It has been predicted that by 2020, there will be a quarter billion connected vehicles on the road with connected capabilities; Tesla founder Elon Musk is even more aggressive, predicting fully autonomous vehicles on the roads within two years. However, some of the most significant concerns with connected vehicles are cybersecurity and privacy protection. These concerns were the main impetus behind the creation in the US of the Auto Information Sharing and Analysis Centre (ISAC) by a group of US automakers in July of 2014 (see our previous blog post on the subject). The group allows its members to share information about threats and vulnerabilities, conduct analysis and develop industry solutions. The Auto ISAC has now released its “Automotive Cybersecurity Best Practices”.
The Best Practices cover organizational and technical aspects of vehicle cybersecurity, including governance, risk management, security by design, threat detection, incident response, training, and collaboration with appropriate third parties. The Best Practices expand on the Framework for Automotive Cybersecurity published in January 2016 by the Alliance of Automobile Manufacturers (“Auto Alliance”) and the Association of Global Automakers (“Global Automakers”).
Previously, the Auto Alliance and the Global Automakers had published a set of “Consumer Privacy Protection Principles” to address vehicle technologies, but the document in many respects fell short of what was required by Canadian privacy laws.
Best practice framework
The framework covers seven major topic areas and is designed to help those engineering connected vehicles to create vehicles that are not only resistant to attack but also fail–safe (in other words, it an attack does succeed, the vehicle fails in a way that is safe i.e. coming to a slow stop versus a sudden halt). The topic areas are:
- Governance: Effective governance practices include defined executive oversight for security, defined roles and responsibilities for cybersecurity within the organization, dedication of appropriate resources to cybersecurity and the establishment of governance processes to ensure compliance.
- Risk assessment and management: In order to mitigate the impact of cybersecurity vulnerabilities, organizations are expected to standardize their processes to identify and manage risks and to monitor compliance by relevant stakeholders.
- Security by design: Cybersecurity features should be integrated into the design process by including security reviews in the development process, vulnerability testing, and validation of software updates.
- Threat detection and protection: In order to proactively detect threats, automakers are expected to use consistent processes to identify vulnerabilities, use a risk–based approach to threat monitoring, and have a plan in place for vulnerability disclosure and updates.
- Incident response and recovery: Automakers are expected to have an incident response plan with a dedicated incident response team that is periodically tested and evaluated to promote timely and appropriate action.
- Training and awareness: In order to create a culture of security automakers are expected to establish training programs to stakeholders and educate employees on their security roles and responsibilities.
- Collaboration ad engagement with appropriate third parties: Since the connected car will involve interaction between the original equipment manufacturer and external vendors, having a policy in place for third parties that is regularly reviewed is an industry best practice.
Where the rubber meets the road: Key implications and Canadian business
The release of the Auto ISAC best practices is a welcome step, but also raises several issues. The primary concern is the enforceability of the standards. Membership in the Auto Alliance which runs the Auto ISAC is voluntary, meaning there is no easy way to hold automakers accountable for implementing best practices. If an automaker believes the cost of implementing cybersecurity best practices exceeds the benefit from being part of the Auto Alliance, they can simply leave the Auto Alliance. The best practices are also limited in scope to “refer primarily to US light–duty, on–road vehicles” which raises questions about whether they will be observed in Canada and other countries.
There are also questions about how feasible implementation of the best practices is. The Auto ISAC report gives no timeline for implementation and recognizes that there could be variations between different automakers. For example, one of the best practices identified is the creation of an incident response and recovery strategy although many auto executives acknowledge that they have not considered how they would respond if their vehicles were hacked.
Automakers operating in Canada should be aware that the adoption of industry–specific cybersecurity standards does not mean that Personal Information and Protection of Electronic Documents Act (PIPEDA) does not apply, or that adoption of such best practices translates into compliance with PIPEDA. Industry codes, while helpful, cannot be used to substitute for compliance with Canada’s privacy legislation. Differences between PIPEDA and the Privacy Principles of the US Alliance of Automobile Manufacturers suggest that adopting the latter and applying a blanket approach to Canada may not be in the best interest of automakers or others in the auto industry. A tailored privacy management program to stay abreast of legal developments impacting automotive products is a more prudent approach.