Stories
Slash Boxes
Comments

SoylentNews is people

New UK Guidance on Vehicle Cyber Security

posted by FatPhil on Wednesday August 09 2017, @01:16AM   Printer-friendly
from the but-what-if-secure-means-rot-13 dept.

SemperOSS writes:

I must have banged my head and woken up in an alternate universe as something apparently reasonable seems to have emerged from inside the British government. It has issued a guidance on cyber security for "intelligent" vehicles:

[...]
Smart vehicles are increasingly becoming the norm on British roads – allowing drivers to access maps, travel information and new digital radio services from the driving seat.

But while smart cars and vans offer new services for drivers, it is feared would-be hackers could target them to access personal data, steal cars that use keyless entry, or even take control of technology for malicious reasons.

Now new government guidance will ensure engineers developing smart vehicles will have to toughen up cyber protections and help design out hacking. The government is also looking at a broader programme of work announced in this year's Queen's speech under the landmark Autonomous and Electric Vehicles Bill that aims to create a new framework for self-driving vehicle insurance.
[...]

The guidance contains eight key principles:

  1. Organisational security is owned, governed and promoted at board level
  2. Security risks are assessed and managed appropriately and proportionately, including those specific to the supply chain
  3. Organisations need product aftercare and incident response to ensure systems are secure over their lifetime
  4. All organisations, including sub-contractors, suppliers and potential 3rd parties, work together to enhance the security of the system
  5. Systems are designed using a defence-in-depth approach
  6. The security of all software is managed throughout its lifetime
  7. The storage and transmission of data is secure and can be controlled
  8. The system is designed to be resilient to attacks and respond appropriately when its defences or sensors fail

Each principle is fleshed out in slightly more detail and they also point out that the list is not intended to be exhaustive.

Now, dear Soylentils, what would you add to the list to come closer to completeness?

Original Submission

 
This discussion has been archived. No new comments can be posted.
New UK Guidance on Vehicle Cyber Security | Log In/Create an Account | Top | 19 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 0) by Anonymous Coward on Wednesday August 09 2017, @09:06PM

    by Anonymous Coward on Wednesday August 09 2017, @09:06PM (#551297)

    1 ) No, they don't even know enough to know what they don't know. At most, one might say that the board will be held responsible for breaches - at which point corporate board memberships touching anything electronic will be a punishment duty. The documented details suggest that this may be delegated. You bet your bottom dollar it will be, and whoever gets the delegation turns into Sacrifical Lamb A.

    2) This isn't guidance. This is buzzword bingo. Who decides what's appropriate and proportionate? Theresa May? QA dude no. 357 in some chinese factory? And their further guidance is so open-ended that it might as well require full tempest hardening for all vehicles.

    3) And the criterion for being secure is ... no breaches? Or? And the lifetime is ... as long as some classic car enthusiast in 2175 runs a vehicle made by a long-vanished company? This is wide open. The most that the guidance really supports is that it should be auditable. Great. I'm sure that the government won't ever use that for nefarious purposes.

    4) Right. Right. Because saying so will make it happen. As per point 2. And in 4.3 it specifically calls out the ecosystem. Wow.

    5) Right. Who gets to decide how much depth is enough? Or is it retroactively insufficient after all layers have been penetrated by some 15 year old fungus with a keyboard? Inquiring minds want to know. There's no criterion for success defined.

    6) Again, as per point 3, lifetime is a very fuzzy concept. Or does lifetime stop 6 months after it is off the lot? The further guidance is as useful as teats on a bull. The whole thing can be updated, but also returned to a known good state? Read: black hats (state sponsored or not) can rewrite it to whatever the hell they want and you'll be none the wiser.

    7) Again this vague notion of what security constitutes. Controlled by whom? Under which criteria? No answers here.

    8) If the defences failed, it's because the driver is a filthy commie spy who undermined the copy protection. The vehicle locks up, deploys airbags, and screams for Judge Dredd.

    Only a bureaucrat, and an engineer blind to bureaucratic methods, or in cahoots with them, could have come up with this worthless pile.