9/22/2017
12:25 PM
Simon Marshall

Law Comes to Self-Driving Wild West

Legislation has begun focusing on the security needs of self-driving cars. Part one of a two-part article.

Earlier this month, bill number H.R.3388 passed the House, and now awaits comment from the Senate Committee on Commerce, Science, and Transportation, having already been read twice. Better known as the Self Drive Act, it seeks to define a set of safety standards for autonomous vehicles (AVs) that can be administered by the Department of Transportation (DOT).

The bill is seen by onlookers as a push by the government to encourage the commercial development of the autonomous car sector. According to them, the aim, quite literally, is to help sector stakeholders get rubber on the road. Car developers and manufacturers stand to benefit, but so should consumers, as this legislation is also credited as a lynchpin in reducing vehicular accidents caused by human inattention or negligence on the road.

When it comes to state-level laws and their enforcement, the picture is more fragmented. The National Conference of State Legislatures (NCSL) just published an update showing how rapidly individual states are independently beginning to enact legislation focused on AVs. But it also illustrates to what degree policy is open to interpretation depending -- frankly -- on who should control what.

The way in which vehicle control is handed over to a computer -- whether as assistance to drivers or as a complete substitute for drivers -- is a simpler concept and it deserves utmost scrutiny. The Self Drive Act specifies that car developers and manufacturers may not introduce a vehicle to the road unless there's a comprehensive cybersecurity plan in place for intrusion detection and mitigation. What that consists of today is squidgy, because every manufacturer will have their own performance standards that they are willing to hold themselves accountable for.

Human drivers are theoretically seen as incompetent drivers compared to computer control systems, and so the belief is that computer assistance will cut the accident rate. And the construction and mechanics of automobiles, trucks and semis, across the fuel delivery, infrastructure, traction and steering systems that run today's vehicles, are the peak of about 125 years of engineering. We know computers are smart, but the big question is what happens when the computer is no longer in control?

AV security issues
Observers have been warning for some time that potential security weaknesses could jeopardize vehicle integrity. Tony Lock, distinguished analyst at Freeform Dynamics, has been studying this area. "There are few standards for securing cars, so in a Darwinian way, I guess we'll find out what works best," he told Security Now with a chuckle.

"The security industry is well aware that it's high time to fix this issue," he said. "But it snuck up on them [car manufacturers], and during the design process, security was not their first thought. Arguably, it's still not really crossed their minds."

With some manufacturers thus seen as back-filling on security -- but trying to improve systems before launch -- and yet the government pushing legislation forward, we may have an explosive situation in the making.

Malcolm Harkins, chief security and trust officer at Cylance, a firm that develops AI-based threat intelligence, is worried about how this dynamic looks. "This is a time-to-market issue and there is pressure on the car manufacturers to bring things to market in order to ensure profit, so that safety can sometimes, unfortunately, become a secondary priority," he said.

There's consensus that, if not the government, then manufacturer engineers and lawyers won't allow unsafe vehicles to be launched at all, despite encouragement for manufacturers to do that. A popular view is that 2020 will see the first vehicles hitting the road, since this would comfortably give the DOT the two years specified in the Self Drive Act to define standards and get them in place beforehand.

But that assumes that the DOT can rely on manufacturers who themselves, because of the mutating nature of IT security threats, will have a hard time preparing for every such threat and exploit. We can assume, given a hacker mentality, that AVs will be a choice target for disruption. So it's hard to see right now if AVs can ever hit the road and really be perfectly safe.

Renaud DeRaison, CTO and co-founder of Tenable, a company that provides cyber risk management services, says that the regulatory balance is one-sided. "We live in an interesting world with over-regulation on one side and under-regulation on the other. For example, it takes months for the FCC to approve a firmware update to a smart smoke alarm. On the other hand, we could be in a situation where car manufacturers can push an update overnight. The gap between these two extremes is astounding."

The second part of this article will be published on Monday, September 25. Check back then for the conclusion.

— Simon Marshall, Technology Journalist, special to Security Now