The world is abuzz with driverless cars! They’re going to change the world! We are all aware of the growing column inches that they receive (this article included) and there is great hope for this emerging technology.
But there is also plenty of concern about the safety and security of these vehicles – and quite rightly so. We have seen many reports of these cars being hacked, and human life is at risk, so you would assume that security is of paramount concern to manufacturers. You would assume, wouldn’t you?
I did my MSc in Information Security project on the security of driverless cars. Amongst other things, I looked at published attacks on these vehicles – and it threw up two disturbing, if not frightening, findings.
Firstly, the attacks performed so far on driverless (and connected) cars have been possible due to all too familiar failings. You may have heard of these vehicles being described as computers on wheels, and this is a fair description. Whatever else is going on under the hood, they still work as a collection of many computers (Electronic Control Units or ECUs) that communicate around the car over wires (primarily the Controller Area Network or CAN bus).
There are lots of ways for an attacker to try and get into the system: from media players, USB ports and WIFI to name but a few. Researchers have looked at these systems and found flaws that have enabled them to conduct even the ultimate of attacks, which is to remotely connect to a car and take control of physical systems such as steering and brakes. One of the most high-profile of these was the 2015 Jeep attack that resulted in the recall of some 1.4 million vehicles.
So why are we seeing familiar issues in a new technology? Checkoway et al. raise a possible explanation in their 2011 paper on automotive attack surfaces. In it, they talk of history repeating the lessons learnt from the past.
When computers were first introduced, it was without the ubiquitous connectivity that we enjoy today. It was when connectivity was added that vulnerabilities started to emerge. In a similar way, when the internet was conceived, the underlying protocols were designed without the threat of attackers being front and center.
But it’s all OK, we learnt the lesson – it is a bad idea to bolt-on security, it needs to be baked in from the start. We did learn the lesson, didn’t we?
It is here that we get to the most shocking part of my project. The Ponemon Institute surveyed the state of cybersecurity in the automotive industry in 2015 and 2016, providing some sobering insight. In the 2015 survey, they reported that security is not in the Software Development Lifecycle (SDLC) and that only 41% of developers agreed that ‘secure software is a priority for their company’.
The 2016 report showed some improvement but worryingly only 15% of those surveyed felt that security was an integral part of their processes, and a further 47% believed that security was an add-on afterthought.
These results could go some way to explaining the extent of vulnerabilities and exploits seen in recent years in connected and autonomous cars. It may also explain why the mistakes of the past appear to have been repeated. If security had been top of the agenda for manufacturers, then I imagine we would have seen robust architectures from the outset, rather than the iterative improvements that we now see following more and more compromises. We are familiar with this scenario; a market development occurs and all parties rush out products with security taking, excuse the pun, a back seat.
So what can be done? The horse has bolted the stables and we are on the less than desirable position of adding security on again. A brave manufacturer would start with a clean sheet, design a security-focused system and ensure that security was in the driving seat (last one, I promise).
For me though, the survey results raise some more fundamental questions around the importance of human behavior to security. We have moved on from the days of information security being the preserve of IT; most now accept that it is an important issue for the company as a whole. CISOs are no longer merely IT experts, but also business managers in their own right.
To this, I would like to add a third dimension as a necessary pillar of their expertise/repertoire – that of a social-scientist. Dourish and Anderson’s 2006 paper, ‘Collective Information Practice’, published in the Human-Computer Interaction journal examines the view that security is not just about technology, and that social and organizational culture play a key role too. If these Ponemon findings are any reflection on the culture of the automotive industry’s attitude to security, then much needs to be done.
Only by having a culture where security is paramount do we get the level of security that life-critical systems such as driverless cars deserve. It would be very interesting to see how these results compare to other safety critical industries, such as aircraft manufacturers.
If we accept that human behavior is crucial to information security, then how you influence the human behavior in your organization (perhaps with a thoughtful blend of carrot and stick) is also crucial to your information security performance.
We know that successful management of information security requires a comprehensive approach to many business areas (just look at the extent of controls in Annex A of ISO 27001 for example). But it is human behavior that underpins and drives the outcomes of our efforts. If this is the case, then these survey results are of concern as we approach the world of the driverless car.
I wholeheartedly support the arrival of autonomous vehicles, but I would welcome a marked improvement in these survey results in the coming years. If not, I just hope that there is still a steering wheel in these cars when I finally get inside one.
Simon Butler is a cybersecurity researcher at the Centre for Doctoral Training (CDT) at Royal Holloway, University of London. Simon completed the MSc Information Security in 2017 before joining the CDT. He has wide experience of working in security, both for government agencies and also in the corporate world as a security consultant. His research areas of interest include the security of driverless cars, which was the topic of his MSc project, and also in emerging blockchain technology.