January 27, 2021

Volume XI, Number 27

Cloud Security Alliance Releases Guidance for Securing Connected Vehicles

The increasing connectivity of vehicles has raised questions about how to maintain the security of connected vehicles. In response, the Cloud Security Alliance released on May 25, 2017, a 35-page research and guidance report, Observations and Recommendations on Connected Vehicle Security. The Cloud Security Alliance is a not-for-profit organization dedicated to promoting a secure cloud computing environment; its members include individuals and technology leaders such as Microsoft, Amazon Web Services, HP, Adobe, and Symantec. The comprehensive report includes a background on connected vehicle security design, highlights potential attack vectors, and provides recommendations for addressing security gaps.

The report discusses the multitude of ways that our vehicles are connected to the Internet, including through diagnostic tools, infotainment systems (such as satellite radio, traffic services, etc.), and remote entry and startup.  Vehicles also communicate with other vehicles, with infrastructure and with applications, providing information such as vehicle position, speed, acceleration, and braking status.  And, as the development of driverless cars continues, those vehicles will need to rely on communications with traffic lights, other vehicles, and pedestrians to maintain the safety of our roadways.  Vehicles have also begun to be integrated into other IoT devices, such as Amazon Echo and NEST, which allow consumers to use those applications to remotely start, set environmental controls for, or track the location of vehicles.

As a result of this interconnectedness, the security risk to connected vehicles and the ecosystems that support them is great.  In controlled situations, hackers were able to turn off the transmission of a Jeep Cherokee and reduce the speed of a Tesla Model S.  Hackers could hijack a vehicle’s safety-critical operations, track a vehicle (and its occupants), or disable a vehicle, despite actions taken by the driver.  The Cloud Security Alliance’s report provides a chart of approximately twenty possible attacks against connected vehicles.

The report provides recommendations for securing connected vehicles and their environments, including:

  1. Securing vehicle platforms by, among other things, implementing strong segmentation between safety-critical and non-safety-critical features, securing and speeding up the software update process, filtering interface traffic, considering potential add-on technologies and the necessary platform security controls to guard the vehicle’s sensitive systems, and adding controls to ensure data cannot be spoofed or manipulated prior to transmission.
  2. Securing traffic infrastructure by ensuring that the infrastructure components cannot be used as launching off points for malicious actors to gain access to vehicle platforms; monitoring and auditing traffic infrastructure, including attempted physical access, privilege escalation, or access to restricted files; keeping an inventory of all connected roadside unit devices; implementing malware detection; and including redundancy controls.
  3. Using the Security Credential Management System (“SCMS”) designed and implemented by the Department of Transportation as the security foundation for connected vehicles, and implementing methods to address gaps in that system.

The report suggests that achieving the goal of safe connectivity will require the automotive community to work in concert with a host of other companies, such as original equipment manufacturers, departments of transportation, infotainment providers, application developers, and others whose software or devices are and could be involved with connected vehicles.

© 2020 Covington & Burling LLP. National Law Review, Volume VII, Number 147

About this Author

Catlin Meade, Cybersecurity lawyer, Covington
Associate

Catlin Meade advises clients across a broad range of cybersecurity and government contracts matters, including government and internal investigations, compliance with cybersecurity and data breach regulations, and SAFETY Act applications.

Representative Matters

  • Counsel to multiple companies in responding to data and cybersecurity incidents.
  • Advised a leading defense contractor on a multi-million-dollar prime-subcontractor dispute in connection with a NATO contract.
  • Key member of team that successfully represented a large government...
202-662-5889

Kurt Wimmer, Data privacy and cybersecurity lawyer, Covington
Partner

Kurt Wimmer is the U.S. chair of our Data Privacy and Cybersecurity practice, and is past chair of the Privacy and Information Security Committee of the American Bar Association’s Antitrust Section. He is rated in the first tier by Legal 500, designated as a national leader in Chambers USA, and is included in Best Lawyers in America in four areas. Sources for Chambers USA describe him as "a leading person in the field" and "extremely gifted at what he does."

Mr. Wimmer represents major social media companies, global technology...

202-662-5278