A ‘door-open’ warning as a vehicle cruises at highway speed is very worrisome. But if the alert doesn’t match reality, a cyber hack could be the culprit.
“It’s all about contextual information. So if you’re driving at 70 mph (112 km/h) and you see a signal from the body computer that a door is open, that’s probably a signal out-of-context. There’s something going on there,” said Bruce Coventry, Chairman of TowerSec, a supplier of cyber security software for vehicles with research and development headquarters in Tel Aviv, Israel.
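The context check Coventry describes can be sketched in code. This is an added example, not TowerSec's software or anything from the panel: the signal names, the thresholds and the sample trace are all assumptions constructed for illustration. It flags a door-open report only when a recent speed reading contradicts it and the report repeats, so a parked car or a one-frame glitch raises nothing.

```python
from dataclasses import dataclass

@dataclass
class Sample:
    t: float      # seconds since start of trace
    signal: str   # hypothetical decoded signal name: "speed_kmh" or "door_open"
    value: float

# All three thresholds are assumptions chosen for this example.
SPEED_LIMIT_KMH = 100.0  # speed above which an open door is implausible
MAX_SPEED_AGE_S = 0.5    # older speed readings are not usable as context
MIN_REPEATS = 3          # consecutive contradictory reports before alerting

def out_of_context_alerts(samples):
    """Return timestamps where door-open reports contradict vehicle speed."""
    alerts = []
    last_speed = None  # (timestamp, km/h) of the newest speed reading
    streak = 0         # consecutive door-open reports that contradict speed
    for s in sorted(samples, key=lambda x: x.t):
        if s.signal == "speed_kmh":
            last_speed = (s.t, s.value)
        elif s.signal == "door_open":
            fresh = (last_speed is not None
                     and s.t - last_speed[0] <= MAX_SPEED_AGE_S)
            if s.value and fresh and last_speed[1] >= SPEED_LIMIT_KMH:
                streak += 1
                if streak == MIN_REPEATS:  # alert once per sustained run
                    alerts.append(s.t)
            else:
                streak = 0  # door closed, car slow, or no fresh context
    return alerts

# Constructed trace: door open while parked, a single glitch at speed,
# then a sustained door-open report at 112 km/h.
TRACE = [
    Sample(0.0, "speed_kmh", 0), Sample(0.1, "door_open", 1),
    Sample(0.2, "door_open", 0),
    Sample(10.0, "speed_kmh", 112), Sample(10.1, "door_open", 1),
    Sample(10.2, "door_open", 0), Sample(10.3, "speed_kmh", 112),
    Sample(10.4, "door_open", 1), Sample(10.5, "door_open", 1),
    Sample(10.6, "speed_kmh", 112), Sample(10.7, "door_open", 1),
]

if __name__ == "__main__":
    print(out_of_context_alerts(TRACE))
```
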
A vehicle’s tire pressure monitoring, onboard diagnostics, anti-theft, and other vehicle systems operating via an electronic control unit with wireless capability provide possible entry points for hackers.
“As a company, we’ve explored and exploited all of these entry points,” said Coventry. “From a security perspective, we see many weak and vulnerable vehicle systems interacting with stronger systems. And a smart hacker goes after the weakest links--weak encryption, weak algorithms, and unprotected interfaces.”
Coventry and other persons involved with cyber security were panelists at a recent Society of Automotive Analysts discussion hosted by the Automotive Industry Action Group in Southfield, MI.
To date, the most notorious cyber attack on a vehicle had two hackers controlling a Jeep Cherokee via wireless access. This high-profile hijack with a hapless, willing driver inside the vehicle ended with the SUV sliding into a grassy ditch after the hackers remotely cut the brakes.
That July 2015 event prompted Fiat Chrysler Automobiles’ voluntary safety recall to update software on approximately 1.4 million U.S. vehicles equipped with certain radios.
“The good thing about the Jeep [incident] is it gave the car companies an ROI (return on investment) measure for taking actions to prevent hacking. If you assume just a $100 cost per car, you’re talking about $140 million,” said panel moderator John McElroy, a journalist and analyst.
Tom Winterhalter, the Federal Bureau of Investigation’s supervisor for the Detroit division’s cyber squad, said engineers should be designing for ‘what if’ occurrences. “What happens if I try to inject a different type of data packet, or connect the wires differently, or change the voltage, change the current—what is the impact?” asked Winterhalter, who worked as an ASIC engineer designing computer chips for Compaq and Hewlett-Packard prior to joining the FBI.
A comprehensive plan for protecting vital information is a necessary undertaking for businesses, said attorney James Giszczak, Chair of the Data Privacy and Cybersecurity Practice Group at the McDonald Hopkins law offices in Bloomfield Hills, MI.
“Every organization that has information is a [hacker] target--whether that’s confidential, proprietary information, or whether it’s employee information,” said Giszczak. “We have all these buckets of data to protect: our employee data, our customer data, our trade secret information. Are we protecting all of this appropriately?”
Every worker throughout the supply chain should be trained in how to handle documents and data, and that includes information stored on the cloud.
Elaina Farnsworth, CEO of Mobile Comply, a Troy, MI-headquartered firm specializing in connected vehicle education and certification, said information technology specialists are not the only ones in an organization who need to be strong in the tactics of securing data.
“The most important thing you can do internally and externally is to convey the appropriate information and train your workforce and vendors to understand what the risks really are and how to mitigate the risks,” said Farnsworth.
Mobile Comply, the Connected Vehicle Trade Association, and SAE International have partnered to provide connected vehicle professional certification programs covering aspects such as industry best practices, communication protocols, and security.
Training and certification hinge on being able to channel competency throughout a company’s workforce by having the right conversations with the right people, said Farnsworth. “The goal is to have the group understand the basic, best practice of how to protect themselves against threats,” she said. “And if there is a compromise, how to respond to that compromise.”