There exists a direct relationship between our reliance on technology and the potentially detrimental impacts of cybersecurity compromises. The more integrated and dependent we become as a society on computing, the more relevant the cybersecurity risks become. Transportation will be the next great test case we face, one which potentially puts our lives at risk.
Computing technology is a powerful tool. One which we are embracing more and more every day in our lives to build, experience, and evolve our world. Communication, manufacturing, and transportation industries are just a few of the domains being revolutionized. But as we connect and extend more control to devices which intersect life-safety roles, the cybersecurity weaknesses can play a more visceral role in our lives. Nowhere will this be more apparent than the changes taking place in the transportation industry. Our cars, planes, and trains, are becoming smarter, connected, and more autonomous.
For some time, computers have played a passive role in monitoring critical systems in order to optimize or report problems in our transportation devices. But as we evolve, we demand more. Nowadays, computers are taking a more active role and given direct access to control vehicle navigation, steering, speed, and braking controls. Take for example the simple auto-park features in newer cars. It seems harmless, as it occurs at very slow speeds, but consider the access on-board computers must have to successfully get the vehicle into that tight spot. The conveyance sensors determine the path, identify obstacles, take control of the steering, acceleration, and braking. Basically, the computers must access to all the critical functions of the vehicle. This has the potential for greater efficiency, safety, usability. But it can equally create disastrous situations.
Researchers are hacking the software, networks, and hardware systems in cars and gaining access to these systems. What happens when malicious attackers do this to a vehicle? They could cause a fatal accident. Now think bigger. What happens when malicious attackers do this to hundreds or thousands of vehicles simultaneously? Disaster.
Much of the current vulnerability research is limited to a single vehicle, with the attacker in close proximity. Recently a 14 year-old hacked a car with $15 worth of off-the-shelf equipment. Vulnerability experts were able to hack a Tesla Model S to make the doors open while the vehicle was being driven.
The researchers are typically inside the vehicle, connecting into a planes controls through the on-board entertainment system or accessing a car’s computers via the diagnostic port for example. Vulnerabilities also extend to flaws in software doing unexpected things and external control networks such as traffic routing systems. A crash of an Airbus transport plane has been attributed to a software bug which did a “wipe” of critical engine control data, killing the 4 test crewmembers. A recent report found hackers could ‘Crash Trains’ using a cyber attack.
But this is not where the research will stop. Cars, trains, and planes are connecting to the Internet and private remote networks in greater numbers. What is taking place by researchers today with direct access to a vehicle, may eventually be done remotely by a hacker halfway around the world.
Manufacturers, governments, and consumers must think hard about potential consequences, as they may be life-threatening. This is not a denial-of-service attack making a webpage unavailable. These are people’s lives at stake and must be approached with the appropriate level of seriousness and forethought. Consumer Reports recently called on members to pressure Congress for more protections
Privacy is also an issue. An unflattering report from U.S. Senator Ed Markey, evaluated 16 manufacturers and found “a clear lack of appropriate security measures to protect drivers against hackers who may be able to take control of a vehicle or against those who may wish to collect and use personal driver information.”
Vehicles today have evolved to become a miniature electronic ecosystem, with nodes, networks, multiple processors, actuators, sensors, input interfaces, and displays. Each vehicle must have the right architecture, controls, and resiliency to defend itself, just like a modern enterprise. It is very challenging and largely unexplored territory.
The good news is many vehicle companies are concerned. They are exploring, investing, and working hard to understand the problem. But we too, as consumers and the government bodies chartered to protect the public, must also be actively involved in the discussion. We all have a stake in this matter, must set the right expectations, and hold accountable manufacturers to deliver and operate safe products, both at the point of sale and across the vehicle’s lifetime. The next few years will be critical in setting the stage as manufacturers are pressured by heated competition to deliver new automated capabilities, seek to meet any emerging regulatory requirements, and struggle with making sure their products are safe from ever more sophisticated cybersecurity threats. We all may be in for a bumpy ride.
IT Peer Network: My Previous Posts