US automakers respond to cyber-security failings with new ISAC

Connected cars pose security risk
Connected cars pose security risk

Automobile manufacturers in the US are establishing an Information Sharing and Analysis Centre (ISAC) for their industry in response to the growing cyber-security threat to modern cars.

The industry has been criticised by US Senator Edward Markey and others for its woeful response to hack attacks.

The Alliance of Automobile Manufacturers and the Association of Global Automakers have jointly sponsored the ISAC for the auto industry. Speaking at the launch of the ISAC, Robert Strassburger vice president for vehicle safety at the Alliance said that computer technology had become integral to modern cars but the industry had to work “on multiple fronts” to ensure the safety and security of vehicles.

“We are announcing an added layer of cyber-protections by launching an Auto ISAC that will serve as a central hub for intelligence and analysis, providing timely sharing of cyber-threat information and potential vulnerabilities in motor vehicle electronics or associated in-vehicle networks,” Strassburger said.

It is anticipated that the auto ISAC will begin operations before the end of 2015. It will begin by disseminating information to manufacturers then expand to include suppliers. It could eventually include partners such as telecoms providers and tech companies.

“The Auto ISAC will allow automakers to more effectively counter cyber-threats in real time and further enhance the industry's ongoing efforts to safeguard vehicle electronic systems and networks,” he said.

Senator Edward MarkeySenator Markey (pictured) published a report in February based on research by his office of the cyber-preparedness of 16 major auto makers which found that security measures were inconsistent and haphazard and only two of the companies had the capabilities to diagnose or respond to infiltration in real-time.

Senator Markey posed his questions after studies showed how hackers can get into the controls of some popular vehicles including Jeep, causing them to suddenly accelerate, turn, kill the brakes, activate the horn, control the headlights, and modify the speedometer and gas gauge readings.

In addition to inadequate security, most of the companies were collecting copious amounts of driver data and transmitting it to third-parties without any protocols for protecting customer privacy.

Worryingly, many manufacturers when queried about cyber-security in their in-car systems didn't seem to even be able to understand the questions, Markey noted in his report.

“These findings reveal that there is a clear lack of appropriate security measures to protect drivers against hackers who may be able to take control of a vehicle or against those who may wish to collect and user personal driver information,” he said.

Traditionally a closed environment, the introduction of connectivity in vehicles has opened it to external software suppliers and – as surely as night follows day – this has attracted the attention of hackers. However, according to Frost & Sullivan, this has not been followed by a robust approach to security.

“The government appears to be taking action, while automakers are slower to respond. These roles must be reversed,” said Frost & Sullivan.

In the UK, the Society of Motor Manufacturers and Traders says it is addressing cyber-security with the same energy as it addressed physical security. “Vehicle manufacturers invest billions of pounds to keep vehicles as secure as possible, and work tirelessly to stay one step ahead of criminals. As a result, overall thefts in the UK have decreased by more than 75 percent over the past 10 years and continue to fall,” a spokesman told SCMagazineUK.com.

“The industry is working closely with the European Commission to ensure that motorists can experience the many benefits of connected technologies with minimal risk to vehicle security,” he said.