NHTSA chief vows action this year on cybersecurity

[kscarbel2]

Automotive News / January 19, 2016

The nation’s top auto safety regulator said his agency will take action this year to address automotive cybersecurity issues, as the spread of connectivity technologies threatens to expose vehicles to new paths of attack.

The National Highway Traffic Safety Administration (NHTSA) currently lacks regulations for the security protocols governing the roughly 100 million lines of software code used to control many functions in modern cars [and commercial trucks].

As Wi-fi hotspots, satellite radio and other network connections to vehicles become more common, NHTSA administrator Mark Rosekind said, the agency must define its role in how the security of those systems should be managed, and what tools it needs to ensure the safety of connected vehicle systems.

Rosekind says the effort has the backing of Transportation Secretary Anthony Foxx, though it’s still unclear what type of action the agency will take.

“I don’t know if there’s going to be regulation or standards, or what that’s going to look like,” Rosekind said on the sidelines of a NHTSA cybersecurity event today, “but I don’t think there’s any question that we have to get action on cybersecurity this year.”

Auto cybersecurity was thrust into the spotlight last summer when researchers Charlie Miller and Chris Valasek, working with a magazine reporter, exploited a network vulnerability in the infotainment system of a Jeep Cherokee to demonstrate that they could remotely take control of functions such as its steering and brakes.

Automakers fear that NHTSA regulations for cybersecurity could take years to formulate, and may stifle innovation in the meantime. At the same time, they don’t dispute that security is a critical issue as vehicles become increasingly connected to the Internet, and as autonomous driving technologies enter the marketplace.

Potential threats

At today's meeting, panelists identified a variety of potential threats, including so-called ransomware, or malicious software designed to extort money from vehicle owners by crippling the vehicle’s software controls until a ransom is paid.

Another topic of discussion was how to patch vulnerabilities in vehicle infotainment systems -- the gateway used in Miller and Valasek’s Jeep hack -- and whether features should be disabled until security updates can be installed.

Rosekind said NHTSA organized the daylong event to bring together automakers, suppliers, government officials and researchers, in part to help define the agency’s role in overseeing auto cybersecurity.

“Clearly we are the agency that could create mandates if they were needed,” he said.

Safety-critical issues

He acknowledged the concerns about barriers to innovation but said safety was a paramount concern. For safety-critical issues where industry-wide adoption is required, “that’s where you need regulation,” he said. “In some areas of safety, you need 100 percent adoption.”

[kscarbel2]

This news relates to the evolving nature of heavy trucks. The telematics systems now being used by the truckmakers, which allow ECU updates via WiFi networks, are vulnerable. Most people fail to keep their router firmware updated, making it easily vulnerable to hackers. And even when updated, WiFi by nature is still vulnerable.

After that, the truckmakers are talking about over-the-air updates through a cellular network, another easily hackable situation.