With CAVs, it is not only a matter of the confidentiality of personal data, it is also a matter of public safety. However, modern connected cars are highly complex, with upwards of 100 electronic control units (ECUs) and tens, if not hundreds, of millions of lines of code. Add to this a wide range of ingress points and a complex supply chain, and it is not surprising that Mary Barra, CEO of General Motors, said in 2016 that "[a] cyber incident is a problem for every automaker in the world."
It was estimated that in 2014, more than half of the vehicles sold in the U.S. were connected in some way. That number will only have increased since then. At the same time, the degree of connectivity, and the extent to which ECUs within a car communicate with each other, has also increased. Although level 4 and 5 autonomous vehicles (highly autonomous and fully autonomous) are still some way off, the industry is moving at such a pace that it is only a matter of time before such vehicles start appearing on the roads in numbers. Governments are also grappling with the issue, for example the UK government's stated desire for the UK to become a leader in connected cars, and engaging in discussions with the insurance industry about some of the insurance issues that arise in relation to connected vehicles (see our article on liability and insurance for more).
End-user engagement and education is a key part of this puzzle. A vehicle may be secure when sold, but that is only part of the issue (although admittedly a good start). As mentioned above, 'on the fly' patching and updating is one way to deal with the issue, but this may not always be possible. If a vehicle does not have the latest critical updates installed, should it be automatically disabled as presenting a risk to other road users? What if a critical update is pushed out automatically that, in fact, creates new vulnerabilities, or compromises the car in some way? If for some reason a vehicle does need to be taken to a dealer, how can owners be educated (or incentivised) to do this quickly, when (as far as they can tell) the vehicle is behaving as it should and is perfectly roadworthy?
The ENISA guidance published in January 2017, provides a very useful and detailed guide to the issues. This guidance noted a number of critical issues with the current lifecycle for manufacture of connected cars, including no defence in depth strategies, no security or privacy by design, lack of communication protection on internal and external interfaces, lack of authentication and authorisation (particularly for privileged access to ECUs), lack of hardening, and lack of diagnosis and response capabilities. While it is perhaps to be expected that such a report would highlight serious issues in an industry which is still in relative infancy, these are major issues with the processes for designing and building CAVs which will need to be resolved.
There is some movement across the industry towards common standards which should deal with some of these issues. However, this is likely to take some time to achieve, and there is a risk of watering down to the minimum. While arguably this would, in itself, be an improvement on the current situation, it remains to be seen whether legislators will step in and impose standards on the industry. There have been moves in this direction; in 2015, Senators Markey and Blumenthal proposed standards to establish federal standards for vehicle cybersecurity in the USA, but other legislators consider that the market should be left to formulate solutions and set standards, arguing that anything proposed by government will quickly be out of date. Taking a cynical view, it may be that litigation or risk of significant liability, and the development of the insurance market, drives the industry to accelerate resolving some of these issues. There are already a number of safety and security initiatives in motion, and again, the ENISA guidance provides an excellent summary of those initiatives and what it considers to be good practice. Hopefully the industry will see significant development over the next few years to move to resolve these difficult issues.
If you have any questions on this article please contact us.
Driverless cars are among the most significant advancements in technology set to bring about changes to our existing product liability regimes.
2 of 4 Insights
Every day, new and innovative data services from the connected car universe are introduced to the public: telecommunications providers connect the driver to tailor-made insurance products via a mobile app which generates driving and movement profiles; users are offered the opportunity of monetising their data collected from their vehicles by providers ranging from public garage operators to insurers; a German university sets up a connected car test drive in the heart of Berlin to collect IoT data from connected vehicles for research purposes; the list goes on.
3 of 4 Insights
For many, driverless cars and autonomous driving features present exciting commercial and technological opportunities. For the insurance industry, however, they are a significant market disruptor.
4 of 4 Insights