FTC on 4 Strategies to Secure Connected Cars

Connected cars are about to become a whole new data point on your life and how you live it.

And connected cars will become a target for bad actors wanting to cause trouble or create fear.

In this case, both privacy and security of future cars were part of the same discussion.

Privacy concerns around the connected car

During a recent workshop of the Federal Trade Commission and the National Highway Traffic Safety Administration, a working committee said cars will collect three classes of data on all of us: "The types of data collected through connected cars will range from aggregate data, to non-sensitive data about a particular vehicle or individual, to sensitive personal data."

And those at the workshop said we must have the ability to clearly and easily opt out of sharing our most personal data unless, for example, that data is strictly used for our safety. This is crucial for widespread acceptance and adoption of smart cars.

4 strategies to fight hacking in smart cars

Cybersecurity for autonomous vehicles or connected cars is a concern raised by leaders across InfoSec, and this committee came up with four ingredients to increase security as these vehicles are developed:

1. Information sharing: Panelists agreed that information sharing through groups such as the Auto-ISAC, the International Organization for Standardization, and the Society of Automotive Engineers may limit the extent to which vulnerabilities can be exploited. The FTC has encouraged such information sharing.
2. Network design: Panelists discussed connected car network design solutions, such as segregating safety-critical functions from other functions controlled through the networks. 
3. Risk assessment and mitigation: Panelists discussed risk assessment and mitigation practices during vehicle development and after sale, and explored solutions for addressing newly discovered vulnerabilities, including over-the-air updates to connected networks.
4. Standard setting: Panelists discussed the importance of industry self regulation, including efforts to create security best practices and government standards and guidance, such as the NIST framework, in helping to set baseline security for connected cars.

As more cars join the IoT, the race will be on against hackers who are waiting for ways to do a virtual hit and run. 

"After a group of attackers has done the work to identify an attack vector, they may share that attack publicly, simplifying follow-up attacks. Several workshop panelists raised the possibility of remote attacks that could involve large numbers of connected vehicles."

And that's something no one (except bad actors) wants to see.