Earlier this week Sen. Markey (D,MA) introduced S 1806, the Security
and Privacy in Your Car Act of 2015, or SPY Car Act of 2015. While this
bill was introduced on the same day that the notorious
Wired article about the Jeep Cherokee hack was published, it marks the
culmination of an ongoing
interest by Markey in this topic.
Definitions
The bill starts out by adding some new cybersecurity related
definitions to 49
USC 30102. The following terms were added:
∙ Critical software systems;
∙ Driving data;
∙ Entry points; and
∙ Hacking.
Of the four, the first and last two are most critical from a control
system cybersecurity perspective.
The term ‘critical software systems’ was specifically
limited to “software systems that can affect the driver’s control of the
vehicle movement” {new §30102(a)(3)}. This means that other control systems
related to signals, lights, locks and windshield wipers for example are
excluded from the definition.
‘Entry points’ are those means by which someone can access
driving data or through which control signals can be sent into the system. The
term is specifically defined to include wired or wireless connections.
The term ‘hacking’ is given a pretty broad definition as “the
unauthorized access to electronic controls or driving data, either wirelessly or
through wired connections”. There is no discussion of who (the auto
manufacturer or vehicle owner) can provide authorized access.
Cybersecurity Standards
The bill then goes on to add a new section to 49 USC, §30129, addressing
cybersecurity standards that would apply to vehicles manufactured two years
after regulations implementing this new statute take effect. Three areas are
covered in these standards:
∙ Protection against hacking;
∙ Security of collected information;
∙ Detection, reporting, and responding to hacking.
The protection against hacking provisions require that the
covered vehicles are {new §30129(a)(2)}:
∙ Equipped with reasonable measures to protect against hacking
attacks;
∙ Incorporating isolation measures to separate critical software
systems from noncritical software systems;
∙ Evaluated for security vulnerabilities following best security
practices, including appropriate applications of techniques such as penetration
testing; and
∙ Adjusted and updated based on the results of the evaluation.
The information security provisions of the new section deal
with protecting the data collected by onboard ‘electronic systems’. The
provisions include protecting data stored in the vehicle, in transit to
undefined other locations, and in storage in those off-vehicle locations. The protected
data is not limited to that obtained from ‘critical software systems’.
The final standard pertaining to hacking is the most broadly
written. It states {§30129(a)(4)}:
“Any motor vehicle that presents an
entry point shall be equipped with capabilities to immediately detect, report,
and stop attempts to intercept driving data or control the vehicle.”
Once the regulations are written implementing these
standards, violations of the standards could result in a civil penalty “of not
more than $5,000 for each violation” {§30129(b)}. This paragraph references 49
USC 30165 for the application of this penalty so it is clear that the
penalty could be assessed on each vehicle or part of a vehicle covered under
the violation for up to a total of $5 million.
Privacy Protections
Section 4 of the bill relies on the Federal Trade Commission
to provide additional privacy protections. The FTC is required to develop
regulations addressing the following automotive information protection
requirements {new 15 USC 57d}:
∙ Notice of the collection, transmission, retention, and use of
driving data collected from such motor vehicle;
∙ The option of terminating the collection and retention of driving
data;
∙ Continued access to navigation tools or other features or
capabilities; and
∙ Prohibition of the use of any information collected by a motor
vehicle for advertising or marketing purposes without affirmative express
consent by the owner or lessee.
Moving Forward
I think that thanks to Charlie Miller and Chris Valasek
there is an increased understanding of the potential severity of the problem.
This will be reinforced when they give their talk about the Jeep Cherokee hack
at Black Hat next month. There will be some more hearings; probably including a
command performance by Miller and Valasek with an FCA executive sitting at the
table next to them. But some sort of legislation like this will almost
certainly move forward during the 114th Congress.
Markey is a member of the Senate Commerce, Science and
Transportation Committee which is tasked with considering this bill and the
Subcommittee which will take the lead on this legislation. So he is in a good
position to move this bill through the Committee side of the equation. It
remains to be seen if he can convince Chairman Thune to work to move the bill
to the floor.
With the surface transportation bill starting to move
forward in the Senate, it would not be unusual for Markey to try to get this
added to that bill as a floor amendment. It is a bit early in the process for
this to be effective, but it would provide an interesting gauge of how well
this type of bill would do on the floor of the Senate.
Commentary
The first problem that I see with this bill is that it
relies on the DOT in consultation with the FTC to establish control system
security regulations for automobiles. While I understand that DOT is
responsible for automotive safety (and this is clearly a safety issue) I don’t
believe that they have the necessary in-house expertise to establish and
enforce workable automotive control system cybersecurity regulations.
While DHS has generally been given responsibility for
cybersecurity regulations, I don’t think that anyone there has given any
serious thought to control system cybersecurity regulatory issues. TSA, which
has the transportation security mandate, certainly has not, and their surface transportation
security folks have over the last five years or so demonstrated a marked inability
to get around to writing mandated security regulations.
What probably needs to happen here is that the bill needs to
include ICS-CERT as a consultative partner on this regulatory scheme and that
organization needs to be beefed up with some regulatory expertise to actually
be of help in this type of situation. While we are talking about ICS-CERT we
need to consider that they are going to have to add some expertise in automotive
control systems as they are obviously going to have to be dealing with
automotive control system issues going forward.
The next problem is the unnecessarily limited definition of ‘critical
software systems’. In fact, limiting the problem to ‘software systems’ could be
construed to eliminate large portions of the cyber-physical systems used to
control modern motor vehicles. Given the recent work by Corey Thuen at Digital
Bond Labs on CAN bus issues (see for example here)
it seems to me that the definition of ‘critical software systems’ needs to be
much more expansive. Even if we limit that definition to other cyber-physical
systems like lights and windshield wipers, the definition needs to include all
of the safety systems for the vehicle.
The bill needs to include specific provisions for the
discovery, reporting and mitigating of new vulnerabilities once the vehicles
are on the road. This will almost certainly be a function for the National
Highway Transportation Safety Administration, but it needs to be specifically
spelled out in the bill. This would have to include specific authority for
NHTSA to order (if necessary) an automotive manufacturer to fix a cyber defect
reported to NHTSA by a security researcher.
Finally, and perhaps most importantly, we are going to need
to have a serious discussion about who can authorize access to the various
electronic systems in vehicles. The automotive industry has long maintained
that they own those systems and only license their use to the vehicle owner.
This potentially means that a bill like this would make it a federal criminal
offense for a non-manufacturer authorized auto shop to access information in
the vehicle control system for diagnostic testing, much less make changes to
the tuning specifications for the engine to improve engine performance or
increase fuel efficiency. Because of the wide definition of hacking provided
here, even changing out a vehicle sensor with a factory replacement by the
owner could be considered hacking under the bill if the manufacturer is the
only one who can authorize access.