Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT/Embedded Security

9/22/2017
12:25 PM
Simon Marshall
Simon Marshall
Simon Marshall
50%
50%

Law Comes to Self-Driving Wild West

Legislation has begun focusing on the security needs of self-driving cars. Part one of a two-part article.

Earlier this month, bill number H.R.3388 passed the House, and now awaits comment from the Senate Committee on Commerce, Science, and Transportation, having already been read twice. Better known as the Self Drive Act, it seeks to define of a set of safety standards for autonomous vehicles (AVs) that can be administered by the Department of Transportation (DOT).

The bill is seen by onlookers as a push by the government to encourage the commercial development of the autonomous car sector. According to them the aim, quite literally, is to help sector stakeholders get rubber on the road. Car developers and manufacturers stand to benefit, but so should consumers, as this legislation is also credited as a lynchpin in reducing vehicular accidents caused by human inattention or negligence on the road.

When it comes to state-level laws and their enforcement, the picture is more fragmented. The National Conference of State Legislatures (NCST) just published an update showing how rapidly individual states are independently beginning to enact legislature focused on AVs. But it also illustrates to what degree policy is open to interpretation depending -- frankly -- on who should control what.

The way in which vehicle control is handed over to a computer -- whether as assistance to drivers or as a complete substitute for drivers -- is a simpler concept and it deserves utmost scrutiny. The Self Drive Act specifies that car developers and manufacturers may not introduce a vehicle to the road unless there's a comprehensive cybersecurity plan in place for intrusion detection and mitigation. What that consists of today is squidgy, because every manufacturer will have their own performance standards that they are willing to hold themselves accountable for.

Human drivers are theoretically seen as incompetent drivers compared to computer control systems, and so the belief is that computer assistance will cut the accident rate. And, the construction and mechanics of automobiles, trucks and semis, across fuel delivery, infrastructure, traction and steering systems that runs today's vehicles are the peak of about 125 years of engineering. We know computers are smart, but the big question is what happens when the computer is no longer in control?

AV security issues
Observers have been warning for some time that potential security weaknesses could jeopardize vehicle integrity. Tony Lock, distinguished analyst at Freeform Dynamics, has been studying this area. "There are few standards for securing cars, so in a Darwinian way, I guess we'll find out what works best," he told Security Now with a chuckle.

"The security industry is well aware that it's high time to fix this issue," he said. "But it snuck up on them [car manufacturers], and during the design process, security was not their first thought. Arguably, it's still not really crossed their minds."

With some manufacturers thus seen as back-filling on security -- but trying to improve systems before launch -- and yet the government pushing legislation forward, we may have an explosive situation in the making.

Malcolm Harkins, chief security and trust officer at Cylance, a firm that develops AI-based threat intelligence, is worried about how this dynamic looks. "This is a time-to-market issue and there is pressure on the car manufacturers to bring things to market in order to ensure profit, so that safety can sometimes, unfortunately, become a secondary priority," he said.

There's consensus that, if not the government, then manufacturer engineers and lawyers won't allow unsafe vehicles to be launched at all, despite encouragement for manufacturers to do that. A popular view is that 2020 will see the first vehicles hitting the road, since this would comfortably give the DOT the two years specified in the Self Drive act to define standards and get them in place beforehand.

But that assumes that the DOT can rely on manufacturers who themselves, because of the mutating nature of IT security threats, will have a hard time preparing for every such threat and exploit. We can assume, given a hacker mentality, that AVs will be a choice target for disruption. So it's hard to see right now if AVs can ever hit the road and really be perfectly safe.

Renaud DeRaison, CTO and co-founder of Tenable, a company that provides cyber risk management services, says that the regulatory balance is one-sided. "We live in an interesting world with over-regulation on one side and under-regulation on the other. For example, it takes months for the FCC to approve a firmware update to a smart smoke alarm. On the other hand, we could be in a situation where car manufacturers can push an update overnight. The gap between these two extremes is astounding."

The second part of this article will be published on Monday, September 25. Check back then for the conclusion.

Related posts:

— Simon Marshall, Technology Journalist, special to Security Now

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Data Breaches Affect the Enterprise
Data breaches continue to cause negative outcomes for companies worldwide. However, many organizations report that major impacts have declined significantly compared with a year ago, suggesting that many have gotten better at containing breach fallout. Download Dark Reading's Report "How Data Breaches Affect the Enterprise" to delve more into this timely topic.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-4020
PUBLISHED: 2021-11-27
janus-gateway is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-23654
PUBLISHED: 2021-11-26
This affects all versions of package html-to-csv. When there is a formula embedded in a HTML page, it gets accepted without any validation and the same would be pushed while converting it into a CSV file. Through this a malicious actor can embed or generate a malicious link or execute commands via C...
CVE-2021-43785
PUBLISHED: 2021-11-26
@joeattardi/emoji-button is a Vanilla JavaScript emoji picker component. In affected versions there are two vectors for XSS attacks: a URL for a custom emoji, and an i18n string. In both of these cases, a value can be crafted such that it can insert a `script` tag into the page and execute malicious...
CVE-2021-43776
PUBLISHED: 2021-11-26
Backstage is an open platform for building developer portals. In affected versions the auth-backend plugin allows a malicious actor to trick another user into visiting a vulnerable URL that executes an XSS attack. This attack can potentially allow the attacker to exfiltrate access tokens or other se...
CVE-2021-41243
PUBLISHED: 2021-11-26
There is a Potential Zip Slip Vulnerability and OS Command Injection Vulnerability on the management system of baserCMS. Users with permissions to upload files may upload crafted zip files which may execute arbitrary commands on the host operating system. This is a vulnerability that needs to be add...