Over recent years, automakers have provided advanced technology within vehicles to help keep drivers safe while on the road. Today, over 50% of vehicles in the United Stated are connected and this number is likely to continue increasing every year. However, while voice activated technology, keyless entry, and other safety features may provide convenience and help reduce accidents, car buyers should be aware vehicles connected to the internet can be hacked in similar ways as a computer or mobile phone.
On July 21, 2015, Senators Edward Markey and Richard Blumenthal introduced The Security and Privacy in your Car Act (SPY Car Act) directing the National Highway Traffic Safety Administration and the Federal Trade Commission to establish security standards within connected cars to protect drivers and their data. Some highlights from the SPY Car Act include:
- Vehicle System Security. All entry points to a vehicle’s electronic systems must be equipped with reasonable measures to protect against cyberattacks, including isolation measures to separate critical and non-critical software systems
- Vulnerability Testing and Remediation. Such reasonable security measures shall be evaluated for vulnerabilities following best security practices, including appropriate applications of techniques such as penetration testing, and must be adjusted and updated based on the results of such evaluation
- Data Security. All driving data collected by a vehicle’s electronic systems must be reasonably secured from unauthorized access while data is stored onboard the vehicle, in transit from the vehicle to another location, and in any offboard storage or use
- Real-Time Attack Mitigation. All entry points to a vehicle’s electronic systems must be equipped with capabilities to immediately detect, report, and stop unauthorized attempts to intercept driving data or control the vehicle.
What Can Be Expected Within the Next Five Years?
The introduction of the SPY Car Act means automakers must begin to think and act more proactively about cybersecurity and take the necessary precautions to ensure connected vehicles are secure by the year 2018. As automakers begin to offer more connected services and improved content, data collection will exponentially increase as well as a hacker’s incentive to steal data.
Automakers must collaborate with the security community, become educated, and implement a holistic approach. The SPY Car Act also requires automakers to work more closely with security companies. Today, it is believed that automakers do not yet have the in-house knowledge to properly secure a vehicle. Prior to connected cars hitting the road, comprehensive security analyses such as risk ranking and vulnerability assessments must be conducted. OEMs must determine how internal systems are connected and the potential attack vectors, and then flag those that touch safety-critical systems as priorities. The industry is constantly evolving, and vulnerabilities are increasing. If automakers expect to have strong marks on their cyber dashboard, they cannot expect to accomplish it alone.
Interested in learning more about connected car security and what will be expected from automakers? Download our Whitepaper: Automakers Remain Passive as Government Takes Action.