In 2015, two security researchers demonstrated the remote hacking of a Jeep Cherokee. What guidance exists to prevent these kinds of automotive cyberattacks? A Tech Briefs reader asks two authors of the automotive cybersecurity standard J3061™.
By gaining Internet access through the Jeep Cherokee’s entertainment system, noted security professionals Chris Valasek and Charlie Miller took control of the vehicle’s steering capabilities, brakes, and transmission. The demo caused Fiat to later recall 1.4 million vehicles to fix the vulnerability.
Valasek and Miller’s remote hack is just one example of a vehicle’s growing exposure to cyberattacks. To guard against automotive security threats, SAE created a Ground Vehicle Standard known as J3061. The guidebook establishes recommendations for designing cybersecurity into the vehicle infrastructure, including product design, validation, deployment, and communication tasks.
In a webinar titled “SAE International J3061 – The World’s First Standard on Automotive Cybersecurity,” a Tech Briefs reader asked two of the writers behind J3061:
“If J3061 was used by the auto industry today, would the recent hacking incidents have been avoided?”
Barbara Czerny, Sr. Technical Specialist Safety and Cybersecurity at ZF TRW: The hack incident would not have been avoided. We will always have hackers. We can’t guarantee 100% cybersecurity, and we can’t prevent people from hacking into vehicles.
However, by applying a well-structured and well-defined process that’s based on the process framework described in J3061, we believe that this helps to reduce the likelihood of successful attacks. Following a well-structured and well-defined process allows us to identify and determine the threats and threat risk, and prioritize the highest-risk threats and determine the vulnerability.
Since hackers are methodical, trying to instill cybersecurity into a vehicle/vehicle infrastructure in an ad-hoc manner will not be effective in the long run. We need to build cybersecurity in. By adding security in an ad-hoc manner, we may have some unneeded costs added into the vehicle that are passed on to the consumer. Adding security in an ad-hoc way may put unnecessary countermeasures in, or not take into account the highest-risk vulnerabilities. So, we may miss things and leave them open to attack.
Following a well-defined and well-structured process, as defined in J3061, helps us to focus our efforts in the correct places and provide a methodical process to try and prevent a successful attack on a system or vehicle.
Lisa Boran, Global Security Attribute Leader, Ford Motor Company: Nothing is 100% secure or foolproof. By adding this well-defined, well-structured cybersecurity process, the thieves are most likely going to go after something that is simpler and easier to attack than something that you already have preventative measures in.
Watch the full presentation: SAE International J3061 – The World’s First Standard on Automotive Cybersecurity.
The above responses have been edited for presentation on the web.