Friday, July 24, 2015

S 1806 Introduced – Auto Cybersecurity

Earlier this week Sen. Markey (D,MA) introduced S 1806, Security and Privacy in Your Car Act of 2015, or SPY Car Act of 2015. While this bill was introduced on the same day as the notorious Wired article about the Jeep Cherokee hack was published, this bill marks the culmination of an ongoing interest by Markey on this topic.

Definitions

The bill starts out by adding some new cybersecurity-related definitions to 49 USC 30102. The following terms were added:

Critical software systems;
Driving data;
Entry points; and
Hacking.

Of the four, the first and the last two are the most critical from a control system cybersecurity perspective.

The term ‘critical software systems’ was specifically limited to “software systems that can affect the driver’s control of the vehicle movement” {new §30102(a)(3)}. This means that other control systems related to signals, lights, locks and windshield wipers for example are excluded from the definition.

‘Entry points’ are those means by which someone can access driving data or through which control signals can be sent into the system. The term is specifically defined to include wired or wireless connections.

The term ‘hacking’ is given a pretty broad definition as “the unauthorized access to electronic controls or driving data, either wirelessly or through wired connections”. There is no discussion of who (the auto manufacturer or the vehicle owner) can provide authorized access.

Cybersecurity Standards

The bill then goes on to add a new section to 49 USC, §30129 addressing cybersecurity standards that would apply to vehicles manufactured two years after regulations implementing this new statute take effect. Three areas are covered in these standards:

Protection against hacking;
Security of collected information;
Detection, reporting, and responding to hacking.

The protection against hacking provisions require that the covered vehicles are {new §30129(a)(2)}:

Equipped with reasonable measures to protect against hacking attacks;
Incorporating isolation measures to separate critical software systems from noncritical software systems;
Evaluated for security vulnerabilities following best security practices, including appropriate applications of techniques such as penetration testing; and
Adjusted and updated based on the results of the evaluation.

The information security provisions of the new section deal with protecting the data collected by onboard ‘electronic systems’. The provisions include protecting data stored in the vehicle, in transit to undefined other locations, and in storage in those off-vehicle locations. The protected data is not limited to that obtained from ‘critical software systems’.

The final standard pertaining to hacking is the most broadly written. It states {§30129(a)(4)}:

“Any motor vehicle that presents an entry point shall be equipped with capabilities to immediately detect, report, and stop attempts to intercept driving data or control the vehicle.”

Once the regulations implementing these standards are written, violations of the standards could result in a civil penalty “of not more than $5,000 for each violation” {§30129(b)}. This paragraph references 49 USC 30165 for the application of this penalty, so it is clear that the penalty could be assessed on each vehicle or part of a vehicle covered under the violation, for up to a total of $5 million.

Privacy Protections

Section 4 of the bill relies on the Federal Trade Commission to provide additional privacy protections. The FTC is required to develop regulations addressing the following automotive information protection requirements {new 15 USC 57d}:

Notice of the collection, transmission, retention, and use of driving data collected from such motor vehicle;
The option of terminating the collection and retention of driving data;
Continued access to navigation tools or other features or capabilities; and
Prohibition of the use of any information collected by a motor vehicle for advertising or marketing purposes without affirmative express consent by the owner or lessee.

Moving Forward

I think that thanks to Charlie Miller and Chris Valasek there is an increased understanding of the potential severity of the problem. This will be reinforced when they give their talk about the Jeep Cherokee hack at Black Hat next month. There will be some more hearings; probably including a command performance by Miller and Valasek with an FCA executive sitting at the table next to them. But some sort of legislation like this will almost certainly move forward during the 114th Congress.

Markey is a member of the Senate Commerce, Science and Transportation Committee, which is tasked with considering this bill, and of the Subcommittee which will take the lead on this legislation. So he is in a good position to move this bill through the Committee side of the equation. It remains to be seen if he can convince Chairman Thune to work to move the bill to the floor.

With the surface transportation bill starting to move forward in the Senate, it would not be unusual for Markey to try to get this added to that bill as a floor amendment. It is a bit early in the process for this to be effective, but it would provide an interesting gauge of how well this type of bill would do on the floor of the Senate.

Commentary

The first problem that I see with this bill is that it relies on the DOT in consultation with the FTC to establish control system security regulations for automobiles. While I understand that DOT is responsible for automotive safety (and this is clearly a safety issue) I don’t believe that they have the necessary in-house expertise to establish and enforce workable automotive control system cybersecurity regulations.

While DHS has generally been given responsibility for cybersecurity regulations, I don’t think that anyone there has given any serious thought to control system cybersecurity regulatory issues. TSA, which has the transportation security mandate, certainly has not and their surface transportation security folks have over the last five years or so demonstrated a marked inability to get around to writing mandated security regulations.

What probably needs to happen here is that the bill needs to include ICS-CERT as a consultative partner on this regulatory scheme, and that organization needs to be beefed up with some regulatory expertise to actually be of help in this type of situation. While we are talking about ICS-CERT, we need to consider that they are going to have to add some expertise in automotive control systems, as they are obviously going to have to be dealing with automotive control system issues going forward.

The next problem is the unnecessarily limited definition of ‘critical software systems’. In fact, limiting the problem to ‘software systems’ could be construed to eliminate large portions of the cyber-physical systems used to control modern motor vehicles. Given the recent work by Corey Thuen at Digital Bond Labs on CAN bus issues (see for example here), it seems to me that the definition of ‘critical software systems’ needs to be much more expansive. Even if we limit that definition to other cyber-physical systems like lights and windshield wipers, the definition needs to include all of the safety systems for the vehicle.

The bill needs to include specific provisions for the discovery, reporting and mitigation of new vulnerabilities once the vehicles are on the road. This will almost certainly be a function for the National Highway Transportation Safety Administration, but it needs to be specifically spelled out in the bill. This would have to include specific authority for NHTSA to order (if necessary) an automotive manufacturer to fix a cyber defect reported to NHTSA by a security researcher.

Finally, and perhaps most importantly, we are going to need to have a serious discussion about who can authorize access to the various electronic systems in vehicles. The automotive industry has long maintained that they own those systems and only license their use to the vehicle owner. This potentially means that a bill like this would make it a federal criminal offense for a non-manufacturer authorized auto shop to access information in the vehicle control system for diagnostic testing, much less make changes to the tuning specifications for the engine to improve engine performance or increase fuel efficiency. Because of the wide definition of hacking provided here, even changing out a vehicle sensor with a factory replacement by the owner could be considered hacking under the bill if the manufacturer is the only one who can authorize access.

As a serious first pass at automotive cybersecurity legislation this looks like a pretty good bill. It still needs a lot of significant work and some serious input from the control system security community.
