In our first article of this series, we explored the types of personal information that will be collected from autonomous vehicles and the need for trusted information systems. In this latest piece, we explore the risk of cyber security breaches and how these threats might be mitigated.
Cyber security is going to be a key consideration as autonomous vehicle technology develops – it’s not just an issue for the vehicles themselves but for the whole environment that will be developed to support such vehicles. How will our evolving smart cities ensure people, roads and buildings are protected from the threat of a cyber security breach?
While there are risks associated with inadvertent disclosure of information through poor cyber security, such as location information being inadvertently made available online, we’re going to focus on nefarious cyber security incidents. In other words: hacking.
The risks associated with hacking autonomous vehicles and the surrounding infrastructure is high and can result in serious damage to people and property.
THE STAKES ARE HIGH
Hacking could be motivated by a number of reasons. A perpetrator may be demanding a ransom or seeking to take control in a personal or domestic situation. We also know from recent terrorism events that vehicles can be used to cause significant harm to people and property. There are two main risks associated with hacking of an autonomous vehicle system or its surrounding infrastructure:
The risk of a third party taking control of the vehicle or the surrounding infrastructure
Imagine a vehicle being hacked and redirected to stop in the middle of a level-crossing as a train approaches. Likewise, smart city infrastructure could be hacked and used to tell all cars to proceed simultaneously at an intersection, causing a major collision. There are also serious risks in circumstances such as domestic violence situations if a person was able to redirect a vehicle to return to the place a person was trying to leave.
The risk of a third party accessing an individual’s personal information
Biometric information used to lock and unlock vehicles through facial recognition software could be hacked and used for other applications, such as logging into bank systems or even unlocking the front door to your house.
How can we ensure that systems are resilient against those who wish to take control of them maliciously?
HOW SHOULD CYBER RISKS BE MITIGATED?
Cyber security by design
Cyber resilience will be most effectively implemented and maintained if it is established in the design phase of the technology – not retrofitted at the end.
The Office of the Australian Information Commissioner - the Australian privacy regulator - recommends that security risks should be assessed in the early stages of a project by conducting an information security risk assessment (as well as a privacy impact assessment if personal information is involved).
Such strategies ensure that an organisation is aware of cyber security weaknesses, as well as strategies to mitigate those vulnerabilities through technology design.
While any kind of risk assessment process is valuable, it is particularly important in the context of technology systems. It’s been said that cyber security is a process of closing hundreds of doors, where a vulnerability in any one door can let a hacker into the system. In this context, implementing cyber security by design can have a massive impact in increasing cyber resilience for the whole system.
A good example of cyber security by design is a recommendation of the International Transport Forum in its report Safer Roads with Automated Vehicles? The report recommends that safety-critical systems in autonomous vehicles should be isolated from non-critical components and independent of connectivity to external networks. This means that connectivity issues are far less likely to affect the performance of safety-critical systems.
- Manufacturer cyber security plan
The United States is already on the front foot, with proposed legislation requiring vehicle manufacturers to have a written cyber security plan in place.
Among other things, the plan must:
- set out how the manufacturer detects and responds to cyber attacks, unauthorised intrusions, and false and spurious messages or vehicle control demands;
- appoint an officer responsible for managing cyber security;
- set out how the manufacturer limits access to autonomous driving systems; and
- set out the organisation’s processes for employee training and employee access to autonomous driving systems.
This proactive requirement is useful because it requires manufacturers to turn their mind to cyber security risks. It may also encourage them to design the technology with cyber security at the forefront, instead of a tack-on at the end.
Being at the forefront of cyber security developments
It would be unsuitable if the law attempted to set out prescriptive cyber security standards as it would fast become out-of-date. There is no doubt that cyber security strategies will be largely industry-regulated, with a push to being constantly vigilant for emerging threats and new safeguards.
However, government can continue to play a key role in driving this best practice by developing guidance and coordinating cyber security information sharing. It already does this through the technical tips given by Australian Signals Directorate’s Strategies to Mitigate Cyber Security Incidents and coordinating the sharing of cyber security knowledge through the Australian Cyber Security Centre. There will be scope to grow these initiatives and develop transport-specific cyber security as the technology develops.
CYBER SECURITY BEYOND THE VEHICLE
The cyber security of surrounding environments - smart poles, sensors, roads and other infrastructure - will need to be incredibly robust, particularly as it may be susceptible to interference from political actors. Smart cities will network our city in a way that means autonomous vehicles are less reliant on external stimuli and can act and react within the network.
CYBER SECURITY IS NOT JUST FOR THE SOFTWARE ENGINEER
Cyber security should not be left to software engineers and other technology specialists – it should form part of the governance frameworks of any company commercialising autonomous vehicle technology. The recent guidance published in the UK  for vehicle cyber security requires “organisational security to be owned, governed and promoted at the board level”.
Cyber security should be front of mind for any company procuring autonomous vehicle technology. Contractual frameworks should contain robust protections for valuable and safety-critical data and systems.
The management of cyber security will be a continually evolving process. The security of an autonomous vehicle must be maintained over its useable life - software updates and refreshes will need to be safely and securely implemented. Continuous monitoring of potential points of failure will be critical and emergency plans able to be invoked as soon as failure is detected. The ability to quickly return to a safe state of operations - and restore users’ confidence - once an incident has been resolved will be paramount to the uptake of the brave new world of autonomous vehicles and smart cities.
 The key principles of vehicle cyber security for connected and automated vehicles”, August 2017, accessible here.
Corrs Cyber is a rapid-response cyber security team, created to help organisations prepare for and recover from a cyber-attack or data security breach. Our multidisciplinary team provides access to data breach management specialists, including legal advisers, IT forensic investigation specialists, cyber risk and incident response consultants, and crisis and reputation management services. With the ability to respond to any type of cyber incident, the Corrs Cyber team offers a complete, solution-based round-the clock cyber incident service.
This article was originally co-authored by David Warren.
This publication is introductory in nature. Its content is current at the date of publication. It does not constitute legal advice and should not be relied upon as such. You should always obtain legal advice based on your specific circumstances before taking any action relating to matters covered by this publication. Some information may have been obtained from external sources, and we cannot guarantee the accuracy or currency of any such information.