The Evolving Landscape of Connected Vehicles
As the automotive industry continues its rapid technological transformation, the integration of autonomous and connected vehicle systems has become increasingly prevalent. Today’s vehicles boast an array of advanced features, from Wi-Fi and Bluetooth connectivity to satellite-enabled telematics and sophisticated driver-assistance capabilities. These innovations deliver greater convenience, safety, and efficiency for both drivers and pedestrians.
However, this growing connectivity has also introduced new vulnerabilities that malicious actors can exploit. The complex hardware and software systems that power connected vehicles have expanded the attack surface, enabling adversaries to potentially access and manipulate critical vehicle functions remotely. Securing these advanced automotive technologies against malware threats has become a pressing priority for both industry and policymakers.
Dissecting the Risks: Vulnerabilities in Connected Vehicle Systems
At the heart of the connected vehicle ecosystem are two core systems that warrant particular attention: the Vehicle Connectivity System (VCS) and the Automated Driving System (ADS). These systems, if compromised, can serve as gateways for adversaries to infiltrate vehicle operations and data.
Vehicle Connectivity System (VCS): The VCS is the primary interface between the internal vehicle network and external communication channels. It collects data from onboard sensors and enables the vehicle to access external data sources, facilitate vehicle-to-vehicle communication, and provide enhanced services to users. However, the connectivity and data-handling capabilities of the VCS also make it a valuable target for exploitation. Adversaries could potentially inject malicious code into the VCS, allowing them to surveil, disrupt, or even manipulate critical vehicle functions.
Automated Driving System (ADS): As vehicles become increasingly autonomous, the ADS plays a central role in processing data from a multitude of sensors and making crucial driving decisions. The complexity of ADS software, its reliance on a vast array of data sources, and its direct control over vehicle operations render it a prime target for adversaries. Compromising the ADS could enable an attacker to corrupt the data feeding into the system, leading to erratic or dangerous vehicle behavior that could jeopardize the safety of drivers, passengers, and pedestrians.
The integration of these vulnerable systems into the connected vehicle ecosystem presents a significant risk, as adversaries could leverage them to exfiltrate sensitive data, disrupt critical infrastructure, or even physically endanger human lives. Securing the supply chain and mitigating these threats is a pressing challenge for the automotive industry and policymakers.
Adversary Spotlight: The Risks Posed by China and Russia
Two foreign adversaries, in particular, pose significant threats to the security of connected vehicles: the People’s Republic of China (PRC) and the Russian Federation (Russia).
The PRC’s Automotive Ambitions and Cyber Capabilities:
The PRC’s automotive sector has experienced rapid growth, fueled by state-backed policies and a focus on technological innovation. This expansion, combined with the PRC’s legal and regulatory framework that enables government control over domestic companies, increases the risk of PRC-linked entities infiltrating the global connected vehicle supply chain. Furthermore, the PRC’s advanced cyber espionage capabilities and its military-civil fusion strategy, which aims to leverage private-sector innovation for military modernization, heighten the threat of PRC-based actors exploiting connected vehicle vulnerabilities.
Russia’s Automotive Resurgence and Regulatory Control:
While historically less prominent in the global automotive market, Russia has recently sought to revitalize its domestic auto industry, potentially increasing the likelihood of Russian-linked entities entering the U.S. connected vehicle supply chain. Moreover, Russia’s legal framework grants the government sweeping powers to compel domestic companies to cooperate with security and intelligence services, enabling the Russian state to gain privileged access to sensitive data and systems within connected vehicles.
The combination of the PRC’s and Russia’s growing automotive industry involvement, their legal and regulatory frameworks that enable government control, and their demonstrated cyber capabilities poses undue and unacceptable risks to the security and safety of connected vehicles in the United States.
Securing the Connected Vehicle Supply Chain: Proposed Regulatory Approach
To address the national security threats posed by connected vehicle systems designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of the PRC or Russia, the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) has proposed a comprehensive regulatory framework.
The key elements of the proposed rule include:
1. Targeted Prohibitions
- Prohibiting the import of Vehicle Connectivity System (VCS) hardware designed, developed, manufactured, or supplied by persons linked to the PRC or Russia.
- Prohibiting the import or sale of completed connected vehicles containing Covered Software (software for VCS or ADS) designed, developed, manufactured, or supplied by persons linked to the PRC or Russia.
- Prohibiting the sale of completed connected vehicles by manufacturers owned by, controlled by, or subject to the jurisdiction or direction of the PRC or Russia, regardless of the origin of the VCS hardware or Covered Software.
2. Compliance Mechanisms
- Declarations of Conformity: Requiring VCS hardware importers and connected vehicle manufacturers to submit annual certifications attesting to their compliance with the regulations.
- General Authorizations: Allowing certain low-risk transactions, such as the import of VCS hardware for testing or the sale of connected vehicles used for limited public road testing, without the need for prior BIS approval.
- Specific Authorizations: Providing a pathway for VCS hardware importers and connected vehicle manufacturers to seek BIS approval for transactions that do not qualify for a general authorization, enabling case-by-case risk assessments and the implementation of tailored mitigation measures.
3. Enforcement and Penalties
- Establishing civil and criminal penalties for violations of the regulations, including engaging in prohibited transactions without authorization and providing false information to the government.
- Providing a mechanism for appeals and administrative reviews of BIS decisions related to specific authorizations.
Balancing Security and Practicality: Key Considerations
In developing this proposed rule, BIS has sought to strike a balance between addressing the national security risks and minimizing unnecessary disruptions to the connected vehicle supply chain. Key considerations include:
Scope and Definitions:
BIS has narrowly defined the scope of the rule to focus on the most critical systems – VCS and ADS – while excluding other vehicle components that pose a lower risk or provide high utility to consumers.
Implementation Timeline:
To allow industry sufficient time to adjust their supply chains, the proposed rule includes phased implementation timelines, providing a longer transition period for VCS hardware compared to Covered Software.
General Authorizations:
The availability of general authorizations for low-risk transactions, such as the import of VCS hardware for testing or the sale of connected vehicles used for limited public road testing, aims to reduce compliance burdens for smaller market participants.
Specific Authorizations:
The specific authorization process enables BIS to assess the unique risks and mitigation measures on a case-by-case basis, providing a flexible approach to address the evolving nature of connected vehicle technologies and supply chains.
Recordkeeping and Declarations of Conformity:
The proposed requirements for detailed recordkeeping and annual Declarations of Conformity are designed to enhance supply chain transparency and enable effective enforcement, while avoiding overly prescriptive due diligence mandates.
Conclusion: Securing the Future of Autonomous Mobility
As the connected vehicle ecosystem continues to evolve, safeguarding these advanced automotive systems against malware threats has become a critical priority. The proposed regulatory framework from the U.S. Department of Commerce’s Bureau of Industry and Security aims to address the undue and unacceptable risks posed by the involvement of foreign adversaries, particularly the PRC and Russia, in the connected vehicle supply chain.
By targeting the most vulnerable systems, providing compliance flexibility, and fostering supply chain transparency, this proposed rule represents a comprehensive approach to enhancing the security and resilience of autonomous and connected vehicles. As the industry and policymakers work together to implement these measures, they will be better equipped to ensure the safe and reliable deployment of transformative transportation technologies that benefit both drivers and the broader public.
To stay informed on the latest developments in this space, be sure to visit the IT Fix blog, where seasoned IT professionals provide practical insights and in-depth analysis on the evolving landscape of technology, including the critical issue of securing connected vehicles.
