
IoT/Embedded Security

9/22/2017
12:25 PM
Simon Marshall

Law Comes to Self-Driving Wild West

Legislation has begun focusing on the security needs of self-driving cars. Part one of a two-part article.

Earlier this month, bill number H.R.3388 passed the House, and now awaits comment from the Senate Committee on Commerce, Science, and Transportation, having already been read twice. Better known as the Self Drive Act, it seeks to define a set of safety standards for autonomous vehicles (AVs) that can be administered by the Department of Transportation (DOT).

The bill is seen by onlookers as a push by the government to encourage the commercial development of the autonomous car sector. According to them, the aim, quite literally, is to help sector stakeholders get rubber on the road. Car developers and manufacturers stand to benefit, but so should consumers, as this legislation is also credited as a linchpin in reducing vehicular accidents caused by human inattention or negligence on the road.

When it comes to state-level laws and their enforcement, the picture is more fragmented. The National Conference of State Legislatures (NCSL) just published an update showing how rapidly individual states are independently beginning to enact legislation focused on AVs. But it also illustrates to what degree policy is open to interpretation depending -- frankly -- on who should control what.

The way in which vehicle control is handed over to a computer -- whether as assistance to drivers or as a complete substitute for drivers -- is a simpler concept, and it deserves the utmost scrutiny. The Self Drive Act specifies that car developers and manufacturers may not introduce a vehicle to the road unless there's a comprehensive cybersecurity plan in place for intrusion detection and mitigation. What that consists of today is squidgy, because every manufacturer will have its own performance standards that it is willing to hold itself accountable for.

Human drivers are theoretically seen as incompetent compared to computer control systems, and so the belief is that computer assistance will cut the accident rate. And the construction and mechanics of automobiles, trucks and semis -- across the fuel delivery, infrastructure, traction and steering systems that run today's vehicles -- are the peak of about 125 years of engineering. We know computers are smart, but the big question is what happens when the computer is no longer in control?

AV security issues
Observers have been warning for some time that potential security weaknesses could jeopardize vehicle integrity. Tony Lock, distinguished analyst at Freeform Dynamics, has been studying this area. "There are few standards for securing cars, so in a Darwinian way, I guess we'll find out what works best," he told Security Now with a chuckle.

"The security industry is well aware that it's high time to fix this issue," he said. "But it snuck up on them [car manufacturers], and during the design process, security was not their first thought. Arguably, it's still not really crossed their minds."

With some manufacturers thus seen as back-filling on security -- but trying to improve systems before launch -- while the government pushes legislation forward, we may have an explosive situation in the making.

Malcolm Harkins, chief security and trust officer at Cylance, a firm that develops AI-based threat intelligence, is worried about how this dynamic looks. "This is a time-to-market issue and there is pressure on the car manufacturers to bring things to market in order to ensure profit, so that safety can sometimes, unfortunately, become a secondary priority," he said.

There's consensus that, if not the government, then manufacturer engineers and lawyers won't allow unsafe vehicles to be launched at all, despite encouragement for manufacturers to do that. A popular view is that 2020 will see the first vehicles hitting the road, since this would comfortably give the DOT the two years specified in the Self Drive Act to define standards and get them in place beforehand.

But that assumes the DOT can rely on manufacturers who themselves, because of the mutating nature of IT security threats, will have a hard time preparing for every such threat and exploit. We can assume, given a hacker mentality, that AVs will be a choice target for disruption. So it's hard to see right now whether AVs can ever hit the road and really be perfectly safe.

Renaud Deraison, CTO and co-founder of Tenable, a company that provides cyber risk management services, says that the regulatory balance is one-sided. "We live in an interesting world with over-regulation on one side and under-regulation on the other. For example, it takes months for the FCC to approve a firmware update to a smart smoke alarm. On the other hand, we could be in a situation where car manufacturers can push an update overnight. The gap between these two extremes is astounding."

The second part of this article will be published on Monday, September 25. Check back then for the conclusion.

— Simon Marshall, Technology Journalist, special to Security Now
