Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Transportation Education Microsoft Privacy Software News Technology

Auto Industry Publishes Its First Set of Cybersecurity Best Practices (securityledger.com) 38

chicksdaddy quotes a report from Security Ledger: The Automotive industry's main group for coordinating policy on information security and "cyber" threats has published a "Best Practices" document, giving individual automakers guidance on implementing cybersecurity in their vehicles for the first time. The Automotive Information Sharing and Analysis Center (ISAC) released the Automotive Cybersecurity Best Practices document on July 21st, saying the guidelines are for auto manufacturers as well as their suppliers. The Best Practices cover organizational and technical aspects of vehicle cybersecurity, including governance, risk management, security by design, threat detection, incident response, training, and collaboration with appropriate third parties. Taken together, they move the auto industry closer to standards pioneered decades ago and embraced by companies like Microsoft. They call on automakers to design software to be secure from the ground up and to take a sober look at risks to connected vehicles as part of the design process. Automakers are urged to test for and respond to software vulnerabilities, to develop methods for assessing and fixing security vulnerabilities, to create training programs, promote cybersecurity awareness for both information technology and vehicle specific risks, and educate employees about security awareness. The document comes after a Kelly Blue Book survey that found that 62% of drivers think "connected cars will be hacked," and that 42% say they "want cars to be more connected."
This discussion has been archived. No new comments can be posted.

Auto Industry Publishes Its First Set of Cybersecurity Best Practices

Comments Filter:
  • Pity they didn't think of it before now.

  • ... 62% of drivers think "connected cars will be hacked," and that 42% say they "want cars to be more connected."

    Numbers may not lie, but they are occasionally insightful. If these two statements are true, and they represent the survey results of a similar control group, there is a minority report on an overlap that evidently admit cars will be hacked... but they like it, they love it, they want some more of it.

    • but they like it, they love it, they want some more of it.

      Look at the number. A minority of drivers, "like it, they love it and want more of it".

      I'm surprised anyone thinks "cybersecurity" when it comes to cars means anything beyond, "No, you cannot fix it yourself, you can't see what it's doing, and you definitely can't turn off data collection". Automobile manufacturers will be the Google/Facebook of the next ten years. You're nothing but the consumables.

      • Just as good. Who wants the liability and maintenance headaches of owning a car anymore, especially when they go autonomous? With all the cameras and road rage out there, you just can't have fun anymore, except on the track. It's better to make them into a throwaway appliance.

        If you need a vehicle, just get a 1970 3/4 ton Chevy out of the boneyard and put a sign on it saying, "Go rent a U-Haul you cheap bastard!" to warn off your neighbors.

      • by gtall ( 79522 )

        Better to be a consumable than a have a company want an intimate and long lasting relationship with me.

        Very few companies are set up for the loving care of their customers. Even Ben and Jerry's is distributing artery clogging fat globules and intent on separating you from your money, all the while shining their halos.

        • Even Ben and Jerry's is distributing artery clogging fat globules and intent on separating you from your money, all the while shining their halos.

          You should pay more attention to science. Eating fat doesn't clog arteries.

    • an overlap that evidently admit cars will be hacked... but they like it, they love it, they want some more of it.

      Makes perfect sense - there's only a small number of people who realise that if the cars software cannot be "hacked", then the only people who will be able to repair the car will be the dealership. These people presumably want aftermarket technicians to be able to fix their car.

  • I'd rather just not have networked anything in my car. There, problem solved.

    • If my grandmother had wheels she'd be a wagon

      You mean she'd be red and fun to ride?

    • If you have a car build after the early 90s you already have a car with a network. If it's newer than 2003 it's CAN.

      Here's a cheat sheet: http://canbusacademy.com/resou... [canbusacademy.com]

    • I'd rather just not have networked anything in my car.

      There's nothing stopping you from keeping and maintaining a classic made before cars had networks. But the truth is that the newer cars are a lot better in every way other than reliability of accessories.

      • I'd rather just not have networked anything in my car.

        There's nothing stopping you from keeping and maintaining a classic made before cars had networks. But the truth is that the newer cars are a lot better in every way other than reliability of accessories.

        There's going to be a gap in the market for newer cars with older tech. Probably already happening in some countries - a cheap car that can be cheaply kept on the road for decades regardless of what breaks. I'll start a business selling "perpetually-maintainable" cars, with parts based on popular existing mechanicals.

        Used to be once upon a time if you needed to swap an engine out you could with only mechanical changes (adapter plates, etc). Now you can't take (for example) a v8 off an Audi in a scrapyard a

        • Now you can't take (for example) a v8 off an Audi in a scrapyard and drop it into your Ford without first getting all the electronics correct (missing gearbox, wheels sensors, etc).

          Well, that's true and untrue. For $150 I can get my PCM hacked to be properly reflashable and it will come with a stock 6MT tune from a rare euro V8. You don't need any wheel sensors for that. The antique Bosch ME5 which comes with the 32V V8s can be written with an MPPS cable, but it cannot be read without modification. You can still tune without a hack, but you need a dump before you can start. You can also remove the immobilizer via software. Apparently the ME7 PCM which comes with the 40V is much easier

  • Yet's see dealer only sevice and forced ecu swaps. Say your can't run car os 2018 so for only $500 + labor we can upgrade it to a new one and wave the $150 software update fee or you can get a good deal on a NEW CAR. If you say no your car may enter limb mode and will be locked out of some auto drive roads.

    • by symes ( 835608 )

      That is pretty much in line with my expectations for the car trade. Fortunately, it is also my experience that with a bit of effort it is always possible to find someone to do the same work for next to nothing.

      • That is pretty much in line with my expectations for the car trade. Fortunately, it is also my experience that with a bit of effort it is always possible to find someone to do the same work for next to nothing.

        Not if they ever get security correct. Correct security means that they *will* effectively lock out everyone that is not them. After all, any exploit used by a aftermarket tech can also be used by a thief/hacker.

  • Needs to be free software updates for 7-12 years and no BS like after 1-2 years want that bug fix BUY A NEW CAR!

    • Needs to be free software updates for 7-12 years and no BS like after 1-2 years want that bug fix BUY A NEW CAR!

      It needs to be free software updates for the life of the vehicle. Get these dickheads thinking about standardizing their interfaces now so they can upgrade your PCM if they want to abandon it.

  • Rule #1 (Score:4, Insightful)

    by Snotnose ( 212196 ) on Friday July 22, 2016 @09:56PM (#52564559)
    Is rule #1 along the lines of "thou shalt not allow traffic between the entertainment system and the actual driving the car system to occur"? Cuz if not, it's a fail from the beginning.

    Exception being car system saying "oh holy fuck, slam on the brakes, this could be bad, turn off the music".
  • I fear a big fiasco (Score:5, Interesting)

    by knorthern knight ( 513660 ) on Friday July 22, 2016 @11:30PM (#52564833)

    GM can shut down any Onstar-equipped vehicle anywhere. Currently, it's being heralded as a good thing http://www.autobytel.com/auto-... [autobytel.com]

    But, as Aldredge Ames and Jonathon Pollard proved, there will always be turncoats willing to sell extremely sensitive info. So you're Al Qaeda or ISIS, with connections to Saudi oil money. Or China or Russia or whoever. You need to buy, or blackmail, the info on how it's done. Here's a doomsday scenario...

    The date is a December or January in the next few years. The forecast calls for major snowstorm in the US Northeast, followed by a brutal cold front. 6-to-10 hours before the storm is due to hit, the bad guys throw the switch in the middle of afternoon rush hour. The roads are clogged with stalled cars. There are so many stalled cars, that any "immune" vehicles wouldn't be able to get anywhere anyways. The smart drivers get out and try to find shelter in stores/hotels/wherever. The slower thinkers freeze to death in their cars.

    Because the roads are clogged with dead cars, and the US is heavily into JIT (Just-In-Time) supply chains, grocery stores, supermarkets, convenience stores, etc, are soon running out of goods. Minor issues in the power grid go unfixed, because utility workers can't get from home to the dispatch site to the problem area. More and more of the US Northeast loses electricity, and people start freezing and starving to death. The president declares martial law, but thousands, if not millions, of people die in the ensuing chaos before order is restored.

    Similar scenarios apply to anything that can be shut down "from the cloud". Imagine if Microsoft's authentication systems suddenly decided that your copy of Windows, and everybody else's, was bogus. The US shuts down. Taking over Nest thermostats durning a cold spell or a heat wave could also cause many thousands of casualties, and major chaos. It's eff-ing stupid to allow any one authority that much power, because they *WILL* get hacked, and the power *WILL* be used for evil. It's only a matter of time.

  • If this Automotive industry's main group for coordinating policy on information security and "cyber" threats has published anything, where is it? All the website has is an "Executive Summary". All this seems to be is a single consultancy company, whose sole revenue is government consulting, launching a marketing website to gather automotive execs' contact details so they can widen their customer base.
  • standards pioneered decades ago and embraced by companies like Microsoft. They call on automakers to design software to be secure from the ground up

    I believe there is a conflict between the statement and the call.

    But as further networking of cars seems unavoidable I wish them success.

  • The document comes after a Kelly Blue Book survey that found that 62% of drivers think "connected cars will be hacked," and that 42% say they "want cars to be more connected."

    the real concern should be the percentage of people that despite thinking "connected cars will be hacked," still "want cars to be more connected," and then laughed maniacally. ;)

  • Isaac Asimov Three Laws of Robotics must be MANDATORY! Anything less and your'e just asking for trouble! The documentation for the device resides IN the device and is EASILY accessible to the user. I've seen way too many devices that require intricate complicated instructions that are no where to be found when something needs fixing or modifying. IE wrist watch time setting.

Keep up the good work! But please don't ask me to help.

Working...