The Department of Transportation (DoT) is taking a number of steps to address cyber security vulnerabilities in automotive vehicles but has yet to define its roles and responsibilities in case there is a cyber attack on a vehicle and how it would work with other federal agencies, according to a new report by the Government Accountability Office (GAO).

Automakers continue to use more software code to support more and increasingly complex electronic systems and components, expanding the cyber vulnerabilities of vehicles, GAO says in the report, Vehicle Cybersecurity: DoT and Industry Have Efforts Underway, but DoT Needs to Define Its Role in Responding to a Real-world Attack (GAO-16-350). The report says that both DoT’s National Highway Traffic Safety Administration (NHTSA) and selected industry officials believe that these threats will increase as more autonomous features are added to vehicles and as autos include more connected technologies.

GAO says that until NHTSA develops a response plan, the agency’s “response efforts—regardless of the threat environment in which an attack is carried out—could be slowed as agency staff and other stakeholders may not be able to quickly identify the appropriate actions that NHTSA should take.”

The amount of software code in some vehicles is surprising. Citing the DoT, GAO says that modern luxury cars can have upwards of 100 million lines of software code whereas Boeing’s [BA] 787 Dreamliner passenger plane has about 6.5 million lines of code. The report says the amount of code in vehicles is only expected to increase.

The report notes that responsibility for the safety of vehicle systems occurs throughout the automotive supply chains and is set by vehicle design requirements established by the automakers. NHTSA is the primary federal agency responsible for vehicle safety.

Since 2011 DoT has been conducting research into vehicle cyber security and in 2015 devoted $2.5 million to electronics and vehicle cyber security research, $200,000 less than in 2014, GAO says. The report cites NHTSA officials as saying their ability to do further research is dependent on the amount of funding the agency is provided.

GAO also says that NHTSA is developing guidance to help automakers understand the types of cyber vulnerabilities that would constitute a safety defect and therefore require a recall. The agency has also established a council to assess the need for vehicle cyber security standards and regulations, the report says.

While research efforts have shown that vehicles can be hacked from the inside and remotely, which is the greatest concern, so far there have been no reports of remote cyber attacks on automobiles, GAO says. In cases where researchers have shown the ability to remotely hack into vehicle electronic systems, they have been able to manipulate safety-critical systems like the brakes, the report says.

Industry can do better in mitigating cyber vulnerabilities, GAO says, citing nearly half of the 32 industry stakeholders interviewed for the report as saying there is a “lack of transparency, communication, and collaboration regarding vehicles’ cybersecurity among the various players in the automotive supply chain.”

Another challenge for industry in bolstering vehicle cyber security is the cost of adding these protections amid already narrow profit margins, GAO says. For example, it says, “using hardware with added security protections can potentially be cost prohibitive to some automakers.”

GAO also cites industry stakeholders pointing out that there has historically been a lack of cyber security expertise in the industry.

Industry is taking steps to improve its cyber posture, including an effort to establish an information sharing organization, and the establishment of vehicle cyber security guidelines, GAO says.