The connected vehicle and telematics market is increasingly data-intensive, which has raised a number of security and privacy concerns in the automotive industry, for insurance companies and among consumers. While a number of efforts are underway to help ensure the safety of these telematics and other systems, approaches by automotive OEMs and telematics providers remain uncoordinated and lack any sort of standardization.
There are now mobile apps and vehicle systems that could potentially allow hackers to unlock car doors or even control safety systems remotely.
In 2016, NHTSA issued guidance on cybersecurity for vehicles, recommending a layered approach to reduce the probability of attacks, as well as timely detection and rapid response to potential cybersecurity incidents. So far, the federal government has not created any new regulatory authority around vehicle cybersecurity, but it could be coming if industry efforts are seen as insufficient.
Any security approach will require balancing safety with access requirements. There is already some indication that OEMs are hoping to restrict OBD-II access (in a few cases, they have made it physically difficult to keep a dongle-type device plugged into the port during vehicle operation).
While this could make the data more secure, it would impede mandated access to emissions information, as well as aftermarket and third-party provider access to vehicle operational and maintenance data. That debate will likely get much louder as the universe of telematics technologies expands.
"There were early attempts by the manufacturers to simply block access to the OBD port, but those approaches have matured," says Ben Miners, vice president of innovation at Intelligent Mechatronic Systems (IMS), which offers the DriveSync connected car platform. "No they are managing the secure delivery of information from their own back-end servers, which at least puts control of the content with the manufacturers or a contractor."
That's why the aftermarket is trying to have an active voice in this discussion. The Auto Care Association has been working with vehicle manufacturers and other industry trade groups to create a secure vehicle interface (SVI) standard that could be turned into an official Society of Automotive Engineers (SAE) standard.
"It would allow data communicated through the OBD port or through a wireless method to be transmitted from the vehicle such that vehicle systems are protected but data is available to be used," says Aaron Lowe, senior vice president of regulatory and government affairs at the Auto Care Association. "That would provide security, but still allow the industry to have access to the diagnostic data."
That collaborative effort should hopefully keep open access part of the discussion. "There seems to be willingness to look at some methods like SVI to make sure it happens in a way that doesn’t close off the OBD port," Lowe says. "It’s challenging but we think we are addressing those challenges.
Security best practices
In 2016 the U.S. Government Accountability Office (GAO) issued a report on vehicle cybersecurity recommendations. It found that current technologies leave vehicle systems vulnerable to cyber attacks. Those problems have been exacerbated by a lack of transparency, communication and collaboration when it comes to cybersecurity across the auto supply chain.
The auto industry is taking steps to improve security. The Automotive Information Sharing and Analysis Center (Auto-ISAC), for example, was formed to collect and analyze threat data. A large number of vehicle and equipment manufacturers are ISAC participants, and NHTSA sees ISAC as a key part of having a rapid response system in place to address vehicle cyber attacks. Auto-ISAC has issued a best practices document that encourages the use of established cybersecurity guidelines in automotive design, including NIST SP 800-61, NIST SP 800–150, and ISO/IEC 27010.
NHTSA also has taken steps to address cybersecurity, but its role is still unclear – particularly now that there has been a change in administrations and the new head of NHTSA has yet to be identified. The agency did not plan to make a determination on the need for new government standards or regulations until 2018.
There have already been proposals for new regulations, though. In 2015, Senators Richard Blumenthal (D-Conn.) and Ed Markey (D-Mass.) proposed legislation that would require NHTSA and the Federal Trade Commission to establish federal standards for vehicle data security and privacy in the wake of several well-publicized incidents of vehicle safety and security vulnerabilities. Those included research demonstrations that showed hackers could remotely control vehicle systems (including car stereos, windshield wipers, and brakes) while the car was in motion. Those tests led Chrysler to recall 1.4 million vehicles.
Current security approaches vary by company. Among the key practices identified by the GAO are:
• Conducting risk assessments
• Incorporating security-by-design principles
• Creating domain separation for in-vehicle networks
• Implementing a layered approach to security
• Conducting penetration testing
• Conducting code reviews
• Developing over-the-air update capabilities
For aftermarket telematics providers, there also are some good best practices. Plug-in devices should minimize the amount of data held within the device itself. The device should also initiate all communication (it shouldn’t accept any communications from outside sources).
Data should be transmitted over secure and encrypted network connections. In the case of IMS for example, the carrier network communicates with the IMS system via a VPN tunnel using 256-bit AES encryption.
"Having the vehicle initiate the communication prevents outside parties from hammering the device or the vehicle," Miners says. "It helps lock things down on the vehicle side."
The European Union Agency for Network and Information Security (ENISA) also issued guidance on vehicle security that largely maps to what the GAO found. ENISA encouraged the use of standards-based cryptography rather than development of proprietary approaches, and emphasized protection of personal driver data. ENISA also launched a Cars and Roads SECurity Expert Group to evaluate the problem.
As far as existing standards, NHTSA has recommended that the auto industry consider the ISO 27000 series of security standards, and best practices like the Center for Internet Security’s Critical Security Controls for Effective Cyber Defense,” and SAE International’s J3061 Recommended Practice Cybersecurity Guidebook for Cyber-Physical Vehicle Systems.
According to NHTSA’s report: "The automotive industry should follow a robust product development process based on a systems-engineering approach with the goal of designing systems free of unreasonable safety risks including those from potential cybersecurity threats and vulnerabilities. Companies should make cybersecurity a priority by using a systematic and ongoing process to evaluate risks."
Consumer education also will be important. The Auto Care Association is launching such an effort this year around management and ownership of vehicle data. "Our theme is that when you purchase a car you should have the ability to own the data on the car and be able to control where and who has access to it," Lowe says.
"There are some elements of telemetry data that are in a gray space," Miners adds. "Whether the owner or the manufacturer owns that data will still need to be explored and tested more thoroughly. Is information on battery health that can be used to improve battery management techniques generated by the owner or the vehicle? I don't have a clear answer on that."
So far, security standardization efforts have been voluntary on the part of the automakers and other telematics system providers. If industry-led efforts to standardize and ensure security and privacy in increasingly connected vehicles move too slowly, it's likely that new regulations will emerge.
Lowe says the SVI could be submitted to SAE this year. As for federal regulation, it's unclear what may be coming. "We don't know who the next NHTSA administrator is going to be, and we have to wait and see," Lowe says. "Things are changing daily in Washington. We are hoping we can work cooperatively with the staff at NHTSA, as we have in the past."
"By 2020, 90 percent of the vehicles being released will have the ability to communicate, and that's a benefit to the industry," Lowe adds. "But if we don't have access, it could be detrimental."
Subscribe to Aftermarket Business World and receive articles like this every month….absolutely free. Click here.
