The emergence of autonomous vehicles (AVs) in Canada will present a number of cybersecurity challenges and risks. AV manufacturers will need to consider these risks and address them early in the design and development process of their products. In this post, we discuss some of the key cybersecurity risks associated with AVs, strategies to mitigate them, and potential liability stemming from cyberattacks. For more information on AV technology and the current legal framework in place in Canada for AV testing, see our earlier post here.
As vehicles become increasingly automated and connected to their external environment, and collect greater amounts of information, both their risk of being targeted by a cyberattack and the potential for harm are likely to increase.
AVs are capable of collecting a vast amount of data, including information about the vehicle’s surroundings (using sensor systems such as cameras and LIDAR), and personal information about the passengers (such as biometric data or information from a synced smart device). AVs are also equipped with technologies to enable communication with other systems (e.g., cellular or Wi-Fi) that collect various types of information. The data collected by an AV may be transmitted to third-party systems for storage or processing (e.g., a cloud service provider).
Although the enhanced connectivity of AVs provides many benefits to their users, it also introduces new points of entry for cyberattackers to exploit. There is a real risk that a cyberattacker could gain access to an AV system, retrieve or compromise the information the AV collects, and expose connected third-party systems. Conversely, there is a risk that a cyberattacker could penetrate a connected third-party system and gain access to the AV’s system as a result.
AVs also include electronic control units that control the vehicle’s systems during operation (e.g., brakes and steering). This introduces a risk of physical harm to passengers, since a cyberattacker could gain control and interfere with the vehicle’s operation. These safety risks are heightened since passengers typically trust that AVs will operate correctly and hesitate to intervene during operation.
In view of these serious risks, it is critical that AV manufacturers prioritize cybersecurity throughout all stages of the vehicle lifecycle.
In 2020, Transport Canada released Canada’s Vehicle Cyber Security Guidance (Guidance), which sets out technology-neutral guiding principles to strengthen vehicle cybersecurity in Canada and is intended to address the cybersecurity challenges associated with connected and automated vehicles.
The principles within the Guidance encourage organizations that manufacture, supply, or maintain systems, software and services for motor vehicles to: (1) identify how they will manage cybersecurity risks; (2) protect the vehicle ecosystem with appropriate safeguards; (3) detect, monitor, and respond to cybersecurity events; and (4) recover from cybersecurity events safely and quickly. Some highlights that businesses developing AV technology should consider include:
- Businesses are expected to develop formal governance frameworks to identify roles and responsibilities for managing and addressing cybersecurity risk throughout the vehicle lifecycle.
- Businesses are also expected to develop a risk management framework for identifying, assessing and responding to risks throughout the product lifecycle, including conducting regular cybersecurity threat and risk assessments. This process should also address risks introduced by suppliers, sub-contractors, and/or third-party vendors.
- Data stored both on- and off-board the vehicle’s systems should be protected using appropriate cryptographic techniques commensurate with the assessed degree of sensitivity.
- External service providers that require access to the vehicle’s systems should be identified, authenticated and authorized using a pre-defined process (which should incorporate the concept of least privilege for granting access to sensitive information and technical assets). Third-party systems should be isolated from the vehicle’s internal systems and only be granted limited access as required. Organizations should conduct necessary diligence to ensure these external service providers have robust cybersecurity programs in place.
Many questions arise about the attribution of liability when a cyberattack causes an AV to malfunction. If the cyberattacker’s identity is known, they will bear primary legal responsibility, although attributing the attack and locating them can be difficult (if not impossible). When the identity is unknown, however, liability could be shared by multiple parties, including the AV manufacturer and the AV user. In these situations, the apportionment of liability may depend at least in part on assessing who was in control of the vehicle at the time of the incident.
Current policies prescribed in provincial laws are built on the notion that human error is the primary cause of motor vehicle collisions. This premise will likely be challenged as drivers begin relying on automated technology to operate vehicles, as it is reasonably foreseeable that a collision could be caused in whole or in part by vehicle malfunction (whether or not due to a cyberattack). In a future post in this series, we will take a closer look at AVs and product liability.