Newly released guidelines published by the Department of Transportation Tuesday intend to guide the growth of driverless cars, with the agency making an early push to shape cybersecurity standards that will ultimately protect future vehicles from hacks.
In short, the DOT’s latest foray into driverless car policy offers a collage of rough-sketch best practices, which may be applicable to original equipment manufacturers, or OEMs, and automakers, among others.
“I applaud DOT for taking the first step in documenting its cyber security guidelines; however, over the long haul, despite great defenses, testing, architecture, and policies, the inherent weakness is poorly written software code which cannot be legislated,” said Joseph Saunders, founder and CEO of RunSafe Security. “The burden will remain on the manufacturer to adhere to the best software development principles minimizing attack vectors and vulnerabilities.”
By furthering broadly written recommendations, rather than proposing law, the DOT is facilitating ongoing partnerships that already exist between “car manufacturers, cybersecurity companies and other key stakeholders,” according to Monique Lance, a director at Argus Cyber Security, an Israeli security firm closely monitoring the advancement of related policy.
Argus Cyber Security is one of the largest and most established firms specializing solely in vehicle cybersecurity. Last year, the Israeli-owned company raised a $26 million Series B funding round from a group of prominent tech investors. Argus Cyber Security works with “car manufacturers, their Tier 1 suppliers and aftermarket connectivity providers.”
One of the larger themes discussed in the guidance relates to fostering collaboration between multiple stakeholders, despite the fact that auto companies compete for the same market share.
“Manufacturers should be ready to share event reconstruction data to promote safety throughout the industry … Each industry member should not have to experience the same cyber vulnerabilities in order to learn from them,” DOT explains.
Research conducted by a variety of organizations predicts the mass adoption of driverless vehicles in the U.S. will occur sometime between 2020 and 2030. By 2025, the driverless car market will be valued in excess of $42 billion, according to Boston Consulting Group. An estimated 92 percent of all vehicles sold will carry some semi-autonomous features by 2030, per a separate forecast by Lux Research.
Beyond cybersecurity, the guidance lists a series of recommendations that work to widely govern the “collection, use, sharing, retention, and deconstruction” of recorded driver data. Relevant data shared between automakers, for example, must be stripped of personal identification information, or PII, similar to active protection already evident in the Cybersecurity Information Sharing Act.
“Manufacturers and other entities should follow a robust product development process based on a systems-engineering approach to minimize risks to safety, including those due to cybersecurity threats and vulnerabilities,” the guidance reads. “The identification, protection, detection, response, and recovery functions should be used to enable risk management decisions, address risks and threats, and enable quick response to and learning from cybersecurity events.”