Industry Group Debuts Cyber-safety Framework for Connected Cars

Increasing reliance on computer systems and internet connectivity in cars is opening up a whole new area of consumer risk, with proto-hacks demonstrating everything from radio takeovers to navigation system hijacking. To address this growing but still somewhat poorly understood area of cybersecurity, a volunteer association known as I Am The Cavalry is calling for the adoption of five key capabilities that create a baseline for safety relating to the computer systems in cars.

In an open letter addressed to CEOs in the automotive industry, the group noted that “modern vehicles are computers on wheels, and are increasingly connected and controlled by software and embedded devices. These new technologies enable innovations designed to increase vehicle safety and bring other positive features. Vehicle-to-vehicle communication, driverless cars, automated traffic flow, and remote control functions are just a few of the evolutions under active development. New technology introduces new classes of accidents and adversaries that must be anticipated and addressed proactively. Malicious attackers, software flaws, and privacy concerns are the potential unintended consequences of computer technologies driving this latest round of innovation. The once distinct worlds of automobiles and cyber security have collided. In kind, now is the time for the automotive industry and the security community to connect and collaborate toward our common goals.”

The framework has been dubbed the Five Star Automotive Cyber Safety Program, to mimic the nomenclature of physical safety guidelines for the industry:

  • Safety by Design – developing automotive computer systems with security in mind.
  • Third-Party Collaboration – publishing a clear vulnerability disclosure response policy that works with security researchers.
  • Evidence Capture – logging information that may assist with an investigation should one be necessary.
  • Security Updates – providing a mechanism for consumers to receive updates to computer systems quickly and easily as issues are found and fixed.
  • Segmentation and Isolation – ensuring that issues in non-critical systems do not impact the performance of critical systems.

“I think the proposed framework clearly states important principles and intent in a plain, sensible and workable way,” said Tony Sager, chief technologist for the Council on Cyber Security. “It puts information-sharing between vendors and researchers into a constructive framework and establishes a shared goal of continuous safety improvement.”

The letter has also been published as a petition with a request for members of the public to show their support for car safety. 
