I must have banged my head and woken up in an alternate universe as something apparently reasonable seems to have emerged from inside the British government. It has issued a guidance on cyber security for "intelligent" vehicles:
[...]
Smart vehicles are increasingly becoming the norm on British roads – allowing drivers to access maps, travel information and new digital radio services from the driving seat.But while smart cars and vans offer new services for drivers, it is feared would-be hackers could target them to access personal data, steal cars that use keyless entry, or even take control of technology for malicious reasons.
Now new government guidance will ensure engineers developing smart vehicles will have to toughen up cyber protections and help design out hacking. The government is also looking at a broader programme of work announced in this year's Queen's speech under the landmark Autonomous and Electric Vehicles Bill that aims to create a new framework for self-driving vehicle insurance.
[...]
The guidance contains eight key principles:
Each principle is fleshed out in slightly more detail and they also point out that the list is not intended to be exhaustive.
Now, dear Soylentils, what would you add to the list to come closer to completeness?
(Score: 0) by Anonymous Coward on Wednesday August 09 2017, @09:06PM
1 ) No, they don't even know enough to know what they don't know. At most, one might say that the board will be held responsible for breaches - at which point corporate board memberships touching anything electronic will be a punishment duty. The documented details suggest that this may be delegated. You bet your bottom dollar it will be, and whoever gets the delegation turns into Sacrifical Lamb A.
2) This isn't guidance. This is buzzword bingo. Who decides what's appropriate and proportionate? Theresa May? QA dude no. 357 in some chinese factory? And their further guidance is so open-ended that it might as well require full tempest hardening for all vehicles.
3) And the criterion for being secure is ... no breaches? Or? And the lifetime is ... as long as some classic car enthusiast in 2175 runs a vehicle made by a long-vanished company? This is wide open. The most that the guidance really supports is that it should be auditable. Great. I'm sure that the government won't ever use that for nefarious purposes.
4) Right. Right. Because saying so will make it happen. As per point 2. And in 4.3 it specifically calls out the ecosystem. Wow.
5) Right. Who gets to decide how much depth is enough? Or is it retroactively insufficient after all layers have been penetrated by some 15 year old fungus with a keyboard? Inquiring minds want to know. There's no criterion for success defined.
6) Again, as per point 3, lifetime is a very fuzzy concept. Or does lifetime stop 6 months after it is off the lot? The further guidance is as useful as teats on a bull. The whole thing can be updated, but also returned to a known good state? Read: black hats (state sponsored or not) can rewrite it to whatever the hell they want and you'll be none the wiser.
7) Again this vague notion of what security constitutes. Controlled by whom? Under which criteria? No answers here.
8) If the defences failed, it's because the driver is a filthy commie spy who undermined the copy protection. The vehicle locks up, deploys airbags, and screams for Judge Dredd.
Only a bureaucrat, and an engineer blind to bureaucratic methods, or in cahoots with them, could have come up with this worthless pile.