The UK government has published key principles for connected and autonomous vehicles, aimed as a guide for automakers, suppliers, and developers looking to deploy self-driving cars in the future.
The eight principles are:
- Organizational security is owned, governed and promoted at board level.
- Security risks are assessed and managed appropriately and proportionately, including those specific to the supply chain.
- Organizations need product aftercare and incident response to ensure systems are secure over their lifetime.
- All organizations, including sub-contractors, suppliers and potential 3rd parties, work together to enhance the security of the system.
- Systems are designed using a defense-in-depth approach.
- The security of all software is managed throughout its lifetime.
- The storage and transmission of data is secure and can be controlled.
- The system is designed to be resilient to attacks and respond appropriately when its defenses or sensors fail.
Most of the principles (and sub-principles) are focused on car security. All software developed for a connected car needs to be actively maintained, upgraded, and automakers should ensure that even legacy software remains protected if some cars still use it.
Make data tough to crack
Data sent to and from an autonomous vehicle should be encrypted and, to reduce the likelihood of a cyber-attack, the government urges automakers to reduce a number of possibilities for attackers to penetrate the car’s software. Waymo CEO John Krafcik said it is already taking most of its technical services offline, using the cloud only for necessary traffic updates.
“Connected vehicles are the future of our transportation infrastructure and are highly vulnerable to attack,” said Sir David Omand, former Director of GCHQ and strategic advisor to Paladin Capital Group. “We have already seen demonstrations of remote hacking of vehicles. We must ensure that as the UK adopts these transformative technologies that we are protected from potentially catastrophic threats to the safety of our society.”
The government wants to see more collaboration between partners and more rigorous analysis by all parts of the automotive industry. It also wants automakers to create several fail safes for the hardware (sensors, Lidar, radar) and software, in case a physical or cyber attack takes one of the systems offline.
“We applaud the UK government for taking preemptive action, and by zeroing in on preventing cyberattacks as critical for the adoption of self-driving cars on a mass scale,” said David Barzilai, chairman and co-founder of Karamba Security.
“But in one area, we don’t feel these guidelines go far enough toward effectively preventing car hacking. Cars are not servers or mobile phones that can sustain the risk of hidden security bugs. The time it takes to remediate such bugs in production, while hackers exploit them and create damage, can compromise consumers’ safety.”
The UK has been one of the first to set out autonomous laws, but driverless tests on highways are still two years from happening. That puts the country behind some of the U.S. more progressive states, China, and Germany.