by Associate Christopher Achatz and Summer Associate Ashlee Difuntorum
In the next five years we will see more and more self-driving vehicles, or autonomous vehicles, hit the market. An “autonomous vehicle” is a vehicle capable of navigating roadways and interpreting traffic-control devices without a driver actively operating any of the vehicle’s control systems. Although self-driving vehicles have the potential to drastically reduce accidents, travel time, and the environmental impact of road travel, concerns remain that could delay widespread adoption. Of particular concern are data privacy and security risks. This article addresses the cybersecurity issues of self-driving vehicles. We have also published an article discussing privacy issues of self-driving vehicles, which can be found here.
The numerous points of entry into a self-driving vehicle’s computer system give clever thieves and cyber terrorists multiple opportunities to take control of vehicles. For example, in 2010, one man in Austin, Texas triggered horns and disabled the ignition systems in more than 100 non-autonomous vehicles by hacking into an auto dealer’s computer system.1 Additionally, in 2015, two cybersecurity researches hacked into a vehicle’s internal network and paralyzed it on a highway.2 While hackers like these can control non-autonomous vehicles through entry points like internal network systems, entertainment systems, hand-free cell-phone operations, and satellite radio, self-driving vehicles are even more vulnerable to attacks, because they have all of those entry points plus many more.
The automotive industry has addressed the issue of cybersecurity of self-driving vehicles by creating a series of Automotive Cybersecurity Best Practices (“Automotive Best Practices”).3 The Automotive Information Sharing and Analysis Center (“Auto-ISAC”) issued the Automotive Best Practices, which guide how individual companies can implement the previously released “Enhance Automotive Cybersecurity” Principle. The Automotive Best Practices cover organizational and technical aspects of vehicle cybersecurity, including governance, risk management, security by design, threat detection, incident response training, and collaboration with appropriate third parties. In effect, the Automotive Best Practices prompt participating members to enhance the security of self-driving vehicles by managing cybersecurity at the product level. The Automotive Best Practices are listed below.
In addition to the automotive industry, the federal government has also issued non-binding guidance to the motor vehicle industry for improving cybersecurity issues of autonomous vehicles. The National Highway Traffic Safety Administration (“NHTSA”) first issued guidelines in October 2016 (“NHTSA Best Practices 1.0”).4 Specifically, in an effort to reduce the probability of a successful cybersecurity attack, those cybersecurity best practices promote a layered approach to vehicle cybersecurity. For example, the NHTSA Best Practices 1.0 suggests that the automotive industry creates a culture of leadership where they can handle increasing cybersecurity challenges, mechanisms for information sharing, a documented process for responding to incidents, and more. Furthermore, the NHTSA has warned that if the industry does not follow the guidelines, cybersecurity vulnerabilities will likely occur, and that such vulnerabilities may be considered safety defects compelling a recall.5 The NHTSA Best Practices 1.0 have been listed below.
In September 2017, the NHTSA updated its guidelines (NHTSA Best Practices 2.0).6 Like the first version, this updated version recommends that the industry dedicate resources to assessing risk and testing vehicles for cybersecurity vulnerabilities. However, this updated version puts even more emphasis on the importance of responding to incidents than the first version. For example, NHTSA now recommends that entities have a documented process for transitioning to a minimal risk condition when a problem is encountered and consider methods of returning self-driving vehicles to a safe state immediately after being involved in a crash. Additionally, unlike the first version, the updated version includes guidelines for state legislatures and highway safety officials. The NHTSA recommends that those entities document how they intend to account for all applicable Federal, State, and local laws in the design of their vehicles and self-driving vehicles. The NHTSA Best Practices 2.0 have been listed below.
The estimated amount of savings in the U.S. that will be caused by the adoption of driverless cars.7
The number of vehicles NHTSA’s enforcement authority recalled in July 2015 due to cybersecurity vulnerabilities.8
The number of states to date that have introduced and passed legislation relating to self-driving vehicles.9
The percentage of fatalities on U.S. roads in 2014 that were caused by human error or faulty decision-making.10
Automotive Best Practices enacted by the Auto-ISAC, including some of the various specifications:
2. Risk Assessment and Management:
3. Security by Design:
4. Threat Detection and Protection:
5. Incident Response and Recovery:
6. Training and Awareness:
7. Collaboration and Engagement with Appropriate Third Parties:
NHTSA Best Practices 1.0:
1. Vehicle Development Process With Explicit Cyber Security Considerations:
2. Leadership Priority on Product Cybersecurity:
3. Information Sharing:
4. Vulnerability Reporting Policy:
5. Incident Response Process:
7. Risk Assessment:
8. Penetration Testing and Documentation:
NHTSA Best Practices 2.0
1. System Safety:
2. Operational Design Domain:
3. Object and Event Detection and Response:
4. Fallback (Minimal Risk Condition):
5. Validation Methods:
6. Human Machine Interface:
7. Vehicle Cybersecurity:
9. Post-Crash Self-Driving Vehicle Behavior:
10. Data Recording:
11. Consumer Education and Training:
12. Federal, State, and Local Laws:
Best Practices for Legislatures
Best Practices for Highway Safety Officials
Factors the NHTSA will consider in determining whether a cybersecurity vulnerability compels a recall:
Questions to consider when addressing cybersecurity issues of self-driving vehicles:
1. Wired, Hacker Disables More Than 100 Cars Remotely (Mar. 17, 2010), https://www.wired.com/2010/03/hacker-bricks-cars/.
2. Wired, The Jeep Hackers Are Back to Prove Car Hacking Can Get Much Worse (Aug. 1, 2016), https://www.wired.com/2016/08/jeep-hackers-return-high-speed-steering-acceleration-hacks/.
3. Automotive Information Sharing and Analysis Center, Automotive Cybersecurity Best Practices Executive Summary (July 21, 2016), https://www.automotiveisac.com/best-practices/.
4. National Highway Traffic Safety Administration, Cybersecurity Best Practices for Modern Vehicles (Oct. 2016), https://www.nhtsa.gov/staticfiles/nvs/pdf/812333_CybersecurityForModernVehicles.pdf.
5. Federal Register, Request for Public Comments on NHTSA Enforcement Guidance Bulletin 2016-02: Safety-Related Defects and Emerging Automotive Technologies (April 1, 2016), https://www.federal register.gov/documents/2016/04/01/2016-07353/request-for-public-comments-on-nhtsa-enforcement-guidance-bulletin-2016-02-safety-related-defects.
6. National Highway Traffic Safety Administration, Automated Driving Systems: A Vision for Safety (Sep. 2017), https://www.nhtsa.gov/sites/nhtsa.dot.gov/files/documents/13069a-ads2.0_090617_v9a_tag.pdf.
7. Morgan Stanley, Autonomous Cars: The Future Is Now (January 23, 2015), http://www.morganstanley.com/articles/autonomous-cars-the-future-is-now
8. National Highway Traffic Safety Administration, Cybersecurity Best Practices for Modern Vehicles (Oct. 2016), https://www.nhtsa.gov/staticfiles/nvs/pdf/812333_CybersecurityForModernVehicles.pdf..
9. National Conference of State Legislatures, Autonomous Vehicles: Self-Driving Vehicles Enacted Legislation (October 23, 2017), http://www.ncsl.org/research/transportation/autonomous-vehicles-self-driving-vehicles-enacted-legislation.aspx.
10. ABA Section of Administrative Law, The Fast Lane: Autonomous Vehicles and the Liability Landscape (Spring 2016, https://www.americanbar.org/content/dam/aba/publications/administrative_regulatory_law_newsletters/tq_spring_ 2016. authcheckdam.pdf.