Consortium Publishes Manifesto on Autonomous Vehicle Security

A new industry consortium publishes a manifesto it hopes will foster cooperation on the security of autonomous vehicles.

Intel, Uber and IoT company Aeris have joined forces in an effort aimed at fostering industry cooperation when it comes to building safety features into autonomous vehicles and the systems that support them. Today the group, which goes by the name Future of Automotive Security Technology Research (FASTR), issued a manifesto explaining its intentions.

The manifesto hopes to galvanize the nascent and sometimes balkanized autonomous vehicle industry. Its call to action is to infuse security into the emerging and diverse autonomous vehicle supply chain, which is composed of automakers, component manufacturers, software engineers and cloud providers.

“Autonomy promises to be one of the most significant safety mechanisms the world has ever built,” according to the manifesto. “But autonomy and security go hand in hand; autonomy and trust exist in equal measure.” To FASTR, trust is synonymous with security.

FASTR, formerly known as Automotive Security Review Board, was founded last year by charter members Aeris, Intel and Uber. Since then, the group has welcomed security firms Rambus and Karamba Security to its consortium.

“We’d like to bring as many organizations into the fold as possible that represent the diverse technology underpinnings within the autonomous vehicle industry,” said Craig Hurst, executive director of FASTR and director, Industry Alliances and Marketing Transportation Solutions Division, at Intel.

“While today’s telemetric data analytics primarily concentrate on vehicle performance and location, tomorrow’s will be focused on highly sensitive consumer experience and personal data (e.g., advanced multi-factor authentication including 3D facial recognition, passengers in attendance, contextual voice processing records, payment history and details, location, driving habits, V2X communication records, etc.),” reads the manifesto.

“Given the scope of the problems that will be needed to solve, the auto-industry will need an equally diverse set of problem solvers,” Hurst said. To that end, FASTR is hoping to attract everyone from auto industry veterans, technology giants, startups, academics and hackers.

By the end of the decade, 250 million connected cars are forecast to be on roadways, according to market research firm Gartner. By 2035, the market for partially and fully autonomous vehicles is expected to approach $77 billion, according to research by the Boston Consulting Group.

“Modern vehicles are approaching more than 100 million lines of code and 100 ECUs (electronic control units). With that in mind, you can imagine the number of vulnerabilities or zero-day exploits we are going to be talking about in a couple years,” Hurst said. “You can see how it becomes very important to build in a very solid security design lifecycle and methodology into every aspect of the autonomous ecosystem.”

Central to those designs is having confidence in the data used in autonomous systems, having system integrity and ensuring autonomous system availability, according to the manifesto. Building defenses is nothing new, Hurst said: the same “threat modeling, vulnerability assessment, security architecture, trusted supply chains and cybersecurity assurance are needed throughout all layers of automotive security.”

FASTR competes for attention with a hodgepodge of similar auto-security focused consortiums in the smart car and semi-autonomous vehicle space. Those range from organizations such as the Automotive Information Sharing and Analysis Center, which advocates automotive cybersecurity best practices, to groups such as I Am The Cavalry, a nonprofit dedicated to raising awareness about automotive security issues.

“As with most things, the more people working on the problem the better,” said Jason Haddix, head of trust and security at Bugcrowd. “The more exposure the automotive industry has to security, the more likely we are to make a real impact. This saturation forces the government to make regulations, which in turn protects consumers.”

He points out auto-security today is mostly practiced behind a closed door. “It’s a hush-hush community, mostly because of the impact any security bug can have on human lives,” Haddix said. “The auto community doesn’t have a great relationship with these experts yet. The emphasis here is yet.”
