This article was written by Mark Schaub and Atticus Zhao
In our modern, interconnected world hacking is an ever present danger. Hackers can break into systems to steal information, bank details, bring down targeted websites, access government websites and a variety of other fiendish acts.
Imagine though, if instead of targeting desktop computers, websites or even mobile phones … that such hackers could target cars. We have tragically seen how cars can be used as weapons by terrorists.
In a world of driverless cars hackers could target fleets of cars – fleets comprised of 100s of cars with each car individually having over a 100 million lines of code and all collectively connected and exchanging data.
That is a lot of vulnerability and a lot of risk to contend with and for this reason cybersecurity is a core challenge for self-driving cars.
These are not theoretical risks. In 2015, the car manufacturer Chrysler announced a recall for 1.4 million vehicles after a pair of hackers demonstrated they could remotely hijack a Jeep's digital systems over the internet. There have also been reports of hackers and security researchers demonstrating their ability to remotely hack into connected cars and take control of key functions such as braking and acceleration.
A recent development has been that as the number of connected vehicles increases then such vehicles will be vulnerable to an attack by remote keyless entry.
The Internet of Things (IoT) is resulting in ever more devices being connected to the internet and self-driving cars will lead to a massive upsurge of connectivity. This connectivity to the internet greatly increases the potential for the car itself to become the target of cyber-attack.
The question is how to protect the vital systems of vehicles and the contained personal data from attack. In particular, systems and components governing safety of vehicles must be protected from malicious attack, unauthorized access, damage or anything that might interfere with or compromise any safety function.
No less an authority than General Motors CEO Mary Barra noted that cyber-incidents are a problem for every automaker in the world and is a public safety issue.  If it cannot be contained then cybersecurity risk could potentially threaten to derail the whole auto industry’s road map for autonomous vehicles.
This article will focus on vehicle cybersecurity issues such as (i) cybersecurity risks and legal challenges for connected and autonomous vehicles (CAVs), (ii) practice in leading jurisdictions in tackling vehicle cybersecurity, and (iii) current actions taken by Chinese government to cope with this issue.
Cybersecurity risks and legal challenges for CAVs
Complexity and vulnerabilities
A modern car has 50 to 150 electronic control units (ECUs) - basically tiny computers – each having as much as 100 million lines of code. Every 1,000 lines contain as many as 15 bugs that are potential doors for would-be hackers.
Potential vulnerabilities abound in driverless cars – in a vehicle’s wireless communication functions, within a mobile device connected to the vehicle through USB, Bluetooth or Wi-Fi, or within a third-party device connected via a vehicle diagnostic port. A hacker who accesses the critical systems of the vehicle could cause mayhem.
These vulnerabilities are compounded by the nature of the auto industry which is characterized as having a greatly fragmented supply chain – much greater than for a desktop computer or a mobile phone. Difficulties in developing countermeasures are exacerbated by automakers facing significant integration risks - the more than 100 ECUs per vehicle may be supplied by more than 20 different suppliers. Multiple components developed and manufactured by multiple suppliers increase the risk of compromised cybersecurity.
In other areas of production such as quality or product innovation automakers have been traditionally accustomed to being supported by their suppliers. However, when it comes to issues of cybersecurity it seems suppliers are even less prepared than automakers. In a recent survey, only 10 percent of suppliers rank cybersecurity as a priority for top management compared to 35 percent of automakers. Only 45 percent of suppliers consider cybersecurity of external partners (i.e. sub-suppliers) as being important to very important compared to more than 60 percent of automakers.
Vehicles are generally treated as being the product of the car manufacturer who in turn are normally considered responsible to ensure conformity with safety standards. This framework has worked well for non-connected, non-autonomous vehicles as manufacturers can ensure conformity of production and subject vehicles to fault-testing under real-world operating conditions. However, CAV technologies complicate this dynamic considerably.
As CAV technologies continue to develop rapidly, carmakers are faced with a complex supply chain of sensor producers, software developers and operating system providers. If liability for damage caused by defects in CAVs continues to rest with vehicle manufacturers then they will face a considerable burden in ensuring that best practices for cybersecurity are met by all suppliers. This will be even more challenging in the context of vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) interactions. In such operating environments, a hacker could cause an accident to a CAV due to a flaw in such V2V or V2I communications. In such case, will the third party CAV or infrastructure provider also be held liable?
A further complexity is that in a connected environment continuous software updates and patches for a considerable number of components (e.g. sensors, actuators, operating systems and networks) will need to be able to deal with any cybersecurity vulnerabilities. One obvious example is whether a vehicle manufacturer will have an on-going obligation to patch software vulnerabilities via software updates after their vehicles have been sold to consumers. Assuming a carmaker is required to do so then questions will arise as to how frequent updates must be made available to customers. How to regulate this issue between automakers, software suppliers and hardware suppliers?
It can also not be forgotten that end users themselves are a key link in the cybersecurity chain. However, although their well-being is directly at risk it appears that current user awareness in respect of cyber risk and cars remains low. These users can be the weak link – what will happen if a security incident is triggered by an end user installing unsafe software on a mobile phone or device connected to a car? Should end users be liable for such resulting incident? Jointly liable?
Practice in leading jurisdictions
Although vehicle cybersecurity may not be front of mind for all suppliers and users it has caught the attention of regulators in many jurisdictions. Despite this most automotive regulatory bodies have not yet concretely defined their approach towards cybersecurity issues. US, EU and UK authorities have issued guidance or best practices for tackling vehicle cybersecurity.
US federal government and Congress have been active in regulating the deployment of self-driving cars in the US. The US Department of Transportation's National Highway Traffic Safety Administration (NHTSA) has in particular paid attention to vehicle cybersecurity.
On 24 October 2016, NHTSA issued its non-binding Cybersecurity Best Practices for Modern Vehicles (“NHTSA Best Practices”) aimed at supporting manufacturers and software designers to improve motor vehicle cybersecurity and providing guidance as to how to prevent and withstand cyber-attacks.
The NHTSA Best Practices set out that NHTSA will focus on solutions to strengthen the vehicle’s electronic architecture against potential attacks and ensure vehicle systems take appropriate and safe actions, even when an attack is successful.
The NHTSA Best Practices also suggest that vehicle manufacturers and designers adopt a "layered approach" to reduce the probability of an attack’s success and mitigate ramiﬁcations of unauthorized access.
The key guidelines under the NHTSA Best Practices are:
1) Vehicle development process with explicit cybersecurity considerations
Follow robust product development process with the goal of designing systems free of unreasonable safety risks
Design specific process that gives explicit considerations to privacy and cybersecurity risks throughout the entire life-cycle of the vehicle
2) Information sharing
3) Vulnerability reporting policy
4) Incident response process
Establish a documentation process for responding to incidents, vulnerabilities and detected exploits
Outline roles and responsibilities for each responsible group within the organization and specify requirements for internal and external coordination
6) Risk assessment
7) Penetration testing and documentation
The NHTSA Best Practice also recommends steps and actions on fundamental vehicle cybersecurity protection, training for current and future work force and technical/non-technical individuals, considering aftermarket devices and serviceability of vehicle components by individuals and third parties.
In September 2017, the NHTSA released Automated Driving Systems 2.0: A Vision for Safety (“AV 2.0”) which replaced the Federal Automated Vehicles Policy issued by NHTSA in 2016. AV 2.0 recommends that the auto industry dedicate resources to assessing risk and testing vehicles for cybersecurity vulnerabilities.
In October 2018 and January 2020, the U.S. Department of Transportation released Preparing for the Future of Transportation: Automated Vehicles 3.0 (“AV 3.0”), and the Ensuring American Leadership in Automated Vehicle Technologies: Automated Vehicles 4.0 (“AV 4.0”) respectively. Both the AV 3.0 and AV 4.0 stress that the security and cybersecurity are critical for the development of a transportation system that safely and eﬀectively incorporates automated vehicles.
The EU is also providing guidance on vehicle cybersecurity.
On January 13, 2017 the EU Agency for Network and Information Security (ENISA) released the study “Cybersecurity and Resilience of smart cars” (“ENISA Guidance”), which identifies good practices and recommendations to ensure security of smart cars against cyber threats.
The 84-paged ENISA Guidance lists sensitivities present in smart cars as well as corresponding threats, risks, mitigation factors and possible security measures that can be taken.
In the ENISA Guidance, ENISA defines smart cars as systems providing connected, added-value features in order to enhance car users experience or improve car safety. It encompasses use cases such as telematics, connected infotainment or intra-vehicular communication. The ENISA Guidance covers passenger cars and commercial vehicles including trucks but excluding autonomous vehicles.
The ENISA Guidance points out that the protection of smart cars depends on overall protection of all related systems (i.e. cloud services, applications, car components, maintenance tools, diagnostic tools etc.). It also outlines where key vulnerabilities and risks lie in connected car systems and the threats, attack scenarios and mitigation factors manufacturers should take into consideration.
The recommendations apply not only to car manufacturers but also Tier 1 and Tier 2 suppliers, aftermarket suppliers, insurance providers and other auto industry stakeholders.
The ENISA Guidance further mentions that industry also needs to make efforts to clarify where liability may fall amongst car manufacturers, tier suppliers, vendors, aftermarket support operators and end users.
The good practice recommended under the ENISA Guidance is categorized in three aspects:
1) Policy and standards
Adherence to regulation - Industry actors shall adhere to regulations related to security and privacy.
Liability - Addressing the question of liability amongst tier suppliers, car manufacturers, vendors, aftermarket support operators and end users.
Car manufacturers and Tier actors shall ensure that appropriate technical measures exist allowing for tracing liability between actors
2) Organizational measures
Designating a dedicated security team and defining a dedicated Information Security Management System
Assessing the threat model and use cases, provide security and privacy by design and implement and test the security functions
Assessing security controls and patch vulnerabilities, define security update policies, perform vulnerability surveys, check security assumptions regularly during life-time, protect software update mechanism and raise user awareness
Security events must be securely logged and users must be informed of security events
Provide end-to-end protection in confidentiality to mitigate risk of attacks; vulnerabilities or limitations of standard security measures
Consider denial of service as a usual threat to communication infrastructures, not create proprietary cryptographic schemes but rather use state-of- the-art standards instead
Rely on cryptography experts, consider use of dedicated and independently audited hardware security modules, securely manage cryptographic keys and identify personal data
Define access control, adopt anonymity and de-couple measures to enforce the protection of private data as well as to define measures to ensure secure deletion of user data in case of a change of ownership
Use mutual authentication for remote communication and implement self-protection measures
On 6 August 2017, the UK’s Department for Transport issued new cybersecurity guidance for self-driving cars entitled the Key Principles of Vehicle Cyber Security for Connected and Automated Vehicles (“Guidelines”).
The Guidelines have been produced in response to the large (and growing) attack surface presented by CAV technology.
"Whether we're turning vehicles into Wi-Fi connected hotspots or equipping them with millions of lines of code to become fully automated, it is important that they are protected against cyber-attacks," Transport Minister Lord Callanan said in a statement." That's why it's essential all parties involved in the manufacturing and supply chain are provided with a consistent set of guidelines that support this global industry."
The Guidelines, created with the Center for the Protection of National Infrastructure (CPNI), list the following key principles:
Principle 1: Organizational security is owned, governed and promoted at board level–this is aimed at creating and promoting a ‘culture of security’ within an organization
Principle 2: Security risks are assessed and managed appropriately and proportionately, including those specific to the supply chain
Principle 3: Organizations need to provide product aftercare and incident response to ensure systems are secure over their lifetime
Principle 4: All organizations, including sub-contractors, suppliers and potential third parties, must work together to enhance the security of the system
Principle 5: Systems are designed using a defense-in-depth approach–security measures should be designed to cope with failures and breaches through defense-in-depth and segmented techniques
Principle 6: The security of all software is managed throughout its lifetime
Principle 7: The storage and transmission of data is secure and can be controlled
Principle 8: The system is designed to be resilient to attacks and respond appropriately when its defenses or sensors fail
It is understood that the list is designed to address public fears that hackers might be able to target connected cars, either to steal personal data or for other malicious purposes. The basic message from the UK Government is clear: this is an issue that needs to be treated seriously, and carmakers need to be dealing with security from a management level.
On 22 February 2017, the UK Vehicle Technology and Aviation Bill (the “VTA Bill”) introduced new insurance rules for self-driving cars. Under the VTA Bill, insurers would be primarily responsible for paying out damages arising out of accidents caused by automated vehicles.
However, the VTA Bill does not fully catch the distributed nature of cyber risk in the CAV supply chain. The Guidelines and other best practice are to fill the gaps to set cybersecurity standards and safety assessment procedures for CAV manufacturers and their premarket and aftermarket suppliers.
Status of Chinese government in coping with vehicle cybersecurity issue
China’s Cybersecurity Law (CSL) took effect on June 1, 2017, which is China’s first comprehensive law to address cybersecurity regarding establishment, operation, maintenance and use of cyber networks within China.
The CSL sets a series of requirements and obligations on “network operators” for cybersecurity, introduces a new concept of “critical information infrastructure” and specifies rules for providers of network products and services. For CAVs, it is likely treated as a new mobile device as it is connected to the internet or public communication networks (e.g. 4G networks) and thus the general rules and requirements established in the CSL should apply to the network operators or network equipment providers. However, the CSL seems remote to address the cybersecurity issue of CAVs.
On 29 December 2017, the Chinese government issued the final Guidelines for the Establishment of National Standards System of Telematics Industry (Intelligent & Connected Vehicles) (“Final Guidelines”), which aims to set national standards for China’s CAVs.
The Final Guidelines clearly state that function safety and cybersecurity are equally important for Intelligent & Connected Vehicles. Cybersecurity standards must be established to make sure the safety, security and reliability of vehicles. Requirements on risk assessment, security protection and testing assessment must be set out in the standards to be established in terms of vehicle communication system, data, the security of software and hardware and vehicle interfaces in order to protect the vehicle from attacking, interfering, damaging, illegal use and accidents.
The Final Guidelines provided for 95 standards to be established of which 20 standards relate to cybersecurity. They include, among others, general technical requirements on vehicle cybersecurity, guidance on vehicle cybersecurity risk assessment and general requirements on vehicle data security protection and privacy protection.
At present the Chinese authorities has not issued other regulatory paper or guidance specifically addressing the cybersecurity issue for self-driving cars.
Beginning late 2017, China appears to have sped up its efforts to establish a regulatory regime for self-driving cars but still lags slightly behind other leading jurisdictions.
The importance of government policy on self-driving cars is clear. Government has three main roles in regulating the development of self-driving cars. Firstly, it will need to balance the interests of the public with those of the industry; secondly, the government will have a role to facilitate greater collaboration within the industry; and thirdly, government will have a responsibility to establish and ensure a safe information-sharing environment. As such the Chinese government’s efforts to establish a regulatory regime for self-driving cars is very welcome.
In addition, industry can also play an important role in the development of policies for self-driving cars in this fast moving environment. Examples include the Alliance of Automobile Manufacturers and the Association of Global Automakers which published the Framework for Automotive Cybersecurity Best Practices in January 2016 which is referenced by the US NHTSA Best Practice. It is likely that the Chinese auto industry will in the near future also play a more active role in the evolution of China’s regulatory regime for self-driving cars. This will include in particular the creation and formation of guidelines.
 Cyber Security and Resilience of smart cars issued by the EU Agency for Network and Information Security on January 13, 2017.
 Shifting Gears in Cyber Security for Connected Cars – by Mckinsey & Company
 Shifting Gears in Cyber Security for Connected Cars – by Mckinsey & Company
 i.e., fully autonomous vehicles
 The VTA Bill is understood to be considered at Report Stage and Third Reading-https://services.parliament.uk/bills/2016-17/vehicletechnologyandaviation.html
 Shifting Gears in Cyber Security for Connected Cars – by Mckinsey & Company