Truck & Off-Highway Engineering - October 2021 - 21

CYBERSECURITY FEATURE
" At the end of a month
[without trucking
distribution], literally
we're preindustrial.
- Karl Heimer,
Michigan Economic
Development Corp.
Attackers chain things together, so physical access to a vehicle
could potentially snowball into a scaled attack.
the vehicle gets more complicated, it does increase
the attack surface and the old adage that 'security is
only as strong as its weakest link' is very true. "
Another concern: many autonomous-system providers
are in startup mode and their products are not necessarily
mature - these companies are just trying to make their
systems work. " I hope that they're considering cybersecurity
at the forefront and don't try to bolt-on a solution
after the fact, " Daily said. " But my fear is that somebody's
going to underspecify a requirement for cybersecurity on
those and you're going to have to retrofit. "
York likened the situation to engine manufacturers
in the recent past placing all their engineering energy
on meeting increasingly stricter emissions regulations;
cybersecurity efforts took a back seat. " We have to
spend a lot of time squirting fuel, to get the emissions
just right, " he said. " The treadmill that we were on for
a long time with the vehicle electronics was pretty
challenging for all of us, and cybersecurity [suffered]. "
Industry standards must evolve and provide a better
platform for addressing these advanced technologies
and vehicles, York said. Even the infrastructure to support
electric trucks - the charging systems - pose a
challenge, Daily added. " Everything communicates
and everything's got data flowing, so I can see that
being a huge challenge in the near future, " he said.
The U.S. Department of Energy (DOE) and its
National Renewable Energy Laboratory (NREL) are
actively evaluating the potential cybersecurity impacts
of EV grid integration, panelists noted.
" In the more general case where you're talking
about inter-vehicle communication with modules using
wireless, certainly cryptography is a major thing
TRUCK & OFF-HIGHWAY ENGINEERING
that we have to look at, " Heimer said. " I think the industry is actually
looking at the design from an informed, adversarial point of view and
making sometimes hard choices on how you're going to put your
system together and passing security requirements down your supply
chain, and then having a few agencies that can validate your requirements
in a way that might be more robust than it is now. "
Cyber regulations, beware
With the very real possibility that security could be an afterthought in
the development of electric and autonomous systems, could cybersecurity
become more regulated in the coming years? Daily flipped this question
on its head, giving an example where " regulation is actually creating
cybersecurity issues. " He was referring to the electronic logging device
(ELD) mandate from the Federal Motor Carrier Safety Administration
(FMCSA) that synchronizes an ELD with a truck's engine to automatically
record driving time, for more accurate hours-of-service recording.
" Now you have direct, mandated network access through your own
device, " Daily said. " Basically, every truck now has an IP address. One of
the things we have to fight against is the notion that, 'Of course everybody's
going to be secure.' It's a race to the bottom for a mandated
technology - whoever sells it for $99 as opposed to $109 is going to
get most of the sales. Cybersecurity tends to not be a profit generator. "
The National Highway Traffic Safety Administration (NHTSA) has
not stated anything specific, but has indicated it would treat cybersecurity
events as safety events, York said. " Basically, they're declaring
that cybersecurity is within their domain and if you have a cybersecurity
event, they can force a recall. That's exciting. "
" What I've found as an engineer in product development is deciding
what regulations apply to your products is more of a lawyer issue
than a technologist issue, " York continued. " There are regs now for
IOT devices, like in California, that you can't have an IOT device with
a default password. Well, at what point does vehicle-autonomy stuff
become an IOT device? "
" Regulations are definitely coming for cybersecurity, " York asserted.
" They introduce issues and hopefully they will solve some
issues as well. "
October 2021 21
FROM LEFT: CYBERTRUCK CHALLENGE; RYAN GEHM/SAE
Truck & Off-Highway Engineering - October 2021

Table of Contents for the Digital Edition of Truck & Off-Highway Engineering - October 2021
