Although you may want to admit it, it is true that your automobile is becoming a “thing” as far as the Internet is concerned. Self-driving vehicles are placed firmly within the Internet of Things (IoT), so why not create a subcategory, IoTA, the Internet of Things Automotive? After all, the amount of computer technology incorporated into today’s cars is mind-boggling. According to the March 2016 report, “Vehicle Cybersecurity: DOT and Industry Have Efforts Under Way, but DOT Needs to Define Its Role in Responding to a Real-world Attack,” by the U.S. Government Accountability Office (GAO-16-350), the modern luxury vehicle has an average of 100 million lines of code, compared to 6.5 million in the Boeing 787 Dreamliner aircraft. The report is available at http://www.gao.gov/assets/680/676064.pdf
As the number and size of computer programs and wireless connectivity proliferate within and between vehicles and between vehicles and their surroundings, their infrastructure and the world, the IoTA is calling many issues into question.
I recently wrote two articles on the integration and cybersecurity of in-vehicle, vehicle-to-vehicle, and vehicle-to-infrastructure systems and networks. When all of these systems are implemented over the next decade or so, they will represent an enormous complicated system-of-systems. Many of the subsystems will have been developed independently and may not be able to interoperate and interconnect with other systems without having to build complex interface systems if we do not have design standards in place very soon. But the question is “Who will develop and enforce such standards?” John R. Quain examines this issue in his article “Self-Driving Cars Might Need Standards, but Whose?” in The New York Times of February 24, 2017, page B4.
Currently, car manufacturers such as Tesla, Ford, GM, Audi, and Volvo, and other companies, such as Alphabet’s Waymo, Apple, Amazon and Uber, are ploughing ahead with their own in-vehicle systems. A few are developing vehicle-to-vehicle systems so that cars can report to each other what they are about to do. And there are a couple of experiments in vehicle-to-infrastructure communications in progress. But there is no master plan to ensure that the results of all these efforts are compatible and that the individual and combined systems and networks are safe and secure. Many of the documents about securing the IoTA are primitive and naïve, harking back to the state of cybersecurity that existed in some sectors decades ago. The auto industry only recently formed an ISAC (Information Sharing and Analysis Center) whereas the financial services sector launched the FS-ISAC in 1999.
Yes, we are seeing rapid progress in autonomous vehicles, and some preliminary efforts in vehicle-to-vehicle and vehicle-to-infrastructure systems and communications, but the way things are going, we are building a huge Tower of Babel … and we all know what happened to that! It’s time to step back and look at what kind of system-of-systems we need to meet the stringent security and safety requirements for an intelligent transportation system that will work for everyone.