2018 delivered a boom for automobile technology and connectivity, accelerating recent trends for connected cars. Consumers now expect the devices they purchase to be more integrated and provide more functionality than ever before, and more and more manufacturers are incorporating these technologies into new vehicles. In response, the modern car often includes the services of a digital chauffeur, navigator, scheduler, receptionist, and personal assistant. Artificial intelligence is being felt in all aspects of today's vehicles. Cars often contain software to provide on-board diagnostics and alert operators to potential maintenance and safety issues. Further, automobiles are expected to communicate with the driver's other personal devices and the applications and software services contained thereon, including email, calendars, music apps, and other entertainment. But as cars increasingly become more personal and integral to the driver, the risks of cyberattacks and cyber-thefts also increase.
To maximize connectivity and functionality, a car's systems and software must connect and communicate with other systems. As manufacturers and regulators now agree, this integration creates doorways into the car's own network that can be vulnerable to cyberattacks. As evidenced by the headlines of high-profile attacks plaguing other industries, a security breach can damage a company's reputation and value. Cyberattacks affect a company's personnel and talent as they can result in firings and resignations. Moreover, a company that is not planning for cyberattacks can be exposed to regulatory investigations, civil claims from business partners, shareholders, and employees, and even class action lawsuits.
The complexity of a car's network and functionality makes navigating cybersecurity practices difficult. However, we set forth below some guideposts that are emerging in this new area for you as your company thinks about how to best protect both its consumers and itself. In this article, we set forth what we believe to be some of the most significant developments in risks for automobile cybersecurity in 2019, and what you should be thinking about to address them as your company heads into the new year.
Cybersecurity Issues and Best Practices
We now know that cybersecurity is an arms race (good guys versus bad guys) with respect to corporate networks, and connected cars are no different than other industries and governments that have been the subject of cyberattacks. As hard as companies are working to implement new security policies and technology to keep up with new and emerging threats, hackers are working diligently to undermine them. However, knowledge of the current issues, and what the best practices are to address them, is the first step to protection.
1. Consumer Apprehension and Creating a Culture of Security
As much as consumers are demanding more software functionality in their cars, effective data security is no longer the sole responsibility of the information technology department – customer service, in-house counsel, marketing, public relations, and most importantly, senior and operational management of the organization must also play a critical role. And it's not just consumers – regulators are also demanding that senior management become involved in and accountable for data security. Creating the right culture can be jeopardized if there is not a top-down message and implementation of data security. Companies should be sure to properly educate and train all relevant employees with respect to their role in the cybersecurity program. Engineering, information technology, research and development, and production teams should all be given appropriate resources and knowledge to effectively manage their involvement in the data security efforts of the organization. Effective buy-in, training, and messaging (both internally and externally) will serve the dual purpose of enhancing the data security of vehicles and component parts while also bolstering the company's reputation and goodwill in the marketplace.
2. Eliminating Vulnerabilities by Design
In the last two years, government agencies, industry groups, and consumer organizations have increasingly pushed for security to begin on the drawing board. Accordingly, security by design is now a priority of the Auto-ISAC and federal regulators, namely the National Highway Traffic Safety Administration and the Federal Trade Commission. No longer can cybersecurity be an afterthought as in years past. Security should be designed with the nature and sensitivity of personal information and other data taken into consideration. Security design reviews and product testing should be conducted throughout the development process. Secure computing, software development and networking practices should address the security of connections into, from, and inside the vehicle.
3. Car Safety and Threat Protection
Companies need to be proactive against safety threats by continuously monitoring and detecting new and constantly emerging vulnerabilities and threats. Companies should start by utilizing a rigorous risk assessment methodology for identifying potential threats, vulnerabilities and risks to data and data security. This process catalogs and prioritizes the various sources of cybersecurity risk; implements a decision-making process to manage the identified risks; involves other partners in the supply chain; implements risk mitigating controls; and monitors the evolution of risks and risk mitigation in a continuous improvement cycle. Knowledge of the potential harm, in turn, enhances and feeds information to the incident response teams and allows for the earlier addressing of concerns. Early detection is the best way to reduce harm to consumers and to lower the cost of any attack.
4. Preparing for the Inevitable and Incident Response
In 2018, several high-profile security breaches affected the auto industry, including thieves hacking wireless key fobs to steal cars in the U.K. Hackers were also able to access vehicle owners' Amazon accounts through the app in the car's connected dashboard. Although cyberattacks are progressively becoming a "when" rather than an "if," an effective incident response program will enable organizations to quickly respond to incidents such as these, thereby mitigating (or hopefully avoiding!) harm to the organization, business partners, and consumers. Manufacturers should include methods to deliver periodic security patches and updates to consumers. An incident response policy should identify in advance members of the response team, including IT security and forensics, engineering, legal, management, stakeholders, and public relations/communications. The policy provides guidance and details relating to the roles and obligations of the team members.
5. Security Collaboration and Engagement
Over the last year, engineers and executives have been having more conversations with hacktivists to collaborate and develop best practices for minimizing threats. Organizations should work closely with suppliers, industry associations, governmental agencies, academic institutions and researchers, and other business partners as part of a well-rounded cybersecurity program. Whether it is the finished vehicle or a component part, most companies relevant to the data security ecosystem will rely on suppliers that play a role in data security. Hardware, software, development tools, assembly, integration and testing may all be provided by one or more suppliers. Companies impacted by this scenario should conduct appropriate due diligence and risk assessments with respect to their suppliers, both at the commencement of, as well as periodically throughout, the relationship. Contractual provisions should also be utilized to address data security requirements for relevant suppliers, particularly suppliers of software and applications you incorporate into your vehicles.
Manufacturers and regulators appear to now agree that planning for cyberattacks requires a comprehensive and holistic approach, as no one software application or technical component is a silo as was more common in years past. Virtually all facets of the organization, and sometimes third parties as well, will need to be involved to properly plan, implement protections, and prepare for cyberattacks. The regulations and laws governing this area are constantly in flux, as new legal developments seem to change the legal landscape daily. However, taking action now, including by planning for the issues raised above, will keep your company one step ahead of the attackers as we all head into 2019.