The UK Government has launched “tough new government guidance” aimed at smart vehicle manufacturers to ensure products aren’t sold with easily exploitable vulnerabilities.
The UK Department of Transport Minister Lord Callanan launched the new guidelines on Sunday as part of a plan to encourage manufacturers to build security into vehicles from the outset and help “design out hacking”.
“Risks of people hacking into the technology might be low, but we must make sure the public is protected,” said the Minister.
“Whether we’re turning vehicles into wifi connected hotspots or equipping them with millions of lines of code to become fully automated, it is important that they are protected against cyber-attacks," he added.
The guidelines are meant to address fears that hackers could target connected vehicles to steal personal data, steal cars that use keyless entry, or hijack vehicle technology for malicious reasons.
The guidance introduce eight principles, suggesting firms manage cyber security from the board down, conduct thorough cyber risk assessments across the supply chain, and ensure the security of systems over their lifetime. This includes having an incident response plan, an active program to identify critical vulnerabilities, and the ability to support data forensics.
Additionally, supply chain parties should provide independent validation of their security processes and products, and plan for how vehicle systems can securely connect with external devices and services.
They should also identify which automated functions depend on the accuracy or sensor or external data and ensure backup measures are available.
One of the principles suggests manufacturers adopt a “defence-in-depth” approach and follow the principle of least privilege in system design.
Manufacturers should also make it possible to “safely and securely update software and return it to a known good state if it becomes corrupt” and ensure systems are resilient to attack that causes sensors to fail.
“The system must be able to withstand receiving corrupt, invalid or malicious data or commands via its external and internal interfaces while remaining available for primary use. This includes sensor jamming or spoofing,” the document reads.
The UK’s guidelines follow a recent review of smart car cybersecurity by the European Agency for Network and Information Security (ENISA), which recommended the auto industry boost secure development practices and clarify uncertainties over liability of damages caused by security issues. It was concerned liability may fall between vehicle makers, software suppliers, drivers, and insurance companies.
The Queen’s speech in June introduced the UK’s Autonomous and Electric Vehicles Bill, which mandates insurance for self-driving vehicles to ensure any injured victims can quickly access compensation.
Notably, the UK’s effort to boost smart car cyber security is not currently framed as a law requiring manufacturers boost safeguards against hackers. In the US, a proposal to impose minimum cybersecurity and privacy standards on self-driving cars wasn’t met with enthusiasm by executives from Google, Delphi Automotive, General Motors and Lyft.