Connected Car Security: Balanced Rules, Better Collaboration Needed
A cybersecurity incident for one automobile manufacturer affects everyone, the head of General Motors’ global product cybersecurity team said at an FTC Forum on connected car security today, as he urged a balanced approach to regulation and increased collaboration between the industry and government agencies to ensure connected car security.
“It’s not a question of if our industry will ever see a serious cyber [security] incident, but when,” GM Chief Product Cybersecurity Officer Jeff Massimilla said during a keynote address at the event.
As such, he said that GM is committed to putting in place U.S. National Highway Traffic Safety Administration (NHTSA) cybersecurity best practices issued last year, as well as continued work with the Automobile Information Sharing and Analysis Center (Auto-ISAC), of which he serves as vice chair.
Collectively, GM and representatives from the Federal Trade Commission and the NHTSA addressing the “Connected Cars: Privacy, Security Issues Related to Connected, Automated Vehicles” forum this morning agreed that the safety benefits of connected vehicles are so promising that it is crucial for the technology to reach the market. With fatalities from traffic incidents seeing their largest increase in 50 years in 2015, consumers stand to benefit greatly from the spectrum of IoT-enabled features, from automatic braking all the way to self-driving cars, that make driving safer.
“Why in the world are we so focused on this in the first place?” Nat Beuse, associate administrator for vehicle safety research for the NHTSA, said. “We’ve plateaued. We’re already facing what many describe as a crisis.”
Ensuring that the industry can protect consumers’ data (by 2020, connected cars will generate 30 terabytes of data every day) and the features of connected vehicles from hacks will require collaboration between private and public sectors, speakers agreed, including concerted efforts to dispel myths and ensure coordinated communication to educate consumers on what can be complex technology.
“Our role is to protect consumers’ personal and sensitive information, within a framework that allows continued innovation and growth,” said Maureen K. Ohlhausen, acting chairman of the FTC, adding that they needed to approach connected car security with “regulatory humility.”
Highlighting ways in which the industry and government are working together to provide connected vehicle guidance and best practices, the NHTSA’s Beuse said one of the projects they’re focused on is how to detect whether a vehicle has been intruded upon.
“It would be really hard, I would say impossible, if the entire industry and the government went around and tried to tackle every entry point into a vehicle,” he said.
Rather than trying to police innovation, he said, they’re relying on the vehicle itself to protect these entry points. He pointed to the importance of safeguarding OBD-II ports, on-board diagnostic software that has been a reported hacking target.
For GM’s part, it has re-engineered its vehicle design and development process to include cybersecurity in vehicles from the start, scanning and testing systems through the development process, and deploying a “red team” to do regular penetration testing of products, Massimilla said. The type of information generated by a vehicle varies, but the vast majority of data, he said, is neither transmitted outside of the vehicle nor retained in the vehicle’s system. In turn, security researchers have an easy-to-use process to find and communicate about vulnerabilities in vehicles, he said.
GM has completed 130 Chevrolet Bolt EV cars equipped with next-generation self-driving technology. Massimilla showed a video of one of them navigating the streets of San Francisco, including avoiding cars pulling out of parking spots, stopping for traffic lights and even braking for a raccoon.
“The auto industry has taken steps to address cybersecurity concerns before our customers experience an incident,” he said.