Cybersecurity challenges of systems-of-systems for fully-autonomous road vehicles

摘要

We are seeing rapid development of in-vehicle, vehicleto- vehicle, intelligent roadway, infrastructure and ride-hailing systems. However, progress in some areas is much faster than in others. For example, in-vehicle self-driving systems are evolving rapidly, but development of intelligent road systems is relatively sluggish. These systems are beginning to interconnect and interoperate to become complex systems-of-systems for which attack surfaces and vulnerabilities are expanding exponentially. Many of these systems are standalone and proprietary and do not interoperate. However, systems must be seamlessly integrated if we are to arrive at safe and secure fully-autonomous road vehicles. If we do not create broad standards early on, we can expect vulnerabilities to grow so much that they could overwhelm potential benefits from improved safety and fuel economies. Warnings about cybersecurity consequences of such complexities appear from time to time in academic publications and the popular press, but few companies and government agencies do not seem to heed these admonitions and suggestions. Meanwhile, the self-driving juggernaut ploughs ahead. Here, we identify likely cybersecurity consequences that will arise because current efforts reflect uncoordinated design and development, particularly of supporting infrastructure systems. We describe how such risks might be mitigated proactively by introducing cybersecurity requirements early in the design, development and deployment processes. We also discuss how we might establish universal automotive and transportation security and safety standards that are enforceable and can be enforced globally across in-vehicle and ex-vehicle systems. While we see impressive near-term advances, particularly with in-vehicle systems and vehicle-to-vehicle systems, such innovations will eventually hit a roadblock if infrastructure systems, both physical and cyber, do not receive the attention required to achieve acceptable levels of cybersecurity and safety.