
9/22/2017
12:25 PM
Simon Marshall

Law Comes to Self-Driving Wild West

Legislation has begun focusing on the security needs of self-driving cars. Part one of a two-part article.

Earlier this month, bill number H.R.3388 passed the House, and now awaits comment from the Senate Committee on Commerce, Science, and Transportation, having already been read twice. Better known as the Self Drive Act, it seeks to define a set of safety standards for autonomous vehicles (AVs) that can be administered by the Department of Transportation (DOT).

The bill is seen by onlookers as a push by the government to encourage the commercial development of the autonomous car sector. According to them, the aim, quite literally, is to help sector stakeholders get rubber on the road. Car developers and manufacturers stand to benefit, but so should consumers, as this legislation is also credited as a lynchpin in reducing vehicular accidents caused by human inattention or negligence on the road.

When it comes to state-level laws and their enforcement, the picture is more fragmented. The National Conference of State Legislatures (NCSL) just published an update showing how rapidly individual states are independently beginning to enact legislation focused on AVs. But it also illustrates to what degree policy is open to interpretation depending -- frankly -- on who should control what.

The way in which vehicle control is handed over to a computer -- whether as assistance to drivers or as a complete substitute for drivers -- is a simpler concept and it deserves utmost scrutiny. The Self Drive Act specifies that car developers and manufacturers may not introduce a vehicle to the road unless there's a comprehensive cybersecurity plan in place for intrusion detection and mitigation. What that consists of today is squidgy, because every manufacturer will have their own performance standards that they are willing to hold themselves accountable for.

Human drivers are theoretically seen as incompetent drivers compared to computer control systems, and so the belief is that computer assistance will cut the accident rate. And the construction and mechanics of automobiles, trucks and semis, across the fuel delivery, infrastructure, traction and steering systems that run today's vehicles, are the peak of about 125 years of engineering. We know computers are smart, but the big question is what happens when the computer is no longer in control?

AV security issues
Observers have been warning for some time that potential security weaknesses could jeopardize vehicle integrity. Tony Lock, distinguished analyst at Freeform Dynamics, has been studying this area. "There are few standards for securing cars, so in a Darwinian way, I guess we'll find out what works best," he told Security Now with a chuckle.

"The security industry is well aware that it's high time to fix this issue," he said. "But it snuck up on them [car manufacturers], and during the design process, security was not their first thought. Arguably, it's still not really crossed their minds."

With some manufacturers thus seen as back-filling on security -- but trying to improve systems before launch -- and yet the government pushing legislation forward, we may have an explosive situation in the making.

Malcolm Harkins, chief security and trust officer at Cylance, a firm that develops AI-based threat intelligence, is worried about how this dynamic looks. "This is a time-to-market issue and there is pressure on the car manufacturers to bring things to market in order to ensure profit, so that safety can sometimes, unfortunately, become a secondary priority," he said.

There's consensus that, if not the government, then manufacturer engineers and lawyers won't allow unsafe vehicles to be launched at all, despite encouragement for manufacturers to do that. A popular view is that 2020 will see the first vehicles hitting the road, since this would comfortably give the DOT the two years specified in the Self Drive Act to define standards and get them in place beforehand.

But that assumes that the DOT can rely on manufacturers who themselves, because of the mutating nature of IT security threats, will have a hard time preparing for every such threat and exploit. We can assume, given a hacker mentality, that AVs will be a choice target for disruption. So it's hard to see right now if AVs can ever hit the road and really be perfectly safe.

Renaud DeRaison, CTO and co-founder of Tenable, a company that provides cyber risk management services, says that the regulatory balance is one-sided. "We live in an interesting world with over-regulation on one side and under-regulation on the other. For example, it takes months for the FCC to approve a firmware update to a smart smoke alarm. On the other hand, we could be in a situation where car manufacturers can push an update overnight. The gap between these two extremes is astounding."

The second part of this article will be published on Monday, September 25. Check back then for the conclusion.

— Simon Marshall, Technology Journalist, special to Security Now
