
UK publishes Laws of Robotics for self-driving cars

Privacy and security principles for connected and autonomous vehicles

The United Kingdom has published a set of “Key principles of vehicle cyber security for connected and automated vehicles” outlining how auto-makers need to behave if they want computerised cars to hit Blighty's byways and highways.

Penned by the UK's Department for Transport, with help from the Centre for the Protection of National Infrastructure, and launched by transport minister Lord Callanan, the principles suggest all participants in the auto industry's long supply chains must work together on security both in the design process and for years after vehicles hit the roads.

The eight principles follow:

  • Organisational security is owned, governed and promoted at board level;
  • Security risks are assessed and managed appropriately and proportionately, including those specific to the supply chain;
  • Organisations need product aftercare and incident response to ensure systems are secure over their lifetime;
  • All organisations, including sub-contractors, suppliers and potential 3rd parties, work together to enhance the security of the system;
  • Systems are designed using a defence-in-depth approach;
  • The security of all software is managed throughout its lifetime;
  • The storage and transmission of data is secure and can be controlled;
  • The system is designed to be resilient to attacks and respond appropriately when its defences or sensors fail.

Each principle has sub-principles and that's where the detail gets interesting. Principle 1.2, for example, suggests “Personal accountability is held at the board level for product and system security (physical, personnel and cyber) and delegated appropriately and clearly throughout the organisation.”

Principle 2.4 expects “Security risks specific to, and/or encompassing, supply chains, sub-contractors and service providers are identified and managed through design, specification and procurement practices.”

Principle 3.4 may raise eyebrows as it suggests “Organisations ensure their systems are able to support data forensics and the recovery of forensically robust, uniquely identifiable data. This may be used to identify the cause of any cyber, or other, incident.” The combination of “uniquely identifiable” and “other incident” isn't spelled out, but suggests all manner of avenues to investigate driver behaviour, although those efforts could founder on Principle 7.3's insistence that “Users are able to delete sensitive data held on systems and connected systems.”

There are some sound OpSec suggestions under Principle 5, with 5.3 calling for “Design controls to mediate transactions across trust boundaries, must be in place throughout the system. These include the least access principle, one-way data controls, full disk encryption and minimising shared data storage.” Principle 5.4 suggests “Remote and back-end systems, including cloud based servers, which might provide access to a system have appropriate levels of protection and monitoring in place to prevent unauthorised access.”

Principle 8.1 sets out how a car should respond to malicious hacking attempts, by stating “The system must be able to withstand receiving corrupt, invalid or malicious data or commands via its external and internal interfaces while remaining available for primary use. This includes sensor jamming or spoofing.”

To The Register's mind, the Principles are largely sound and could handily be applied to other Internet of Things devices.

Lord Callanan's announcement suggests the Principles will be included in future legislation governing self-driving cars on British tarmac. ®

 
