SMITH BRAIN TRUST – Consider the electro-mechanical '57 Chevy. A push of the gas pedal pulled a cable and opened a butterfly valve, and you were accelerating. Now, driving is completely computerized – as recently showcased at the Consumer Electronics Show in Las Vegas and the 2017 North American International Auto Show in Detroit.
Automakers can make cars that talk to each other, and driverless technology has one expert predicting that kids born in 2017 will never drive a car. In the meantime, BMW's HoloActive Touch system presents "a free-floating display that's operated by finger gestures and confirms the commands with what the driver perceives as tactile feedback." And, Volvo's 90 series will facilitate conference calling in case you're caught in traffic en route to a critical meeting.
But there's a dark side to the Internet of cars era, demonstrated in part when hackers took control of a highway-bound Jeep Cherokee. The 2015 demonstration prompted Chrysler to recall more than a million vehicles.
"Securing the modern automobile is tricky. [The cars] are as – or even more – complex as the F-35 fighter jet," said Tim Weisenberger, ground vehicle project specialist for technical programs at SAE International, during the 13th annual Forum on Financial Information Systems and Cybersecurity: A Public Policy Perspective. The forum was organized by the University of Maryland's Robert H. Smith School of Business and School of Public Policy. "Auto engineers are new to this cybersecurity game, dealing with bits and bytes in real time at 70 miles per hour, and the driver could be somebody's grandmother. ... A fighter jet at least has a highly trained pilot."
Hacking through Bluetooth or infotainment suites and into electronic control units (ECUs), for example, can disable brakes, accelerate the vehicle or cause other havoc. But there's no single-product answer, because a vehicle has as many as 100 interconnected ECUs and more than 100 million lines of code sourced from multiple suppliers.
SAE's first-of-its-kind "Cybersecurity Guidebook for Cyber Physical Automotive Systems" addresses this factor with a "vendor-agnostic" approach, says Weisenberger. "This means the guide is directing auto engineers to 'not choose specific technical approaches,' but to follow guidelines to 'what are the approaches, tools and methodologies' for them to apply within their individual vehicle networks… Everybody's network is different," he says.
"We're talking about 15 different major auto manufacturers and a noodle soup of tier 1, tier 2 and tier 3 supply chains," he says. "Think of two Jeep Renegades parked next to one another. They're actually two unique products because they're assembled through just-in-time methodologies sourced by all sorts of different suppliers." Subsequently, SAE (formerly known as the Society of Automotive Engineers) experts "find it real tough to get to any nitty gritty detail of a specification."
As SAE experts are updating the guide, auto engineers are using it to integrate cybersecurity with safety and reliability into the car-making process. While this addresses what's built into a car, aftermarket "add-ons" or dongles that plug into the onboard diagnostic port (OBD) present a separate cyber-risk front, Weisenberger said. Examples are Progressive Insurance's "Snapshot," which tracks driver-safety habits, and Verizon's smart-car "Hum" product.
The House Committee on Energy and Commerce recently requested that the National Highway Traffic Safety Administration initiate an industry-wide effort to develop a plan of action for addressing risks associated with OBD add-ons. "Suffice it to say, auto manufacturers are leery of these products," Weisenberger said. "But there's not much they can do to impact the security of them."