Computer viruses can cause frustration and, in certain cases, may have grave consequences. It can leak private information, steal money and hold connected devices hostage. These threats are present in today’s cars, and the automotive industry fights to ensure connected cars do not become the target of malicious cyber attackers.
However, this is not an easy task. The car’s internet-connected systems and the internal networks running within it must be secured. These are responsible for basic functions like infotainment and, in a growing number, critical driving tasks like steering, braking, and acceleration. The potential for disaster is great when hackers have control.
Several automakers have addressed this issue. Jeffrey Massimilla, General Motors’ first dedicated cyber security official, was appointed in 2014. The company invited a few hackers, commonly known as ‘white-hat’ hackers, to help find security loopholes in the vehicles. This was to fix any insecurities. The company will reward those who successfully ‘break into the vehicles. Dan Ammann, GM President, told the Detroit News. “We’ll show them the products and programs we plan to establish these Bug Bounties.” “Then, we’ll place them in a comfortable setting — feed them with pizza and Red Bull — and let them go.
However, these Bug Bounty programs are not new. This was GM’s second round, but other automakers have also run similar programs. According to the bug’s severity and potential consequences, FCA discussed the possibility of assessing vulnerabilities through “triage”.
This is a good sign that the automotive industry takes cyber security seriously, but many have a common concern: Should we launch automated vehicle technologies when hackers are a possibility?
Bookends provide stability
The industry is working to address safety and security to get around this problem. These words can have the same meaning in some languages. As such, there is confusion about how they are used in practice. But, according to Chuck Bookish (Director of Automotive Business Development at Green Hills Software), they are not the same thing and serve different but equally important purposes in protecting your vehicle. Bookish refers to safety and security “as the bookends of a robust system.”
Safety is what a system should do. A screen that needs to be updated at 60 frames per minute may not be capable of updating at a rate of 59 frames per seconds. It doesn’t necessarily mean that a sensor input must be measured 100 times per minute, but it could occasionally be as high as 99 times per second. He says it must be done correctly and precisely. There are functional deadlines that must always be met. These functional deadlines define the tasks that must be completed within a system in order to meet safety goals.
Safety is the basic principle that dictates what operations a system must perform. Hackers will often look for weaknesses and find ways to make the system do things they were not intended to. Although the system is operating in a safe manner, security must be addressed to ensure safety. Bookish continues, “I see security as the other side of the bookshelf. It defines the limits of what is available.” This is why mandatory access control is so important. It allows access only to what is necessary and nothing else.
He suggests that cyber security should be based on the principle “least privilege”, which means that a module can only access the information it needs to fulfill its original purpose. Bookish says that hackers may attempt to gain access to information, but can’t do so because they aren’t given it. “One side of the bookshelf contains safety features, which define what must be done. The other side of the bookshelf is security. Security defines the limits of what is possible. These bookends make a system robust and well-constrained that does all it needs to do.