As the automotive industry continues to evolve, today’s ground vehicles are increasingly part of connected systems that will change and improve the movement of people and goods within communities and nationwide. Trucking, mass transit, and last-mile delivery services are among the first to adopt this advanced technology, and multiple states are conducting pilots to ensure its safe integration.
The U.S. Department of Transportation (USDOT) estimates that more than 80 companies are currently testing autonomous vehicles (AVs) across 40 U.S. states and Washington, D.C., and more than half of states have introduced legislation to allow testing on public roads. However, while autonomous ground vehicle technology offers benefits to organizations and communities, there are also potential threat vectors to people and assets.
The Cybersecurity and Infrastructure Security Agency (CISA) has created an Autonomous Ground Vehicle Security Guide that provides transportation systems sector partners with a framework to better understand cyber-physical threats related to AVs and recommended strategies to mitigate both enterprise- and asset-level security risks.
Various systems and components connect to AVs and enable them to operate. These include:
- Vehicle-to-everything (V2X) technologies, such as 5G, enable communication to and from an AV system.
- Parallel computing enables advanced information processing from vehicle sensors and operating systems.
- Dedicated Short Range Communications (DSRC) lets an AV communicate and sync capabilities with other AVs.
- Global Navigation Satellite Systems / Inertial Navigational Systems (GNSS/INS) ensure accurate position, velocity, acceleration, and heading data for autonomous operation.
- Light Detection and Ranging (LiDAR) uses light pulses to estimate distance and create high-resolution 3D images of the environment and road.
- High-frequency acoustic sensors use audio waves to measure distance to an object.
- Radio Detection and Ranging (RADAR) relies on radio waves to enable braking assistance applications and sensors that monitor blind spots for distance control.
- Monocular cameras allow an AV to gather 3D images of its surroundings.
- Stereo cameras capture images from two viewpoints to triangulate depth information.
- Traffic-sign Recognition (TSR) uses forward-facing cameras to recognize and interpret traffic signs on roadways.
CISA says that as the cyber-physical systems (CPS) threat landscape continues to evolve, organizations will become increasingly vulnerable to attacks that can result in data breaches, supply chain disruptions, property damage, financial loss, injury, and loss of life. CSOs and CISOs should therefore proactively monitor and manage AV technology risks using holistic security strategies that address both enterprise and asset vulnerabilities related to CPS integration with broader connected networks.
CISA’s Autonomous Vehicle Cyber-Attack Taxonomy (AV|CAT) tool provides a framework for identifying AV risks based on the attack vectors, targets, consequences, and outcomes associated with a specific cyber-physical attack. Organizations can use the AV|CAT to understand risks related to AV technology integration, as well as risks to the AVs themselves and other physical assets. The tool offers a baseline for conceptualizing attack sequences and predicting an attack’s ripple effects. Security teams can use the taxonomy to trace how a malicious actor can exploit a vulnerability, assess potential impacts, and identify associated risk mitigation strategies to enhance future resilience.
Securing AVs, like any other CPS, requires a multi-layered approach that evaluates threats to the enterprise, such as compromised proprietary data or operational disruptions, and to assets, such as an AV itself. Organizational resilience will increasingly rely on a converged approach to physical security and cybersecurity. Prioritizing communication, coordination, and collaboration across security functions and the supply chain can enhance organizational operations and optimize strategies to reduce risk. In addition to CISA’s recommended best practices, consider incorporating both enterprise- and asset-level risk mitigation strategies into security plans.