As part of the recent outpouring of legislation and guidance from the UK government relating to cyber security, the Centre for the Protection of National Infrastructure (CPNI) has weighed in on the matter of intelligent cars.
The risk is real and though it is over-dramatised by films and television, there is nothing quite as scary as losing control of a vehicle. The threat isn't just to life - there can be fraud from personal data loss as well as keyless vehicle theft, among other risks.
Most consumers see cars as a single product, manufactured and built by the car companies from which we eventually purchase our brand-new ride. But cars are an assembly of parts sourced from all over (the world, in some cases), and this is especially true of in-car computers.
Your shiny, new horseless carriage comes with a built-in combined radio, GPS, Bluetooth stereo, internet browser, parking sensor, air conditioning and safety monitoring system. This is customised for the car manufacturer but not built by them. It is a glorified computer linked to IoT devices around the car and engine. It is constantly connected to the internet. It is therefore open to cyber attacks. Common sense tells us that protections should be in place.
However, from a legal perspective, the first point in the CPNI's guidance raises the additional question of culpability. If security of cars should be considered as part of organisational security, then could a serious compromise of an in-car system leading to death fall under the Corporate Manslaughter Act (Corporate Homicide Act in Scotland)? And does such a breach show security failings at an organisational level? Considering the potential cost to life of the failure of such a system, should it not be protected to the same level as an industrial control system?
Just some food for thought.
It is great to see the CPNI stepping up to the plate and issuing guidance like this and, while it is only guidance at this point, it should only be a matter of time until these tenets and more are enshrined in law. Coming soon to a country near you...
The Department for Transport, in conjunction with the Centre for the Protection of National Infrastructure (CPNI), has issued guidance that includes eight principles for use throughout the automotive sector for connected and autonomous vehicles, intelligent transport systems, and their supply chains.