A look at what to expect and how to ensure Connected and Automated Vehicles (CAVs) remain cyber-safe.
October marks Cyber Security Awareness Month, a time when it is important to raise awareness about potential issues related to computers and security.
The risks pertain to industries across the board, but perhaps the auto industry is not one that quickly comes to mind. With the introduction of Autonomous Vehicles (AVs), the issue of cyber security in the auto industry is a very real one.
At the New Car Dealers Association of BC (NCDA), we are big believers in the wonders of technology and how they can help enhance user experience. From electric to more fuel-efficient vehicles, the technologies we’ve seen over the last few years have been absolutely remarkable. And with that, we’re excited to see where the world of AVs takes us. But the introduction of AVs is not without the inherent risks that could potentially come from these technologies.
In 2019, the AV industry experienced a significant shift in technologies and regulations, which made it increasingly possible for Canadians and businesses to own and operate Connected and Automated Vehicles (CAVs). AVs and CAVs have the very real potential of creating cyber security risks that we have never seen before. But the risks are not limited to just these types of vehicles — all newer vehicles use computers and technology to enhance user experience.
In March 2020, Transport Canada published Canada’s Vehicle Cyber Security Guidance, which offers guiding principles to help ensure vehicles are cyber-safe for Canadians. Building on existing cyber security best practices, the Cyber Guidance uses a risk-based approach to help automotive industry stakeholders mitigate and manage vehicle cyber security risks. The guide focuses on four major principles it encourages organizations to consider.
1. Identify how to manage cyber security risks
The guide recommends that organizations develop formal governance frameworks that clearly identify roles and responsibilities related to managing cyber security risks. This will ensure a process is formally in place, should any issues related to cyber security come up.
A risk-based approach also requires organizations to adopt a documented risk management strategy that addresses risks and ensures the safety of critical systems and personal information. Organizations should implement risk-based security controls in case there is a cyber security attack.
CAVs pose another interesting risk — they have an increasingly non-traditional supply chain. This means ensuring that there is a security procedure in place across the entire chain. The guide suggests that all organizations work together to enhance vehicle security and engage in cyber security sharing forums, to ensure a direct line of contact.
2. Protect the vehicle ecosystem with appropriate safeguards
The guideline suggests a layered approach when it comes to cyber security. This includes having security controls, data security using cryptographic techniques, secure communications, secure software development, and secure updates. With a multi-layered approach, organizations can ensure that they are being as cautious as possible to protect consumers.
The guide acknowledges a concern in the area of privacy protection. It will be challenging to apply the current laws to CAVs, as there are a number of stakeholders that will have varying degrees of responsibility for complying with Canadian privacy laws. There will be unprecedented amounts of data on passenger movements and mobility, which raises concerns about data over-collection.
A main takeaway from this section is the emphasis on training the workforce. An effective cyber security defense requires a knowledgeable workforce to properly operate the systems in place.
3. Detect, monitor, and respond to cyber security events
One of the most important ways to handle cyber security is early detection of threats. Organizations need to have measures in place to rapidly detect, monitor, and analyze potential threats and vulnerabilities. The guide also suggests that regular security audits take place to ensure all cyber security measures within the ecosystem are working effectively. It’s really all about prevention.
Organizations should maintain an incident management plan and conduct regular exercises to prepare for and respond to cyber security threats. The plan needs to be clear: define the steps, roles, and processes to respond to any potential threats.
4. Recover from cyber security events safely and quickly
Should the worst-case scenario occur, and a cyber security event take place, the guidance recommends a number of steps organizations should take. These include a post-incident analysis and system diagnostics to figure out where the vulnerabilities lie, and what lessons can be learned.
The guidance recognizes that eliminating all threats when it comes to the risks with CAVs is not feasible or realistic; there are simply too many risks in place. Instead, the focus shifts to learning through periodic reviews and audits of security systems.
Though the thought of AVs and CAVs is exciting, it is clear that it is not without some very real concerns about cyber security. But we are likely about a decade away from sales to the public, so I hope to see leaps and bounds in the cyber safety of these incredible vehicles.