Identificación y confirmación de la demanda

Intelligent Transportation Systems (ITS) that are emerging around the globe achieve that classification based on the convergence of smart technologies that allow the included systems to communicate and share data in real time.347 _{These systems rely on}

architectures that have varying degrees of security protocols embedded, which could lead to vulnerabilities internally and externally by cyber intrusion.

343 “National Cyber Security Awareness Month.” 344 Ibid.

345 “Chief’s Checklist,” accessed October 4, 2015, http://www.iacpcybercenter.org/chiefs/it-security/ chiefs-checklist/.

346 “Home,” accessed October 5, 2015, http://www.iacpcybercenter.org/. 347 “Fast Facts,” accessed October 6, 2015, http://its.dot.gov/fastfacts.htm.

Autonomous and connected vehicles once were considered concepts for the future, but because of accelerated research and development, they are poised to enter the consumer market within the next decade. These vehicles are systems of systems and include hardware and software that enable communications and operations with little to no input from a human. The modern automobile contains numerous electronic control units (ECU’s) that control information and functions within the car like brakes, lighting, and drivetrain components.348 _{These ECU’s will also be present in autonomous and}

connected vehicles and will function in similar manner to today’s automobile.

The vehicle’s ECU’s are connected via electrical architecture in an internal network that routes data through a Controller Area Network (CAN) bus.349 _{While this}

configuration provides reduced costs to manufactures, it does allow data to flow from individual system components through a central processing unit. However, this arrangement creates the possibility for serious consequences in the event of a cyber attack. Once access is gained to the CAN bus an attacker could manipulate individual safety critical functions in the car.350

This process would require the attacker to have knowledge of the vehicle’s electrical system, and the data packets that signal and control individual systems to perform a specific function. This is achieved through experimentation by “fuzzing” where wireless signals are captured after observing data flows on a computer that is in proximity to the target vehicle.351

The attacker would then need access to the vehicle or have sufficient knowledge to execute a remote attack via an external attack surface like Bluetooth, cellular phone or

348 Tobias Hoppe, Stefan Kiltz, and Jana Dittmann, “Security Threats to Automotive CAN networks—Practical Examples and Selected Short-Term Countermeasures,” Reliability Engineering &

System Safety 96, no. 1 (January 2011): 11, doi:10.1016/j.ress.2010.06.026.

349 Stephen Checkoway et al., “Comprehensive Experimental Analyses of Automotive Attack Surfaces,” in USENIX Security Symposium, 2011, http://static.usenix.org/events/sec11/tech/full_papers/ Checkoway.pdf.

350 Karl Koscher et al., “Experimental Security Analysis of a Modern Automobile” (IEEE, 2010), 448, doi:10.1109/SP.2010.34.

infotainment systems in the car.352_{Most major car manufacturers now have Telematics,}

like GM’s On Star as optional packages on their vehicles, which provide driver services, but also provide an attack surface into the vehicle.353

The remote attack is much more sophisticated but has recently been executed by two cyber researchers named Miller and Valasek.354 _{An exhaustive discussion on remote}

attacks is also presented in a paper entitled, “Comprehensive Experimental Analyses of

Automotive Attack Surfaces.355

Direct physical access to a vehicles internal network system can be achieved by multiple means. Methods include insertion of malware from a compact disk (CD) into the CD player or inserting an infected universal serial bus (USB) drive into a USB port. Connecting a digital media device (iPod/iPhone) or similar device with embedded malware would achieve the same result.

A vehicle’s On Board Diagnostic (OBD) port is particularly vulnerable and easily accessed near the steering wheel beneath the dashboard. These OBD ports are federally mandated in the United States and are most often used by mechanics for diagnosis and programming of the ECU’s on the vehicle.356_{This port provides access to the vehicles}

CAN buses from which access to automotive systems can be achieved with relative ease.357

It is not the intent of this paper to articulate specific attack scenarios or how to accomplish them, however it is critical to understand that autonomous and connected vehicles will have similar electrical CAN bus architecture as current vehicles and will be subject to similar attack by nefarious actors.358

352 Checkoway et al., “Comprehensive Experimental Analyses of Automotive Attack Surfaces.” 353 Koscher et al., “Experimental Security Analysis of a Modern Automobile,” 449.

354 Greenberg, “Hackers Could Take Control of Your Car. This Device Can Stop Them.” 355 Checkoway et al., “Comprehensive Experimental Analyses of Automotive Attack Surfaces.” 356 “A Brief Intro to OBD-II Technology,” accessed October 5, 2015, http://www.cnet.com/news/a- brief-intro-to-obd-ii-technology/.

357 Checkoway et al., “Comprehensive Experimental Analyses of Automotive Attack Surfaces.” 358 Kim et al., “An Approach to Communications Security for a Communications Data Delivery System for V2V/V2I Safety: Technical Description and Identification of Policy and Institutional Issues.”

Evidence suggests that vehicles could become a target for hackers, but the National Highway Traffic Safety Administration recently acknowledged a dearth of qualified engineers to research cyber related issues.359 _{The Electronics Systems Safety}

Research Division has a total of seven employees in two locations. They are responsible for testing and evaluating cyber vulnerabilities among other assigned duties.360

NHTSA also intends to create a Cyber Information Sharing Analysis Center for vehicles.361 _{Automakers agreed to the idea in July 2014 to allow for the exchange of}

information, but the center has yet to open. NHTSA officials are now concerned that future attacks on connected vehicles will have the potential to affect multiple cars in a single event.362

The U.S. Department of Homeland Security is also concerned about cyber security for motor vehicles. The DHS Science and Technology Directorate (DHS S&T), the Cyber Security Division, and the U.S. Department of Transportation Volpe Center (DOT Volpe), and the non-profit research institute SRI International have formed a new Government Vehicle Cybersecurity Steering Group that met in October 2015.363 _This

group will assess the threat to government vehicles and develop appropriate security measures.

Law enforcement across the nation should be concerned with preparing for how to investigate cyber attacks on vehicles. They should be equally concerned with ensuring their own fleet vehicles are protected so that the public safety mission can still be achieved. It was this thought that drove the recent public-private partnership undertaken by the Virginia State Police.

359 “Short-Staffed NHTSA Struggles to Handle Car-Hacking Threats,” accessed October 5, 2015, http://www.autoblog.com/2015/10/02/short-staffed-nhtsa-struggles-to-handle-car-hacking-threats/.

360 Ibid. 361 Ibid. 362 Ibid.

363 Invitation in possession of author to participate in Government Vehicle Cybersecurity Steering Group Kickoff Meeting, October 22, 2015. Dr. Dan Massey, DHS, e-mail message to the author, September 15, 2015.