In the first of a two-part column, Alexander Poizner talks about the very real dangers around cyber security as it relates to autonomous vehicle technology.
It’s fun to imagine a world of self-driving cars; after all, we’ve seen them in the Jetsons, Blade Runner and countless other shows and movies, but the realities surrounding autonomous vehicles and the potential damage inherent in their arrival make even the best science-fiction stories look tame. When we talk about autonomous vehicles, there is much more under the hood than you might think.
Society expects autonomous vehicles to be held to a higher standard than human drivers, but who, or what, actually has access to the car and the transportation system?
Autonomous vehicles are an engineering marvel, but there is an underbelly to this technology that isn’t understood or adequately addressed. It involves cybersecurity issues that can result in life and death situations or even lead to corporate and international espionage.
Now that we have your attention let’s look at this as a two-sided problem.
First, let’s talk about the devices themselves because autonomous vehicles are essentially moving computers that use large and complex sets of data to function. Not only is that data created and consumed by systems within the car, but it’s also generated, consumed and shared with and by the external infrastructure required to support that vehicle.
After all, this infrastructure is really a vast, interconnected network of static or centrally controlled IoT (Internet of Things) devices that is complicated to physically secure.
While there are several Regional Technology Development Sites in Ontario, working with academic institutions such as Durham College Autonomous Vehicle Applied Research, the cybersecurity solutions protecting both vehicle occupants and the municipalities that manage the road infrastructure are still in a conceptual phase.
So, we have two problems. People can hack into vehicles, and people can hack into the infrastructure supporting those vehicles resulting in a breach with potentially deadly consequences.
The critical problem revolves around trust. When you think about it, the entire system is a network of devices that must talk to each other in order for the system to work. Vehicles use internal systems to monitor the external environment around the vehicle, but there is also an entire system of external devices that includes smart traffic lights with sensors that measure traffic speed, direction and volume in order to connect to a broader network of smart devices to create a much more efficient traffic system.
In fact, a complete traffic grid consists of thousands of IoT devices that include permanent devices, such as street signs and traffic lights, various road and environmental sensors, as well as temporary devices that provide data on construction and road conditions.
All of these devices and the systems that control them need to integrate and communicate with one another and process, aggregate and analyze all of the data created to manage the collective system.
So permanent infrastructure, temporary infrastructure and individual vehicles must trust each other, and more specifically, the data they’re exchanging if the system is going to work. Let’s call this the “network of trust.” Now, the main threat is that cyber-attackers will try to disrupt that trust. They will look for weaknesses in the system and use those weaknesses for their own gain.
One of the most obvious reasons to do this is to create some kind of disruption with the ultimate goal to cause chaos, traffic jams, accidents, or even to instigate economic disruptions and civil unrest.
Other reasons, however, can be more subtle, such as hacking into some or all those smart devices to get some kind of malware or backdoor access into the vehicles or the infrastructure itself. As hard as it may be to believe, there is no single standard around cybersecurity for either autonomous vehicles or the infrastructure to support these across the automotive industry.
There are some decent security standards such as UNECE W.29 and ISO/SAE 21434 for automotive suppliers and manufacturers, but those standards do not deal directly with issues around autonomous vehicles’ cybersecurity, nor are uniformly applied or enforced.
The wild west
For autonomous vehicles and smart systems, it’s still the wild west. For example, Tesla conducts updates to their cars over the air. Think about the danger when an update is sent to hundreds of thousands of cars wirelessly.
The problem is, as we’ve seen with the recent issues from the SolarWinds breach that the whole supply chain can be compromised through updates, especially when parts of the code come from multiple independent parties. Malware and backdoors can be introduced at any time.
Given how many devices exist in a real autonomous and smart-grid network and how many separate systems are required to make those devices and the entire network function, you only have to access one piece of the system in order to potentially disrupt the whole.
In part 2, Alexander will discuss more forms of cyber-attacks, as well as measures we might actually be able to put in place to prevent them.
Alexander Poizner is an accomplished expert in security strategy, management, architecture and governance, he is coaching security executives and mentoring a new generation of security professionals, advancing awareness and understanding in business and leader communities.