Modern technology under modern threats, need modern fleet solutions

Dr. Tina P. Srivastava, Strategic Engineering Research Group, MIT

A small but growing number of security experts have focused on an emerging threat within the overall automotive security space: fleet security.

Fleet security can cover a range of things but, generally, takes the same automotive threat space and expands it to those vehicle networks that are already networked to some degree into a fleet. Think of supply chain or logistics companies, large delivery fleets, or even ride sharing and other sharable economy platforms. Each of these presents an additional threat surface beyond the consumer’s own connected car – that is, fleets have additional layers of connection. But the mesh networks and layers that connect them vary widely across industries and companies.

Security for fleets not only extends the threat surface but also presents a tangled web of security and legal questions. For example, is the driver an employee of the company? In some contexts the answer to this question is clear (e.g., when the company controls the driver, employs the driver, sets hours/routes, and provides the vehicle). In other contexts, the answer is uncertain (e.g., trucking companies who hire drivers as independent contractors or Uber and Lyft models). Who is responsible for ensuring security on the vehicle in these situations? Who is liable when there is an attack? From a technology perspective, is the company in a better position to add security to the connected infrastructure than an individual driver? While the answers to these questions are not immediately known, there is good news. Courts have been dealing with similar issues of liability and employee classification for some time (including a recent Supreme Court case), and some of the same type of legal analysis can serve as a guide as new technologies are introduced.

Robert Gee, head of product management, software and connected solutions, Continental

Fleets, and the transportation industry in general, have developed connectivity under the auspice that the architecture could be vertically siloed to specific fleets or well-defined OEM ecosystems. Such assumptions would limit the communications of individual vehicles or specific fleets to known and controllable back end systems, providing not only for differentiation but also walled gardens for security.

However, experience has shown that attackers do not subscribe to such limitations and thus happily exploit common weaknesses across the boundaries of multiple industries. The security model does not follow the fleet or OEM business model – unlike product design approaches focusing on differentiation, designing for security requires broad knowledge of related technologies and products both within the industry and across other industries.

For example, the same web-based exploit that could be used to activate a camera on a home computer might be used as one step in affecting a vehicle's driving systems. The concern increases with the fact that there are now exploit kits that can be relatively easily purchased or obtained, many of which include simple interfaces and instructions to enable even novice hackers to try their hand.

But there are positive directions as well: although fleets and individual vehicles are relatively new to the world of remote attacks, there is much that has already been done in other industries. There are formal training courses and conferences for white hat hackers, those persons who wish to do good by learning the dark hacking arts in order to find ways to defend against them. And there are new activities within the transportation industry such as the beginnings of the new Auto-ISAC, the Information Sharing Advisory Center, structured on a best-practice used in other industries: namely, the sharing of common exploit information so that all members of the industry can apply the known protections to identified attacks.

So while media attention has recently been focused on the topic of security, nevertheless, there has been in the past and will continue to be a very real risk – the vehicle hacking announcements in 2015 are neither the beginning nor the end of reported hacks to vehicles. As the connected vehicle industry matures, consumers should demand security just as they continue to demand increased levels of active safety systems, and the transportation industry should further collaborate across its own members and with other industries, including white hat hackers, to address these ever-changing threats.

Wes Mays, director, OEM product innovation, Omnitracs

Everyone seems to be most concerned about terrorism… and while that is obviously a concern, the biggest and most widespread threat is going to be true cyber security: the silent type that is difficult to detect. The theft of corporate information such as routing plans, manifests, logistic information, customer lists, costing information, fuel costs, and other competitive information that can be used to “win” business using that stolen information for competitive advantage. The victims probably won’t even realise it.

There are multiple layers of network, telematics and vehicle security in place. For obvious reasons we are not going to disclose what that is and how it works. Fortunately, for fleets and commercial vehicles, the biggest safeguard is that the driver is still in control of the truck. It is also worth pointing out that most telematics systems allow for remote programming of the telematics system, so any security breaches can be remedied over the air quickly, preventing further exploits of the same attack.

Clearly the opportunity to hack into a truck depends on what type of equipment is installed. For example, the more control-by-wire systems there are, the more likely it is that a system can be compromised, thus more care must be taken to ensure safety and security. Consider the old emergency brake design that uses a physical cable. This is purely a mechanical system. There are no electronic components, and so there is no electronic way to engage the brake. Does that alone make the system secure? Not necessarily: you could conceivably crawl under the vehicle, find the cable and cut it to disable the function, or add tension to it to force engagement of the brake. So even non-electronic systems are hackable, albeit by different methods. Modern electronic vehicle technology just makes the factors more complex. The subsystems themselves on a vehicle may take action based on inputs from another subsystem on the vehicle. For example, a collision avoidance system may have the need to engage the braking system. Once the braking system is designed to take electronic input from another subsystem on the vehicle, that exposes an attack point. Now consider the complexities of a vehicle network and telematics devices that essentially connect the vehicle to the internet and you start to see the potential safety and security threats to a vehicle.

Ultimately, security and safety have to be designed into the vehicle and the telematics systems need to be included up front in cooperation between OEMs, Tier 1 suppliers, telematics providers, and the owners/drivers that add other aftermarket equipment. The responsibility for fleet cyber security is going to be everyone’s.

Gail Gottehrer, partner at Axinn

Cybersecurity is a concern for the fleet industry. The electronic management tools that fleet owners and operators use for a variety of business purposes, including vehicle tracking, driver performance monitoring, navigation and electronic logging of hours of service, make fleet vehicles vulnerable to hacking. While these monitoring apps provide numerous benefits for fleet owners, they also provide potential points of entry that hackers can exploit to gain access to vehicle systems. Today’s fleet vehicle is essentially just one more potentially hackable computerised device.

The risks of hacks and other potential cyber threats are not news to the fleet industry. In the Fall of 2014, NAFA published an article titled “Car Hacking: Preparing for the Future Now,” which alerted its readers to these issues. To address these risks, the fleet industry can take steps like those automobile manufacturers have taken, such as working with ethical hackers to encourage them to identify vulnerabilities so they can be resolved before any damage occurs, and teaming up with researchers, like those at the University of Michigan, whose work includes testing the security and firewalls on automated cars to identify hacking risks.

While fleet hacking is not a significant threat at this time, the media attention that has been given to recent automobile-related hacks has succeeded in drawing public attention to the importance of vehicle cybersecurity and the need to be proactive about protecting cars and fleets. While the recent hacks have been dramatic and highly publicized, they were conducted by teams of researchers with extensive technological skill and experience, who spent a considerable amount of time figuring out how to accomplish these hacks. While cybersecurity is a pressing issue that the fleet industry is wise to focus on, the recent hacks should not cause the industry to panic or to question the use and value of telematics and electronic fleet management tools.

A hack on a fleet vehicle will have different legal consequences than a hack on a consumer vehicle. The driver of a fleet vehicle is most likely to be an employee, either of a private company or a government entity. That employee will be driving a vehicle maintained by his employer and provided to him by his employer to use to perform his job duties. The employee cannot dictate what sensors or monitoring devices are installed in the vehicle, nor does he have control over how these devices are maintained and updated. If a fleet vehicle is hacked and the employee is injured, the driver could potentially assert claims against the employer alleging that the employer was negligent, having failed to adequately maintain the vehicle in proper working order and having failed to ensure that the vehicle it provided to the employee was safe to operate. In addition to alleging that the employer breached a duty of care to the employee, the employee might also allege that the employer acted recklessly by requiring the employee to work in a vehicle that was not sufficiently secure and thereby putting the employee at risk while doing his job. (Employers will, of course, be able to assert defences to these claims.) By contrast, if a consumer vehicle were to be hacked while being driven by the consumer who owns it, the driver’s potential legal claims would be directed at the manufacturer of the vehicle and would be based on product liability theories.

Catch up with all the developments in fleet telematics at Connected Fleets USA 2015 this November 16-17.
