Technology has made today’s vehicles the safest in history. Similarly, advancements in engine technology have made today’s vehicles the most fuel efficient. While technology is making vehicles last longer and be more environmentally friendly, it is also making them increasingly complex. Today’s connected vehicles can have as many as 50 to 100 embedded microprocessors, depending on the model, using up to 300 million lines of software code; compare this to a 747 jumbo jet, with only 75 million lines of code.
This complexity is introducing vulnerabilities that never before existed. Nearly 100 percent of vehicles on the market include wireless technologies that could pose vulnerabilities to hacking or privacy intrusions. As vehicles continue to become more integrated with wireless technologies, there are more avenues through which a hacker can introduce malicious code, and more avenues through which a driver’s basic right to privacy can be compromised. These wireless technologies require wireless entry points (WEPs) or ways that vehicle electronics can be accessed remotely, ranging from tire pressure monitoring systems (TPMS) to access via the OBD II port.
Dawn of a New Era
A watershed moment occurred in the automotive industry July 21, 2015, when Senators Richard Blumenthal (D-Conn.) and Edward J. Markey (D-Mass.) introduced a first-of-its-kind bill S.1806 — the Security and Privacy in Your Car Act of 2015 (generically known as the SPY Car Act). The bill would direct the National Highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission (FTC) to establish minimum federal standards and safeguards to protect the data, security, and privacy of drivers. In addition, NHTSA must conduct a rulemaking to require the fuel economy labeling that manufacturers attach to motor vehicles to display a “cyber dashboard” with a standardized graphic to inform consumers about the extent to which the vehicle protects individuals' cybersecurity and privacy beyond the minimum requirements. The bill, which is currently being reviewed by the Commerce, Science, and Transportation Committee of the U.S. Senate, was in reaction to the much publicized hacking of a Jeep Cherokee via the SUV’s Internet-connected radio head unit, which, following this incident, was fixed by FCA.
The emerging debate around vehicle security promises to intensify. At least one lawsuit has already been filed against three automakers. The lawsuit, filed in the U.S. District Court for the Northern District of California, alleges the automobiles are open to hackers who can take control of critical vehicle functions and endanger the safety of the driver and passengers. The suit claims that vehicles without proper electronics safeguards are “defective” and worth far less than similar, non-defective vehicles and seeks unspecified monetary damages and injunctive relief.
Industry Dialogue and Consensus Needed
The SPY Car Act bill directs NHTSA to conduct a rulemaking to issue motor vehicle cybersecurity regulations to protect against unauthorized access to electronic controls or driving data. The regulations must require vehicles with accessible data or control signals to be capable of detecting, reporting, and stopping attempts to intercept such driving data or control the vehicle.
One countermeasure would incorporate isolation procedures to separate “critical software systems” from “noncritical software systems.” The legislation describes critical software systems as “software systems that can affect the driver’s control of the vehicle movement.” Another countermeasure, known as “security through obscurity,” would be to limit access to entry points, such as the OBD II port. Opponents point out that this will do little to harden the system against attack and will reduce consumer choice, undermining current safety and environmental compliance programs. They instead argue that an open design principle is a better solution, since it will allow new technological innovations to help secure vehicle data.
In the final analysis, a balance must be reached to ensure continued fleet access to OBD data without compromising privacy and security. Access to vehicle data via OBD II ports allows companies to improve fleet safety by identifying drivers who need training and monitoring. In addition, direct access to vehicle data via an OBD II port will streamline regulatory compliance reporting and provide an auditable trail to ensure compliance. This direct access provides a full and rich vehicle set versus other restricted vehicle data access methods. Since an OBD port is universal, it will ensure that safety monitoring programs and regulatory compliance can be implemented across the entire fleet, regardless of vehicle brand.
There are a number of stakeholders in the “OBD ecosystem.” In addition to government regulators and automotive OEMs, important OBD stakeholders include fleet managers, fleet management companies, aftermarket suppliers, and industry associations. An industry dialogue needs to commence to allow all OBD stakeholders provide input.
Let me know what you think.
Originally posted on Automotive Fleet