US legal

Wake-up call from Washington

The US legislature is moving forward, determined to shape the automotive future of the country. On September 6, the bill entitled H.R. 3388 – the Self Drive Act – passed the House of Representatives. If it passes into law, IT security for cars with automated driver assistance systems will become a necessary precondition for approval in the USA.

The Self Drive Act establishes legally binding standards for autonomous and automated driving. An entire chapter of the bill is devoted to the issue of automotive cybersecurity. The upshot is that all manufacturers of cars equipped with automated driving functions will be obligated to develop a so-called “cybersecurity plan”. The bill explicitly recommends intrusion detection and prevention systems (IDPS) for monitoring attacks and protecting key control elements as well as testing and monitoring procedures and performing regular updates.

On the one hand, the bill prescribes embedded security solutions, an effective backend, and continuous adaptation of the cybersecurity components to a continually changing risk landscape. On the other, it explicitly requires an organizationally anchored security policy that clearly defines areas of responsibility and access to sensitive data.

Such security measures are also to become mandatory for cars in which driver assistance systems are intended to perform only specific tasks. The term the bill uses here is “partial driving automation”, although it presently does not clearly explain what this term actually means. But it is assumed that vehicles with, for example, an active parking assist or a traffic jam assist will no longer be approved for the US market unless they are equipped with the cybersecurity plan the legislation calls for.

It is only a question of time until the bill becomes law in the USA. It is currently before the Senate Committee on Commerce, Science and Transportation. In all likelihood, the Senate will finally pass the Self Drive Act, subject to possible changes. So the wake-up call from Washington is clearly audible. It would be unwise to ignore it.

Against this background, ESCRYPT offers comprehensive strategic automotive security consulting. This includes important elements such as up-to-the-minute information on the existing legal situation or threat levels as well as the evaluation of the latest announcements and security-relevant incidents. The overriding goal of ESCRYPT is to support the OEM holistically across all instances – starting with their unique situation through to automotive security at the benchmark level. This includes not just the targeted use of security solutions such as hardware security modules, secure protocols for data transmission, key management, and intrusion detection and prevention systems. Equally important is the involvement of all internal and external stakeholders in the implementation and orchestration of security processes throughout the organization and across the entire life cycle of the vehicle.

Ideally, automotive security is more than the sum of its parts. The mindset the US legislature is demanding in its bill is already good practice at ESCRYPT.

