Where current cybersecurity guidelines fall short
Illustration: Aïda Amer/Axios
Amidst legislative stalling, a consortium of twelve manufacturers has developed a framework for automotive cybersecurity best practices.
The big picture: At first glance, their guidelines hit the right points — incorporating security into design, developing risk assessment and incident response strategies — but current security solutions are not sufficient against increasingly sophisticated threats.
Background: The Self-Drive Act, a bill that didn't make it through Congress, required “manufacturers of highly automated vehicles to develop written cybersecurity and privacy plans for such vehicles prior to offering them for sale.”
- However, it fell short of prescribing specific guidelines for how security systems will ensure those objectives.
- In developing their own safety and cybersecurity guidelines, automakers were trying to keep drivers and passengers safe — and also aiming to satisfy regulators who, in the absence of industry action or input, could impose rules that may be less favorable to companies.
What's happening: Today, most security solutions rely on rules, logic and signatures to detect threats, but this means they can only detect known threats. Contemporary security systems essentially do the bare minimum to comply with security guidances.
- This is one reason current security measures are not the best place to start in designing a framework. Any time hackers develop new viruses or malware, cybersecurity programs play catch-up.
What's needed: To go beyond compliance and prevent hackers before they compromise security measures, manufacturers need to develop systems that will enable them to meet these still-unknown threats.
- Examination of vehicle system behavior anomalies could be a solution. If a hacker tries to install malware into a vehicle's ECU, the system would detect activity in the ECU that should not be taking place.
- In another scenario, if a vehicle's ECU is acting in an irregular manner, that could mean that malware is present. The system could be programmed to block vehicle operations until the threat is addressed, preventing the malware from acting.
The bottom line: Cyber threats are increasing as more vehicles become connected, and as connected vehicles become more sophisticated. Current solutions are not advanced enough to satisfy the spirit of even the strictest security and privacy guidelines. Updating the solutions and frameworks should go hand in hand.
Yossi Vardi is the CEO of SafeRide Technologies, an automotive cybersecurity startup.