Data should be transmitted over secure and encrypted network connections. In the case of IMS, for example, the carrier network communicates with the IMS system via a VPN tunnel using 256-bit AES encryption.
"Having the vehicle initiate the communication prevents outside parties from hammering the device or the vehicle," Miners says. "It helps lock things down on the vehicle side."
The European Union Agency for Network and Information Security (ENISA) also issued guidance on vehicle security that largely maps to what the GAO found. ENISA encouraged the use of standards-based cryptography rather than development of proprietary approaches, and emphasized protection of personal driver data. ENISA also launched a Cars and Roads SECurity Expert Group to evaluate the problem.
As for existing standards, NHTSA has recommended that the auto industry consider the ISO 27000 series of security standards, and best practices like the Center for Internet Security’s Critical Security Controls for Effective Cyber Defense and SAE International’s J3061 Recommended Practice Cybersecurity Guidebook for Cyber-Physical Vehicle Systems.
According to NHTSA’s report: "The automotive industry should follow a robust product development process based on a systems-engineering approach with the goal of designing systems free of unreasonable safety risks including those from potential cybersecurity threats and vulnerabilities. Companies should make cybersecurity a priority by using a systematic and ongoing process to evaluate risks."
Consumer education also will be important. The Auto Care Association is launching such an effort this year around management and ownership of vehicle data. "Our theme is that when you purchase a car you should have the ability to own the data on the car and be able to control where and who has access to it," Lowe says.
"There are some elements of telemetry data that are in a gray space," Miners adds. "Whether the owner or the manufacturer owns that data will still need to be explored and tested more thoroughly. Is information on battery health that can be used to improve battery management techniques generated by the owner or the vehicle? I don't have a clear answer on that."
So far, security standardization efforts have been voluntary on the part of the automakers and other telematics system providers. If industry-led efforts to standardize and ensure security and privacy in increasingly connected vehicles move too slowly, it's likely that new regulations will emerge.
Lowe says the SVI could be submitted to SAE this year. As for federal regulation, it's unclear what may be coming. "We don't know who the next NHTSA administrator is going to be, and we have to wait and see," Lowe says. "Things are changing daily in Washington. We are hoping we can work cooperatively with the staff at NHTSA, as we have in the past."
"By 2020, 90 percent of the vehicles being released will have the ability to communicate, and that's a benefit to the industry," Lowe adds. "But if we don't have access, it could be detrimental."