A trade group representing makers of drones, cars, planes, boats and other unmanned vehicles is teaming up with a cybersecurity firm to develop voluntary safety standards for the autonomous vehicle market.
Today, representatives from the Association for Unmanned Vehicle Systems International (AUVSI) and Fortress Security announced that they are forming a working group that will develop the standards over the next year.
In an interview, Tobias Whitney, Vice President of Strategy and Policy at Fortress Security, and Michael Robbins, AUVSI Executive Vice President for Government and Public Affairs, said the framework would be built around five major use cases. These cases include the scope of internal controls and effective cyber hygiene for autonomous vehicle vendors; map product security to transparency and security standards, such as software and hardware bills of materials; apply effective encryption and authentication tools around remote operations and connectivity; review third-party and fourth-party suppliers in the supply chain; and create clearer lines between technologies with military and commercial applications.
Whitney said the task force will target companies with “skin in the game” who work in the autonomous vehicle industry, as well as those who “understand their markets, understand their customers but also understand [security]they can understand the implications of a security exploit that affects the operations of their technology.
He also acknowledged upfront that the framework is an attempt by industry to coalesce around voluntary standards before governments decide to regulate, with Whitney saying this was done to “get ahead of something that might be mandatory”. He pointed to industries such as the electricity, oil and gas sectors that were not proactive enough to put their own cybersecurity rules in place, for the government to do it for them during very serious incidents. (the 2003 Northeast blackouts and the Colonial Pipeline ransomware attack) created public pressure for regulation.
With concerns about the safety and reliability of self-driving cars and other vehicles on the minds of many Americans, a similar incident in self-driving vehicles could expose vendors to tougher rules.
“We don’t want to be in a situation where we don’t have informed people in the room who understand the risks…the last thing you want to be in is a situation where something potentially happens, a certain type of security risk does materialize and there is a potential knee-jerk reaction and standards or mandates that may or may not reflect some of the best practices within the industry.
Fortress Security maintains a database matching ICS products to various security standards and has in the past partnered with American Electric Power and other energy industry entities to develop programs and resources information sharing for suppliers in the energy sector.
Robbins said past experience with other industries was key to their decision to partner with Fortress on their project and the task force has a dozen confirmed AUVSI member companies as participants. He declined to name them at this time, but said they were committed to making the membership public at some point.
“As unmanned systems develop their technology and are continually integrated into society, whether it’s self-driving trucks on highways or drones performing critical infrastructure inspections or sidewalk robot deliveries… we believe we have an existential risk to the industry by not proactively addressing cybersecurity,” Robbin said.