According to one estimate, by 2020, 75 percent of new cars will have Internet connectivity, and will consequently be vulnerable to hackers, U.S. Assistant Attorney General John Carlin said in a recent keynote address.


“Not long ago, we could hardly imagine cars would be opened by fingerprints, drive by themselves and feature forward-collision warning and automatic-emergency braking. But by 2020, there could be 220 million so-called connected cars on the road, each with more than 200 sensors,” Carlin said when speaking at a Society of Automotive Engineers event in Detroit. “The same innovations that revolutionize the auto industry create vulnerabilities if not carefully deployed. Potential access to vehicle control systems could be used against us to undermine the very safety the technology was designed to provide.”


Last month, the FBI, along with the Department of Transportation and the National Highway Traffic Safety Administration, released a public service announcement warning that cars are “increasingly vulnerable to remote exploits” through USB, Bluetooth or Wi-Fi technology in the vehicle. The announcement warns that not only is any data shared on the vehicle’s computer susceptible, but a car could also be exploited remotely, giving someone the “ability to manipulate critical vehicle control systems.”


“There is no Internet-connected system where you can build a wall that’s high enough or deep enough to keep a dedicated nation-state adversary or a sophisticated criminal group out of the system,” Carlin said. “You may have excellent cyber defenses, but recent experience has taught us that we are only as strong as our weakest link. Hackers will use any available route into your system, and today, the most efficient path may be through those you let inside otherwise excellent defenses—third-party trusted vendors, subcontractors and others who may not share your standards.”


However, Carlin went on to explain that there are numerous steps automotive engineers can take to mitigate the risk, protect their companies and, ultimately, he said, protect the cyber security of the U.S. The first step is to design vehicles with security in mind. As cars are increasingly connected to the outside world via cellular, Bluetooth and other exposed entry points, control systems must be engineered for security from the outset. That means building cyber security into all phases of product development, beginning with the concept and product design, Carlin said.


Next, companies must realize that malicious actors can always exploit outside vendors. Therefore, Carlin advised, companies must consider guidelines to govern third-party access to the network and ensure that contracts require vendors to adopt appropriate cyber security practices.


Another key step is to always strive to protect the company’s bottom line, particularly when it comes to risk management. Companies increasingly consider cyber insurance, and Carlin recommends evaluating how that may fit into a risk management strategy.


“Finally, do not go it alone. We are safer when we work together to track and share cyber threats and to identify trends and common weaknesses,” Carlin said. “I commend the industry for recently establishing its own sector-specific information sharing and analysis center—the Auto-ISAC—which serves as a hub for the industry to share, in real time, cyber threat information and countermeasures.”


Carlin also noted that collaboration between government and the private sector is critical to the country’s ability to successfully prevent, investigate and attribute cyber attacks. The U.S. government can, he continued, provide automotive engineers with information to protect the manufacturers’ networks. “We also may be able to take actions to disrupt and deter the attackers that you cannot take by yourself,” Carlin said.


What are your thoughts on cyber vulnerabilities that stem from the increasing connectedness of today’s cars? Secondly, how do you think Auto-ISAC can help the automotive industry?