The U.K.’s Department for Transport recently issued new cyber security guidance for self-driving cars entitled “The Key Principles of Vehicle Cyber Security for Connected and Automated Vehicles.”
“Whether we’re turning vehicles into Wi-Fi connected hotspots or equipping them with millions of lines of code to become fully automated, it is important that they are protected against cyber attacks,” Transport Minister Lord Callanan said in a statement. “That’s why it’s essential all parties involved in the manufacturing and supply chain are provided with a consistent set of guidelines that support this global industry.”
The document, developed with the Center for the Protection of National Infrastructure (CPNI), lists the following key principles:
- Organizational security is owned, governed and promoted at board level
- Security risks are assessed and managed appropriately and proportionately, including those specific to the supply chain
- Organizations need product aftercare and incident response to ensure systems are secure over their lifetime
- All organizations, including sub-contractors, suppliers and potential third parties, work together to enhance the security of the system
- Systems are designed using a defense-in-depth approach
- The security of all software is managed throughout its lifetime
- The storage and transmission of data is secure and can be controlled
- The system is designed to be resilient to attacks and respond appropriately when its defenses or sensors fail
Security Standards for IoT
High-Tech Bridge CEO Ilia Kolochenko told eSecurity Planet by email that the announcement is a positive step for automotive cyber security. “Connected cars, and the IoT industry in general, need governmental regulation and enforcement of strict security standards,” he said. “However, we need much more detailed practical guidelines with contribution from leading cyber security experts, practitioners and researchers, not just a set of generalized best practices.”
“Moreover, a violation of the guidelines must be severely sanctioned, otherwise car vendors, and especially their suppliers, will likely ignore them,” Kolochenko added.
That last point is key — in the U.S., the Automotive Information Sharing and Analysis Center (Auto-ISAC) released a similar set of best practices last July, though the organization took pains to state, “The Best Practices are not intended to, nor should be interpreted to, obligate individual members of Auto-ISAC, Auto Alliance, or Global Automakers to take specific action or measures.”
Similarly, the U.S. National Highway Traffic Safety Administration (NHTSA) issued a set of cybersecurity best practices for vehicles last fall.
“Cyber security is a safety issue, and a top priority at the Department,” U.S. Transportation Secretary Anthony Foxx said at the time. “Our intention with today’s guidance is to provide best practices to help protect against breaches and other security failures that can put motor vehicle safety at risk.”
Tricking Self-Driving Cars
The U.K. announcement comes soon after University of Washington researchers determined that self-driving cars can be fooled simply by adding stickers to street signs.
In one case, Car and Driver reports, the researchers were able to cause a self-driving car’s vision system to identify a stop sign incorrectly as a 45 MPH speed limit sign just by putting a few small stickers on the sign.
The impact of a mistake like that could be deadly — and in all cases, the researchers noted, the attack would only require access to a color printer and a camera.
“This is an excellent example of underestimated fragility of autonomous cars,” High-Tech Bridge’s Kolochenko said. “Even if we assume that a vehicle is unhackable remotely, there are many trivial methods that can be used to manipulate and trick the car.”