testarticlepage

Data Safety: How Do You Protect Your Fleet from Hackers?


 

Data Safety Article Banner

By Sandy Smith

 


Officers are sitting in an undercover police car, staking out a drug kingpin. Out of nowhere, the car is surrounded by armed men, because the bad guys hacked into the police network to find out vehicle locations.

What about a terrorist attack response that is dramatically slowed down because police vehicles are remotely disabled, wherever they sit?

Today’s increasingly connected vehicles provide a trove of data and insight, but that brings with it another worry, especially for law enforcement fleet professionals: the valuable data also might be of interest to criminals.

“We are very concerned about the security of our vehicles’ locations and activity information being protected at all times,” said Tim Coxwell, CAFM, Fleet Management Division Director for Leon County (Fla.) Sheriff’s Office. “We can see where potential criminal market demand for this information could outpace the recognition of the value of protecting our vehicle locations, telematics and patrolling patterns by OEM suppliers and law enforcement administrations. If we can see this information via telematics, then a criminal element can see it during a hack.”

While this issue is a concern for any vehicle, it is heightened with law enforcement vehicles, which might be at higher risk – and may offer greater thrills for criminal hackers. 

 

OEMs work with trusted vendors to ensure that their components are secure. However, after-market systems may be out of the OEM’s hands – at least for now. An OEM’s only safety net is to block what the third-party device can access.


“While we work to protect all customers from cybersecurity concerns, we understand that first responder and law enforcement vehicles play a critically important role in our communities,” said Dana Hammer, law enforcement product manager, GM Fleet. “We apply the same standards and best practices to our fleet vehicles, including those for law enforcement use, as we do for all of our customers.”

Still, Coxwell said he worries that the information will be vulnerable until there is a high-profile attack.

“I would speculate it gets worse before it gets better because through the integration of operating systems there will be more systems at risk and more opportunity for hacks,” Coxwell said. “As with our roadways, every intersection of technology is an opportunity for an unplanned change of direction.

“We are unaware of any current federal or state standards or guidelines regulating the security protocols for in-vehicle network communications,” Coxwell added. “Our industry is generally reactionary to a known exposure where a significant loss expedites the recognition of the threat and then spawns the growth and development of the response.”  


A Part to Play

Whose responsibility is it to ensure that this data is kept out of the hands of criminals? Everyone has a role, from OEM to end user. However, there needs to be an understanding of roles among all parties, said Teresa Prisbrey, Senior Vice President of Operations for Zone Defense, which provides vision and recording systems for fleet and other applications.  

“I believe we all need to understand our roles and outline them to others,” she said. Prisbrey would like to see more fleet associations and steering committees bring together working groups of OEMs, third-party providers, government agencies and end users, much in the same way that they have “taken those steps with fleet safety to protect the roads and people who drive on them.” 

 

Editor’s Note: NAFA joined the Automotive Information Sharing and Analysis Center [Auto-ISAC] – an alliance of auto industry suppliers and automakers created to enhance cybersecurity awareness and collaboration across the global automotive industry – as a strategic partner in April 2018.


Coxwell said some of those conversations are happening, where it was an education topic at NAFA’s Institute & Expo and the International Association of Chiefs of Police conference. 

None of those have yet provided concrete answers –or comfort, and fleet should collaborate with other experts, Coxwell said. “Our IT director, Janna Richardson, suggested that we begin to work together in preparing for the next wave of computers our agency will deploy in our patrol vehicles over the coming years.” 

But there is a bit of a push/pull, he said. “Until we start using their network and they can observe what type of threats are ‘interested’ in our cyber, it is hard to tell,” Coxwell said. “Cybersecurity is much more complex than seat belts, air bags, and armor.” As he has explored the topics with OEMs and vendors, the more he has learned, the more “we became more concerned about the current state of OEM mobile network security.” 


Eye on the CANBus

Despite the concerns—and a couple of high-profile media stories – Ford Motor Co. says it’s unaware of unauthorized remote access of critical vehicle systems by a third party. But that does not mean OEMs are ignoring the issue. “We’re continually tightening the security of our vehicles as we go forward,” said Randy Freiburger, Ford’s Special Vehicle Engineering Supervisor/Police and Ambulance.

The issue became a concern in 2015 when hackers took over a vehicle that was being driven down a highway by a Wired magazine reporter. The hack was part of an experiment to prove it could be done. However, that was not an isolated incident. In early 2016, the FBI released a public service announcement, warning of the issue. The hackers returned that same year in another experiment, showcasing how they could manipulate the vehicle’s speed, turn its steering wheel or slam on the brakes.

Hacks tend to come in two ways: via the CANBus (or, Controller Area Network) –which allows devices to communicate with each other without a host computer –and the OBD-II port. The latter, of course, requires access to the vehicle itself. 

The complexity comes as more and more systems are layered upon each other. Some of the largest non-vehicle cybercrimes have come because of a third-party provider. Target, the giant retailer, often is held up as an example in this area. In 2014, the company had the credit card and other personal information stolen when one of its vendors – a mechanical company – fell prey to a phishing scheme. When the victim gave up log-in information to the fake email, that was used to, in turn, log in to Target’s system. Once in, the valuable information was there for the taking.

“In addition to our continual tightening of overall security, we partition systems from each other to provide an extra layer of protection,” said Freiburger.

But as more and more vehicles move to over-the-air service updates, the opportunities increase for access.  “As the industry moves toward increased connectivity, continued diligence is becoming even more critical,” Freiburger added.  “New interfaces, access points, and delivery methods need to be secured.”


OEMs work with trusted vendors to ensure that their components are secure. However, after-market systems may be out of the OEM’s hands – at least for now. An OEM’s only safety net is to block what the third-party device can access.

“Aftermarket devices are considered untrusted,” Ford’s Freiburger said. “The owner takes on the risk of potentially voiding the warranty depending on its functionality.  Ford provides subscription capability for any necessary data exchange to ensure it is completed in an authorized fashion.”

Prisbrey suggests fleet managers ensure that any after-market product – particularly ones that access the CANBus or OBD port – meet the highest security standards. For example, Zone Defense has developed its connectivity products utilizing the European privacy standards which have much stricter policies than those in other countries.
 
While Zone Defense does not provide a product that would allow a hacker to access any of the driving functions, even hacking into a camera could be a public relations issue. “We want to make it as safe as we can,” Prisbrey said. “If someone hacks into an MDVR (Mobile Digital Video Recording device), at most they might see a video or image showing a driver infraction. There is nothing that would take over the vehicle and cause an accident. But, in today’s world, even harmless videos can become viral and tarnish a company’s reputation. That is why it is so important to meet strict security standards. 


Looking Toward the Future

For now, though, conversations are ongoing. 

“We meet with fleet customers and law enforcement agencies regularly to ensure we understand the concerns they have, and also communicate steps we are taking, and they can take as well, to protect from cyber concerns,” GM’s Hammer said. “With this feedback, we provide solutions that can be integrated into the secure vehicle platform from the beginning, as opposed to adding on potentially vulnerable aftermarket devices. If aftermarket devices are required, we can provide feedback on ways to reduce risk, as well as questions to ask vendors of these devices in how they interface to the vehicle and implement security.”

Freiburger sees that soon vehicles may have tighter access. “In general, the security protocol to get into the OBD port probably will look a little different and may have more security requirements to get access to it,” he said. 
That may mean that after-market providers will need to form alliances with OEMs so that they can access data they desire.

Prisbrey sees the industry coming together to “fill holes really quickly,” she said. “As an industry, we all do have our eyes on it and we do know there is a potential concern. As an industry, we have the conscience that we need to make sure that everything we develop is keeping that in mind.”

That may not help Coxwell – and other law enforcement fleet professionals – rest any easier. But just as with other crimes, the bad guys will continue to evolve their methods, forcing the good guys to stay one step ahead.


 
Explore More Articles...