October marks Cyber Security Month – a time when it is important to raise awareness about potential issues related to computers and security. The risks pertain to industries across the board, though perhaps the auto industry is not one that quickly comes to mind. With the introduction of Autonomous Vehicles (AVs), the issue of cybersecurity in the auto industry is a very real one.
At the New Car Dealers Association of BC (NCDA), we are big believers in the wonders of technology and how it can help enhance user experience. From EVs to more fuel-efficient vehicles, the technologies we've seen over the last few years have been absolutely remarkable. And with that, we're excited to see where the world of AVs takes us. But the introduction of AVs is not without the risks that could potentially come from the technologies.
In 2019, the AV industry experienced a significant shift in technologies and regulations, which made it increasingly possible for Canadians and businesses to own and operate Connected and Automated Vehicles (CAVs). AVs and CAVs have the very real potential of creating cybersecurity risks that we have never seen before. But the risks are not limited to just these types of vehicles – all newer vehicles use computers and technology to enhance user experience.
In March 2020, Transport Canada published Canada’s Vehicle Cyber Security Guidance – it provides guiding principles to help ensure vehicles are cyber-safe for Canadians. Building on existing cyber security best practices, the Cyber Guidance uses a risk-based approach to help automotive industry stakeholders mitigate and manage vehicle cybersecurity risks. The guide focuses on four major principles it encourages organizations to consider.
1. Identify how to manage cyber security risks. The guide recommends that organizations develop formal governance frameworks that clearly identify roles and responsibilities related to managing cybersecurity risks. This will ensure a process is formally in place, should any issues related to cybersecurity come up.
A risk-based approach also requires organizations to adopt a documented risk management strategy that addresses risks and ensures the safety of critical systems and personal information. Organizations should implement risk-based security controls in case there is a cybersecurity attack.
CAVs pose another interesting risk – they have an increasingly non-traditional supply chain. This means ensuring that there is a security procedure in place across the entire chain. The guide suggests that all organizations work together to enhance vehicle security and engage in cyber security sharing forums – to ensure a direct line of contact.
2. Protect the vehicle ecosystem with appropriate safeguards. The guideline suggests a layered approach when it comes to cybersecurity. This includes having security controls, data security using cryptographic techniques, secure communications, secure software development, and secure updates. With a multi-layered approach, organizations can ensure that they are being as cautious as possible to protect consumers.
The guide acknowledges a concern in the area of privacy protection. It will be challenging to apply the current laws to CAVs, as there are a number of stakeholders that will have varying degrees of responsibility for complying with Canadian privacy laws. There will be unprecedented amounts of data on passenger movements and mobility, which raises concerns about data over-collection.
A main takeaway from this section is the emphasis on training the workforce. An effective cyber security defense requires a knowledgeable workforce to properly run the systems in place.
3. Detect, monitor, and respond to cybersecurity events. One of the most important ways in which to handle cybersecurity is early detection of threats. Organizations need to have measures in place to rapidly detect, monitor, and analyze potential threats and vulnerabilities. The guide also suggests that regular security audits take place to ensure all cybersecurity measures within the ecosystem are effectively working. It’s really all about prevention.
Organizations should maintain an incident management plan and conduct regular exercises to prepare for and respond to cybersecurity threats. The plan needs to be clear and define the steps, roles, and processes to respond to any potential threats.
4. Recover from cybersecurity events safely and quickly. Should the worst-case scenario occur, and a cybersecurity event take place, this Guidance recommends a number of steps organizations should take. These include a post-incident analysis and system diagnostics to figure out where the vulnerabilities lie, and the lessons learned.
The Guidance recognizes that eliminating all threats when it comes to the risks with CAVs is not feasible or realistic – there are simply too many risks in place. Instead, the focus shifts to learning through periodic reviews and audits of security systems.
Though the thought of AVs and CAVs is exciting, it is clear that it is not without some very real cybersecurity concerns. But we are likely about a decade away from sales to the public – so I hope to see leaps and bounds in the cyber safety of these incredible vehicles.
Blair Qualey is President and CEO of the New Car Dealers Association of BC. You can email him at [email protected]