The automotive industry
In just the past few years, the technology in our cars and trucks has improved considerably. Features like forward-collision warning and automatic emergency braking, enabled by advances in sensors and real-time data analytics, have made our vehicles and us, safer.
Autonomous vehicles, already in use in some cities, have the potential to further improve driver safety, by reducing the risk of human error. But with these new technologies come new risks—ones we must ensure are accounted for and minimized as vehicles are manufactured.
Cybersecurity guidelines for vehicles
Recently, the U.S. Department of Transportation (DOT) took a significant first step toward addressing these new risks by releasing draft cybersecurity guidelines for vehicles. They include a number of recommended practices, like limiting the ability to modify vehicle firmware and segmenting control systems, that should become standard for vehicle manufacturers. But while these guidelines provide a strong foundation, since they are voluntary, consumers still have no way of knowing how seriously a manufacturer adhered to the guidelines, if at all.
The government should provide consumers this transparency, just as they have required automakers to publicly display other safety features, like crash test ratings. With human lives at stake, cybersecurity cannot be considered separate than physical security.
DOT can address the issue by creating a security label for vehicles—akin to the MPG ratings required by EPA—which would display the results of a comprehensive security assessment. The guidelines recommend a similar test, but, again without requiring disclosure of its results, consumers have no way of knowing how safe–or not–their vehicle truly is. These assessments should be mandatory and should be conducted by a government-certified third party, examining the overall architecture of the vehicle, the critical components within the underlying code, the custom communications protocols and how well the vehicle reacts to active or passive attacks on sensors.
Establishing specific criteria for assessments
To establish the specific criteria for these assessments, DOT should convene a working group of automotive manufacturers and cybersecurity experts. This group can decide who should certify vendors as qualified to conduct these assessments, when and what information will be most useful for consumers.
Having helped many customers comply with cybersecurity regulations, including large U.S. vehicle manufacturers, I am especially conscious of regulatory burden and know that too much or the wrong type of regulation can distract from, rather than enhance, security. Requiring a security assessment is not over burdensome. It does not dictate the methodology manufacturers use to secure their vehicles and does not impose costly requirements; it does give consumers the transparency they deserve to understand how safe their vehicle is.
DOT first issued Federal Motor Vehicle Safety Standards in 1967 to ensure that “the public is protected against unreasonable risk of crashes occurring as a result of the design, construction, or performance of motor vehicles and is also protected against unreasonable risk of death or injury in the event crashes do occur.”
Cybersecurity should eventually fit in this same purview—on equal footing with seat belts and airbags. But for now, the government should take this short-term, intermediate step of giving consumers the accurate, verified information they need to make informed decisions. It’s one of the most effective measures they can take to improve vehicle safety across the board while having a relatively minimal impact on manufacturers’ bottom line.
About the Author: As Chief Security Officer, David Damato provides strategic product direction over module development for the Tanium Platform and manages the company’s internal security program. David brings a wealth of security expertise to Tanium, spanning incident response and forensics, vulnerability assessments, security program development, security operation and network and security architecture. Prior to Tanium, David most recently served as Managing Director at Mandiant, a FireEye company, where his team led incident response and post-breach remediation efforts at over 100 Fortune 500 companies. At Mandiant, David was also instrumental in developing new incident response services capabilities and establishing consulting offices both domestically and internationally. Prior to Mandiant, David led security consulting teams at PwC as part of its Washington Federal Practice and held IT roles at Raytheon focused on the management of internal and government networks. David frequently shares his expertise and insights at industry events and with the media.