The U.S. government has proposed new regulation of highly automated vehicles while the industry works toward self-regulation.
On Monday, the Detroit News website reported that the U.S. government will attempt regulate autonomous vehicles. Such regulation will be available in an official document titled Federal Automated Vehicles Policy.
According to the article, “Regulators say they will use their existing authority to investigate and recall automated vehicles that pose a risk to public safety, and will look to Congress for the tools to aid in that enforcement and regulation.” For example, the mandated recall of 1.4 million vehicles by FCA in 2014, after Wired.com published a video showing a Jeep Cherokee being hacked while driven, represented the first recall of a product (of any sort) purely for cyber security issues. The automotive industry is now well aware that this can, and will, happen.
The Federal Automated Vehicles Policy is fairly high-level in detail, yet effectively outlines what the government will be looking for when investigating what they refer to as highly automated vehicles (HAV). Of particular interest to the security world is Section E (Cross-Cutting Areas of Guidance), subsection 4 (Vehicle Cybersecurity). The section discusses some high-level security considerations, with no specific requirements mentioned, but does recommend following guidelines and principles established by multiple entities, including organizations like the Society of Automotive Engineers (SAE), with hopes that “the entire process of incorporating cybersecurity considerations should be fully documented and all actions, changes, design choices, analyses, associated testing and data should be traceable within a robust document version control environment.”
Additionally, the guidance in the proposal states that “entities should report any and all discovered vulnerabilities from field incidents, internal testing, or external security research to the Auto-ISAC as soon as possible, regardless of membership. Entities involved with HAVs should consider adopting a vulnerability disclosure policy.”
Members of the Synopsys Software Integrity Group have been working diligently with SAE and the entire automotive community to help create guidance documents and standards to address cyber security, with a particular focus on developing testing methods to help identify and address security vulnerabilities. Within the last month this work has culminated in multiple draft documents addressing both security testing methods and security testing tools. The members of this group are committed to creating a consistent set of guidelines that the automotive community and governments can look to as automotive cyber security policies continue to evolve.
SAE is currently working toward a joint international automotive cyber security standard with ISO. That work will begin in the fall of 2016.
Mike Ahmadi is the Director of Critical Systems Security at Synopsys.