Less than a week after one of the most massive cyberattacks in U.S. history, federal officials want to ensure that hackers won’t be able to invade the computers that increasingly control automobiles.
Guidelines issued Monday for automakers and developers by the National Highway Traffic Safety Administration acknowledge that protecting increasingly autonomous cars from cyberattacks will be an ongoing battle.
“In the constantly changing environment of technology and cybersecurity, no single or static approach is sufficient,” NHTSA Administrator Mark Rosekind said in a statement released with the new guidance. “Everyone involved must keep moving, adapting, and improving to stay ahead of the bad guys.”
The NHTSA guidance suggests a layered series of protections that will prevent a vehicle from misbehaving, even when its cyber defenses are penetrated.
The goal of the guidance is to make sure cybersecurity is a key part of designing cars in a world where hackers and foreign powers are hungry to reach into whatever electronic realm they can, for fun, profit or strategic advantage.
The motives of hackers are as varied as their goals. For some, it’s simply to overcome cyber barriers that are established to thwart them. For others, it could be to disrupt the U.S. transportation system.
“It’s like building a 10-foot wall, and somebody builds an 11-foot ladder,” said Paul Brubaker, chairman of the recently formed Alliance for Transportation Innovation.
That said, there are myriad ways to keep hackers from taking control of cars, according to Brubaker. Some of it should be adapted from the military and intelligence communities, areas with which he became familiar when serving as a deputy assistant secretary of defense.
“The knowledge exists to provide state-of-the-art cybersecurity protection to the fleet,” Brubaker said. “The question is, will the industry lean into their discomfort and embrace it?”
One challenge is simply defining “the industry.”
The players who are developing semi-autonomous and truly driverless vehicles include Google, which has vast experience in defending against hackers, and traditional automakers, whose focus has been more on selling cars than fending off cyberattacks.
“I think the department has given industry an excellent opportunity to step up to the plate,” Brubaker said. “I’d like to see some input from folks who are working in the software-defined network world as well as the software-defined radio world to help the department develop some more refined guidance.”
The cyber world had a sobering moment last year when two researchers successfully hacked into a Jeep Cherokee, disabling the brakes and transmission to demonstrate the vehicle’s vulnerability. They entered the car electronically through its self-parallel parking feature. Chrysler later issued a software patch to fix the flaw.
Just as federal officials put up outsized planters around government buildings to prevent attacks, and Internet companies have invested in ways to counter hackers, the goal of the guidance is to “harden the vehicle’s electronic architecture” against potential attacks.
To do that, there’s a lot of talk about being “risk based,” which basically means companies should be deliberate about figuring out where things might go particularly badly and focus on those first. The nonbinding guidance recommends that “safety-critical vehicle control systems” — such as brakes, acceleration and steering — should be the priority, along with “personally identifiable information.”
One key step is “creating an inventory” of “all vehicles and vehicle equipment that have some form of connectivity to each other or to other services,” the guidelines say.
Once risks are identified, companies should also put in place “rapid detection and remediation capabilities,” according to the voluntary best practices.
“If a cyberattack is detected, the safety risk to vehicle occupants and surrounding road users should be mitigated and the vehicle should be transitioned to a reasonable risk state,” the guidance says.
Which translates to: Figure out what’s happening and find a way to cut the danger fast. That’s easier said than done, which makes this such a fraught area.
Documenting threats and attacks, and sharing information with others in industry as well as outside researchers and the public, is key, the document says. Companies should use “penetration tests” to probe their own soft spots.
Based on its research, the NHTSA offered a list of specific dangers to avoid.
For example, software developers often have doorways into a car’s basic electronic systems, which are useful for fixing bugs. But those doorways should be locked down or sealed once the cars hit the road, the guidance says.
Also, the encryption keys or passwords that give access to car computers “should not provide access to multiple vehicles,” according to the federal guidelines.