Cars Need Digital Safety Standards Too
When it comes to using your digital devices, physical safety is probably one of the few things you don’t have to worry about. Sure, the occasional overheating battery can be a problem, but generally speaking, you don’t see a whole lot of need, nor requests, for detailed safety requirements for digital gadgets.
In the automotive world, on the other hand, there is an enormous range of different safety standards and requirements that must be met before a particular vehicle can even be sold, let alone used. The Federal Motor Vehicle Safety Standards (FMVSS), which are developed and enforced by the National Highway Traffic Safety Administration (NHTSA), for example, include hundreds of detailed requirements that automakers must meet in order for a car to be eligible for sale in the US.
Importantly, these rules are intended to help maintain the safety of passengers inside the vehicle, as well as pedestrians and other people near the vehicle (such as passengers in other cars).
As cars continue to evolve, they are morphing into the most sophisticated digital devices we own (or at least use), yet unlike most electronic devices, they still represent an enormous potential safety hazard to both people and property. So, do we need to start outlining safety and security standards for the specific digital components of modern vehicles? Given the car hacking incidents that have already occurred, and the concerns about the potential for even worse ones, it seems the obvious answer is yes.
To its credit, much of the automotive industry does follow a functional safety standard for vehicle electronics called ISO 26262. Developed by the International Organization for Standardization (referred to as ISO), the standard incorporates a number of guidelines for how different electronic subsystems (both hardware and software) should work on their own, and along with other subsystems in the vehicle. In addition, ISO 26262 outlines four Automotive Safety Integrity Levels (ASIL) that rank these systems on their potential risk level, from the lowest at ASIL Level A to the highest at ASIL Level D.
As robust a mechanism as these standards may appear to represent, however, they don’t necessarily take digital security issues into account. For example, there’s no standard way to ensure the integrity of “over-the-air” upgrades to the incredibly complex software that is now found in today’s cars. While very few carmakers are currently doing software upgrades to their vehicles (unfortunately), that will undoubtedly change soon. In addition, as we start to see more advanced data and services being delivered both to and from the car thanks to technologies like 5G networks, there will be a critical need for ensuring the integrity of those communications.
Many advanced assisted and autonomous driving features also require the coordination of multiple different subsystems within a vehicle, but there aren’t sufficient standards to ensure that those in-car communications aren’t compromised in any way either.
Admittedly, like trying to develop a security standard for IoT devices overall, creating digital security requirements for cars is no easy task. One major challenge, for example, will be to determine exactly which parts of an automotive digital security solution would need to be required, and which parts may simply be recommended (and, therefore, open to a variety of interpretations by different car or component makers). The risk factor on hacked cars is so high, though, that it’s essential that the work be done. In fact, I wouldn’t be terribly surprised to see federal or state legislation that starts to demand certain automotive security requirements be met before more advanced cars can be sold.
The physical safety standards for cars have been around for 50 years and are a widely accepted and essential part of the automotive industry. What needs to happen now is a similar level of effort and acceptance on standardizing the safety and security-related digital components at the heart of today’s modern vehicles.