Information security lobbying group and research collective “I am the Cavalry” has issued an open letter to the automotive industry informing them of software failings in cars.
The open letter calls for better car safety and for collaboration with the automotive industry on five key capabilities that form a baseline for safety in the computer systems in cars: Safety by Design, developing automotive computer systems with security in mind; Third-Party Collaboration, publishing a clear vulnerability disclosure response policy that works with security researchers; Evidence Capture, retaining data that may assist with an investigation should one be necessary; Security Updates, providing a mechanism for consumers to receive fixes to computer systems quickly and easily as issues are found; and Segmentation and Isolation, ensuring that issues in non-critical systems do not affect the operation of critical systems.
Tony Sager, chief technologist for The Council on Cyber Security, said: “I think the proposed framework clearly states important principles and intent in a plain, sensible and workable way. It puts information sharing between vendors and researchers into a constructive framework and establishes a shared goal of continuous safety improvement.”
The letter asks CEOs of automotive companies to “unite with us in a joint commitment to safety between the automotive and cyber security industries”. Following the addition of basic automotive safety features, it says that “modern vehicles are computers on wheels and are increasingly connected and controlled by software and embedded devices” and that new “technology introduces new classes of accidents and adversaries that must be anticipated and addressed proactively”.
“The once distinct worlds of automobiles and cyber security have collided,” the letter said. “In kind, now is the time for the automotive industry and the security community to connect and collaborate toward our common goals.
“We urge the automotive industry to adopt, develop, enhance, and attest to these capabilities. Just as they consider other safety features, concerned consumers will be better enabled to make purchasing decisions based on your attestations against these five areas. We will help you navigate this road to build greater protections for your customers and set a new standard for safety.”
Joshua Corman, co-founder of I Am The Cavalry, told IT Security Guru that it wanted to work with “the big goliaths of the industry” having already begun one of four projects in medical device security.
He said: “Our goal is to educate the public and policy makers. It is not in our interest to find one bug in infrastructure, and we don’t want to hack products, we want to get out of the echo chamber and speak to think tanks on securing Internet of Things which are different from enterprise environments.
“We want to make room for innovation. This is the foundation of critical capability and becomes market signalling. We will ask if they have a published version of their software development lifecycle and take care of safety and logic. We know they miss things, so do they have a coordinated disclosure policy? Also, because failure is inevitable, do you have evidence capture and a foundational necessity like black boxes in planes? As Heartbleed showed, can you show updates, as you will not wait for five years to close gaps?”