Part 2: Understanding the importance of cyber security.
Last time, we looked at how autonomous vehicles and infrastructures need to work and how the various elements need to “trust” each other in order to work properly. In reality it can be more complex. The SolarWinds security breach we mentioned last time demonstrates how the entire supply chain is at risk from a potential security breach.
Imagine, for example, that someone wants to take control of even a small municipality by placing malware in one area of the system and, months later, is able to hold that entire region hostage until they pay a ransom to release it? The economic damage and potential for death and injury come into play as bargaining chips. Now, what would happen if they targeted a major city like New York, London or Toronto? What if China used malware to disrupt traffic in Taiwan as a prelude to a military attack?
Political thriller or real threat?
In the not-too-distant future, our urban networks will increasingly involve facial recognition, where high-powered cameras watch and record data that can determine who you are, where you’re going and, through AI, can even generate predictions for your future behaviour. You may think this is science fiction, but these technologies are already here.
External cameras are not the only threat to our personal privacy. As with our phones, most of us have used audio cues to tell our vehicle to connect to the Internet or to place a call. As our vehicles become extensions of ourselves, much as our phones have, they will be continually listening to us, taking orders from us and learning more about us. The security and privacy of that information can be breached.
It isn’t hard to see how an adversary could use a breach to find and follow dissidents or public officials and gain access to their conversations, even taking control of their vehicles for nefarious purposes. Imagine a situation where a bad actor can find and verify that a specific person happens to be in a particular vehicle and then use that information to predict the perfect place to take control of the vehicle, locking the doors and driving it externally to a “safe” location where a kidnapping can take place. A scene from a spy novel? What if it involved a family separation where one parent decides to take their son or daughter against the will of the other parent and/or court system? The situation feels less far-fetched now, doesn’t it?
Vehicles become weapons
When it comes to autonomous vehicles, bad actors can even turn a vehicle into a weapon without physically taking over the vehicle. Imagine if they disrupted the visual inputs of the car or truck, changing the geometric pattern recognition to turn a stop sign into a yield sign or, worse, an increased speed sign, causing the vehicle to rapidly accelerate through the stop sign and into oncoming traffic. What if the vehicle’s visual system was re-trained to ID a boardwalk as an on-ramp, allowing potential terrorists to take over the vehicle and drive it into a group of pedestrians?
Autonomous vehicles and network security issues are more significant than we realize. This is why the entire system requires fail-safe countermeasures. For instance, we always need to know that a vehicle has correctly read road signage, but rather than relying solely on sign recognition via internal vehicle sensors, there should be a signal transferred from that sign back to the vehicle to reinforce that the vehicle has correctly read that sign. Only then can the vehicle continue. Our network of “trust” becomes a network of “trust but verify.”
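The “trust but verify” check described above, as an added example that is not part of the original article: the vehicle continues only when its camera reading matches a fresh, authenticated beacon from the sign itself. The beacon format, key table and function names are assumptions, and an HMAC with a constructed key stands in for the digital signatures a real deployment would use.

```python
import hashlib
import hmac
import json

# Constructed demo key per sign ID. Assumption: a shared-key MAC stands in for
# the digital signatures a real roadside deployment would use.
SIGN_KEYS = {"sign-0042": b"constructed-demo-key"}
MAX_AGE_S = 2.0  # hypothetical freshness window; older beacons count as replays


def make_beacon(sign_id, sign_type, ts, key):
    """Sign side: announce the sign's type with a MAC over the whole claim."""
    body = json.dumps({"id": sign_id, "type": sign_type, "ts": ts},
                      sort_keys=True).encode()
    return {"body": body, "tag": hmac.new(key, body, hashlib.sha256).digest()}


def verify_beacon(beacon, now):
    """Return the claim only if its MAC and timestamp both check out."""
    try:
        claim = json.loads(beacon["body"])
        key = SIGN_KEYS[claim["id"]]      # unknown sign IDs are rejected
        tag = beacon["tag"]
        age = now - claim["ts"]
    except (KeyError, ValueError, TypeError):
        return None
    expected = hmac.new(key, beacon["body"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return claim if 0 <= age <= MAX_AGE_S else None


def may_continue(camera_label, beacon, now):
    """Two independent factors must agree; any doubt yields the fail-safe."""
    claim = verify_beacon(beacon, now) if beacon else None
    if claim is None:
        return False, "no verified beacon"
    if claim["type"] != camera_label:
        return False, "camera and beacon disagree"
    return True, "camera reading confirmed by sign"


if __name__ == "__main__":
    key = SIGN_KEYS["sign-0042"]
    beacon = make_beacon("sign-0042", "stop", 1000.0, key)
    print(may_continue("stop", beacon, 1000.5))
    print(may_continue("speed_limit_80", beacon, 1000.5))
```

Neither the camera nor the beacon is trusted alone: a missing, stale, unauthenticated or contradicting beacon all lead to the same fail-safe result.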
Yes, some of the situations outlined may lean toward science fiction, but most of these scenarios are very real. That’s why, as different municipalities prepare for autonomous vehicles, we need to understand these cybersecurity issues. There can be no doubt that our infrastructure is going to be a target of cyber-attacks because our adversaries see opportunities in the very things that we see as threats, and they’re setting up real-life labs to discover the best way to breach these systems.
Watching and waiting
Sophisticated adversaries, including foreign nations, will not immediately jump to action to take advantage of a breach. Instead, they will watch as our networks are being built and take their time to discover each potential vulnerability in the connected infrastructure network. It’s a reality that Russia and Iran are much further ahead in terms of their cyber warfare capabilities than most nations, and we have seen them repeatedly testing those capabilities against their adversaries, whether in the attacks on power plants in Ukraine or the attacks against oil refineries in Saudi Arabia.
We need to build autonomous vehicles and create a network capable of preventing and eliminating known and unknown threats and breaches. The ideal network would be a network of “zero trust,” where no external access is provided and robust, automated cryptographic and entitlements management allows the system to work, but this isn’t possible given the scope and scale required to build traffic infrastructures across vast regions. The cost is simply too high.
Our devices and vehicles are going to need cheap hardware and software to make the system affordable at the scale required. Think about entire computer vision systems in the car that are less expensive than the Raspberry Pi. Guess what: even cheap IoT devices will still be multi-billion-dollar projects for smaller municipalities.
Defense against breaches
The model of trust that we need to build must be rethought. We need to protect ourselves by working with academic institutions, municipalities and vehicle manufacturers to collectively establish a secure “trust but verify” network that comes as close to “zero-trust” as economically feasible.
This means engineering an integrated system including autonomous vehicles, and evaluating every piece within our infrastructure, testing the system from both an AI and cybersecurity perspective to ensure that nothing relies on a single trust factor. In other words, we need to be aware of the problems and work together to secure the system and keep us free from threats.
Alexander Poizner is an accomplished expert in security strategy, management, architecture and governance. He is coaching security executives and mentoring a new generation of security professionals, advancing awareness and understanding in business and leader communities.