NHTSA Says It's Working to Mitigate Vehicle Cybersecurity Risks
NHTSA’s David Strickland, administrator for the National Highway Traffic Safety Administration (NHTSA) testified during a U.S. Senate Committee on Science, Commerce, and Transportation hearing on May 15 regarding the challenges advanced electronics represent in modern and upcoming vehicles. A number of other individuals attended the hearing and testified on this subject as well.
In his testimony, Strickland noted that electronics are enabling a wider range of technologies in the vehicle, from systems that can communicate with outside electronics and those that control more advanced safety systems (for example those that can automatically take control of the vehicle prior to potential accidents), and to autonomous vehicles (early examples of which are undergoing testing).
Regarding vehicle electronics security, Strickland said NHTSA faces the need to develop general requirements for electronic control systems in vehicles to ensure they can’t be compromised. The agency said it established the new Electronics Systems Safety Research Division that will focus on these efforts. Strickland added NHTSA has requested $2 million in its 2014 budget for research in the area of vehicle cybersecurity.
“At this point there has never been an unauthorized accessing of a vehicle on the road today,” Strickland said. “A person would need physical access to a vehicle in order to get control of a particular vehicle’s functions. However, recognizing that in the future there will be chances for software linkages and Internet downloads in a vehicle. We have a very rigorous program looking at reliability, looking at the proper standards of encryption, and how we deal with certificate packages and all those other issues. We don’t want to be behind the eight ball on this and we're relying on the not only the work we have been doing with the automakers but also the work in other parts of the industry, the FAA (Federal Aviation Administration), to find a path forward through these security issues.”
Strickland went on to say that for NHTSA’s vehicle-to-vehicle communications research, the goal is to provide defenses that ensure a driver can’t lose control and that a vehicle’s electronic system can’t be corrupted to send faulty data. Strickland said NHTSA is working with auto manufacturers and other companies to develop a conceptual framework for dealing with these issues. He added that NHTSA is developing countermeasures to prevent credentials required to access vehicle security systems from being compromised. He also said the organization is developing protocols designed to share data when a vehicle system detects behavior designed to subvert it.
Select other individuals testifying during the hearing on the subject of cybersecurity included the University of Michigan Transportation Research Institute’s (UMTRI’s) Peter Sweatman and John D. Lee, Emerson Electric Quality & Productivity Professor at the Department of Industrial and Systems Engineering at the University of Wisconsin‐Madison.
The University of Wisconsin-Madison’s Lee noted just how much of a modern vehicle depends on computer code. He said a typical luxury car requires more than 100 million lines of code to function. He also noted that software and electronic account for 40% of the car’s cost and 50% of warranty claims.
UMTRI’s Sweatman said that cyberattacks, or simple human error, could lead to “large-scale disruption and harm” when involving automated vehicles moving at high speeds. To prevent these problems, he said U.S. government agencies will need to work with industry partners to develop “breakthrough” capabilities for testing and certifying automated systems. He added that responsibility for safe operation of autonomous vehicles and related systems should be shared by industrial partners such that no individual company or organization bears an “unreasonable” level of liability.