David Miller, chief security officer, Covisint
David Miller, chief security officer, Covisint

A car without a steering wheel and pedals. Hands-free driving. These are some of the headlines increasingly surrounding the future of autonomous cars. Electronic sensors are monitoring traffic in all directions and a screen shows passengers the current route. This could be great news for people who simply don't like driving, or for enterprises running fleets of vehicles that would like to reduce operating and insurance costs. But what happens if an autonomous car, bus or truck is hacked? Sensors could be deactivated, accidents provoked, wrong directions given, or the vehicle could suddenly stop moving right in the middle of the highway.

This is why autonomous vehicles must be highly secure in and of themselves, all vehicle-related data needs to be transmitted through secured networks, and all individuals interacting with the vehicle need to be authenticated. And now is the time to be thinking about how to do it, as even hackers themselves are already issuing warnings.

Heightened risks

Driverless vehicles will be outfitted with new equipment, control units and data interfaces that allow driver-free operation. These will include laser range finders, cameras, ultrasonic devices, wheel sensors, GPS, and inertial measurement systems, as well as considerable on-board computing resources. All of these potential points of compromise will need to be secured at the risk of accidents or the thwarting of rules governing vehicle use. At the same time, vehicle access security will need to be strengthened at the risk of vehicle theft, cargo hijacking and even terrorism. In addition, all vehicle-related data will need to be secured across inter-vehicle communications, as well as device-to-vehicle, vehicle-to-vehicle and infrastructure-to-vehicle communications.

In the equally important area of privacy, many people are afraid of autonomous cars collecting their data and sharing it inappropriately, as well as having the data vulnerable to hackers. Hence protections and assurances need to be extended to vehicle owners and to passengers. At the core of this is how to go about identifying multiple distinct entities – persons, cargos and smart phones and other devices that are in a vehicle and perhaps interacting with it – and then applying the right kind of privacy protections as well as the correct levels of authorization. Specifications also need to be defined for erasing personal information from a vehicle once a passenger disembarks or when an owner transfers ownership of the vehicle.

Finally comes the question of where policies governing the vehicle and its use are made and stored. Is it in the vehicle where they can be changed or overridden? Or is it in a centralized virtual location in the cloud? Additionally, the question arises as to how an owner can change policies and push them to the vehicle.

Why an interoperability structure is essential

Clearly, there is a multitude of “moving parts” that need to interoperate in the autonomous vehicle ecosystem, including vehicles and their increasing number of digital components, and owners and passengers with their personal digital devices. There are also other vehicles to take into account, and there will be a certain amount of roadside infrastructure that will need to interact with the vehicle. 

It will require a comprehensive interoperability structure, or platform, to secure this dynamic ecosystem, and this structure needs the owner at its center, not the vehicle. Such a structure will let the vehicle know who is inside (or trying to get inside), and can provide different levels of authorization, connectivity and privacy protection depending on how the person is interacting with the vehicle. Essential functions of the structure include:
  • Risk-based authentication utilizing user-provided and system collected information, performed at log-in and each time an individual requests access to resources or performs transactions.
  • Centralized, cloud-based management of digital identities and rules governing authentication and vehicle usage.
  • A centralized secure token service to protect the vehicle and vehicle-connected devices each time an action is requested. This way, hackers would face two formidable hurdles: having to compromise the network, and also the token.

This structure can also provide a centralized audit point and notification service for vehicle owners. For OEMs, it can also serve as the basis for a future-proof security infrastructure.

How the autonomous vehicle will succeed

In today's world where data breaches and insecure devices are the norm, consumers may be wary of connecting yet another critical object to the cloud. Solving the security/privacy issue will be the largest gating factor to autonomous vehicle acceptance by individuals and enterprises, and it cannot be accomplished with the conventional, highly limited vehicle security models of the past.

Forward-looking OEMs engaging in connected initiatives are already looking towards a holistic interoperability structure approach, combining risk-based authentication; strong security for vehicles, components and networks; and centralized, cloud-based management.  When it comes to autonomous vehicles, would you entrust your family or your business to vehicles that are secured with anything less?