A trade group representing the makers of unmanned drones, cars, airplanes, boats and other vehicles is teaming up with a cybersecurity company to develop voluntary security standards for the autonomous vehicles market.
Today, representatives from the Association for Uncrewed Vehicle Systems International (AUVSI) and Fortress Security announced they are forming a working group that will develop the standards over the next year.
In an interview, Tobias Whitney, vice president of strategy and policy at Fortress Security, and Michael Robbins, AUVSI executive vice president for government and public affairs, said the framework would be built around five broad use cases. Those cases include scoping internal controls and effective cyber hygiene for autonomous vehicle suppliers; mapping product security to transparency and security standards, like software and hardware bills of materials; applying effective encryption and authentication tools around remote operations and connectivity; looking at third- and fourth-party suppliers in the supply chain; and creating clearer lines between technologies with military and commercial applications.
Whitney said the working group will be geared towards companies with “skin in the game” and that work in the autonomous vehicle industry, as well as those that “understand their markets, understand their customers but also understand [security], they can understand the implications of a security exploit that impacts the operations of their technology.”
He also acknowledged upfront that the framework is an attempt by the industry to coalesce around voluntary standards before governments decide to regulate, with Whitney saying it was being done to “get out ahead of something that might be mandated.” He pointed to industries like the electric, and oil and gas sectors that weren’t proactive enough setting up their own cybersecurity rules, only to have the government do it for them when high-profile incidents (the 2003 Northeast Blackouts and the Colonial Pipeline ransomware attack) created public pressure for regulation.
With concerns about the safety and reliability of autonomous cars and other vehicles on the minds of many Americans, a similar incident in the autonomous vehicle space could open suppliers up to harsher rules.
“We don’t want to be in a situation where we’re not having informed people in the room that understand the risks … the last thing you want to be is in a situation where something potentially does happen, some type of security risk does come into fruition and there’s a potential knee-jerk reaction and standards or mandates that may or may not reflect some of the best practices within industry.”
Fortress Security maintains a database matching ICS products to various security standards, and in the past has partnered with American Electric Power and other entities in the energy sector to develop information-sharing programs and resources for energy sector suppliers.
Robbins said that past experience with other sectors was key to their decision to partner with Fortress on their project and the working group has a dozen AUVSI member companies confirmed as participants. He declined to name them at this time but said they were committed to making membership public at some point.
“As uncrewed systems develop their technology and are continuously integrated into society, whether it's autonomous trucks on highways or drones doing critical infrastructure inspection or sidewalk robot deliveries … we believe that we have an existential risk to the industry by not proactively addressing cybersecurity,” said Robbins.