automotive cyber security. These proposed rules would require automakers to establish real-time monitoring to immediately detect, report and stop hacking attempts in their cars. The Senate bill also suggests that automakers include ‘cyber dashboard’ stickers on every car to show drivers how they are protected and to disclose every connectivity feature to explicitly mention the company’s data collection practices in clear and plain language, along with the ability to disable data collection as it pertains to marketing and vehicle tracking. The Senate bill would prevent automakers from disabling key functions, such as navigation, if a driver were to opt out of data collection, but these proposed rules would not apply to vehicle safety systems like the Event Data Recorder used for managing and monitoring airbag deployment and other vehicle information in a crash.

This legislative activity follows Senator Markey’s February 2014 report that found the automotive industry’s cyber security measures to be inconsistent from company to company, calling the disparate approaches “for the most part... insufficient to ensure security and privacy for vehicle consumers”. The House Energy and Commerce Committee in the United House of Representatives is also conducting a review of its own. It is following up with automakers after receiving responses to cyber security questions sent in May to top US officers at 17 automakers and NHTSA.

Even the class action plaintiff lawyers have joined in on this issue. In Cahen et al. v. Toyota Motor Corp. et al., 3:15-cv-01104, from the US District Court for the Northern District of California, drivers in a proposed class action accused Toyota, Ford and GM of leaving their vehicles’ computers vulnerable to hackers. The case did not last long as it was dismissed on 25 November 2015 after the trial Judge ruled that the speculative risk of future hacking was not an ‘injury in fact’ necessary to sustain the case. The Judge also found that “Plaintiffs have alleged only that their cars are susceptible to hacking but have failed to plead that they consequently face a credible risk of hacking”.

While this recent spate of attention on automotive cyber security is a good thing, to say the least, the automotive industry is still operating without any law or regulation providing even minimum requirements that would prevent or minimise the hacking risks exposed by Charlie Miller and Chris Valasek. So, should you or the automotive industry be concerned about the risks presented by this issue?

The short answer is yes. As the industry continues to roll out an ever increasing level of electronically controlled safety, power train and infotainment safety systems, and as WiFi reliant vehicle to vehicle and vehicle to infrastructure technology emerges, the industry has an imperative to address this critical security issue with or without government participation. The industry should take the NHTSA’s recent advice by carefully considering and adopting some of the best practices already followed by other industries like aviation, and banking and finance.

However, while a reasonable level of concern is warranted there is also no reason to panic. Even Miller and Valasek conceded that hacking automotive electronics is no easy task. It took Miller and Valasek months of laborious coding work to develop the right code before they were able to rewrite the firmware of the 2014 Jeep Cherokee and take over the vehicle’s driving controls. And even after exposing this eye opening weakness, Fiat Chrysler was able to quickly release a software update to close the vulnerability in Jeep’s electronically controlled systems.

Thomas P. Branigan is a managing partner at Bowman and Brooke LLP. He can be contacted on +1 (248) 205 3316 or by email: tom.branigan@bowmanandbrooke.com.

Thomas P. Branigan

Bowman and Brooke LLP