A grassroots security movement called “I am The Cavalry,” has introduced a cyber safety program to encourage collaboration between researchers and automakers as vehicles become increasingly connected.
On Friday, the group presented an open letter (PDF) to the heads of automotive companies challenging them to acknowledge cyber security concerns that impact vehicle safety. In a detailed description of its “Five Star Automotive Cyber Safety Program,” I am The Cavalry outlined five critical capabilities that participating companies should demonstrate within their organization to improve security.
The program champions “safety by design” through implementation of security in the design, development and testing phase; collaboration with the research community, including publishing a coordinated disclosure policy for those wishing to report security vulnerabilities or issues; and that automakers provide assurance of timely security updates when issues are discovered.
As well, the program asks companies to provide proof that their systems utilize reliable logging and evidence capturing technologies to aid in safety investigations. Lastly, the initiative calls for segmentation and isolation of critical automative systems, such as those that control brakes or steering, from non-critical functions in cars.
On Tuesday, Joshua Corman, co-founder of I am The Cavalry and CTO of Sonatype, told SCMagazine.com in an interview that, of the five security areas presented to carmakers, segmentation and isolation concerned him the most.
“We have heard of several attempts to isolate critical safety functions [in cars], but many [manufacturers] use techniques that are easily defeated,” Corman explained. “We are trying to save them time. They are making investments, but we want them to make effective investments. We can accelerate that learning curve if we were to work together.”
Corman later added that the auto security program was conceived, not to point the finger at companies dealing with vulnerabilities, but to make sure that demonstrated security concerns in vehicles aren't exploited in the future by hackers with malicious aims.
“You are the masters of your domain, and we are the masters of our domain, but now our worlds have collided,” Corman said of the needed collaboration between the security and automotive industries.
In its open letter, I am The Cavalry referenced vehicle-to-vehicle communication, automated traffic flow, remote control functions and driverless cars as just some of the evolving technologies making their way to the public.
"We don't need to wait for bad things [to happen] before starting to take safety into our design [considerations]. It takes a very long time to develop technologies and get them in the market. What we start today may not manifest for several years," Corman said.
[An earlier version of this story incorrectly stated the name of the group "I am The Cavalry," and has been updated to reflect these changes.]