The automobile industry has published its first set of in-car security best practices, but the slow development times mean the industry still has a long way to go.
The modern automobile has all the computer technology of your typical small business.
Cars typically have 70 to 100 electronic control units, or ECUs, and 10 million to 150 million lines of code running on their various systems. The entertainment consoles in the dashboard often allow USB and Bluetooth connectivity, which has provided researchers with an inviting path to these systems.
Little surprise, then, that automobiles are increasingly seen as computers on wheels.
Unfortunately, there is a downside to the technology. In 2010, a group of security researchers from the University of California, San Diego and the University of Washington did a comprehensive survey of vehicle systems and found significant vulnerabilities in the ECUs operating in a typical car.
Five years of car system analysis, from tire-pressure sensors to entertainment consoles, led up to the 2015 hack of the Jeep Cherokee, which took control of various systems and shut down the transmission of a car on the highway. The event forced Fiat Chrysler Automobiles to recall more than 1.4 million vehicles.
“Originally, a car was seen as an island. … You simply put new devices onto that island, and as long as they were inserted correctly, the system was secure,” said Rod Schultz, vice president of Rubicon Labs, a maker of secure internet of things (IoT) systems. “Now, we see that we are connecting devices, and every single ECU is potentially being connected to a network. So you can no longer assume that these devices will be secure.”
A year after the Jeep hack, automobile manufacturers are still trying to develop a solution to the complex problem of securing vehicle computer systems. The parade of vulnerabilities and issues has forced the auto industry to change, albeit slowly.
In 2015, just before news of the Jeep Cherokee hack hit the internet, a global coalition of automakers created the Automobile Industry Information Sharing and Analysis Center (Auto-ISAC). The group of 15 global automobile manufacturers represents 98 percent of the vehicles on the road in the United States.
On July 21, the Auto-ISAC published its best practices for the industry based on input from more than 50 automotive cyber-security experts. The document argues that manufacturers should focus on seven security principles: risk assessment and management, threat detection and protection, incident response, collaboration with third parties, better governance, and security awareness and training.
“Automakers have many safeguards already in place to protect against cyber-threats, and the industry will continue to evolve to match emerging technology and the changing threat landscape,” Tom Stricker, vice president of product regulatory affairs for Toyota Motor North America and the chairman of the Auto-ISAC, said in an email interview. “Security will continue to be a top priority as automakers incorporate new technology into vehicles to meet consumer demands.”