CAV industry calls for cyber security framework for connected cars
10 July 2017 |
An Insurance and Legal Report released by insurance company AXA and law firm Burges Salmon has warned that connected cars in the UK will require new cyber security and data protection frameworks.
AXA has urged the government to lay down a framework on how data generated by connected cars will be protected and who will have access to it.
The Insurance and Legal Report was prepared by AXA and Burges Salmon on behalf of the FLOURISH Consortium which is overseeing the implementation of Connected and Automated Vehicles in the UK. Through this report, Axa has highlighted concerns of the industry in terms of how sensitive data will be treated, where will it be stored and who all will have access to it.
Considering that Connected and Automated Vehicles will generate enormous amounts of data once they are on the streets, the government will have to lay down a new cyber security framework to guard against concerns like denial of service attacks, data theft from cloud databases, network outage, technological malfunctions, interceptions and highjackings and information leakage, the report said.
'CAVs will generate enormous amounts of data with different and often multiple purposes. As CAVs evolve and become a reality on our roads, standards will need to be created which define the minimum security requirements embedded in the vehicle’s hardware, and what the boundaries are for software and connectivity.
'The success of CAVs will also be dependent upon a consistent framework for cyber that is able to monitor and assess the effectiveness of security measures implemented. This will contribute to informing the position adopted by insurers and legislators in identifying the risks and the ways in which to mitigate them,' it added.
According to David Williams, Technical Director at AXA, Connected and Automated Vehicles will turn out to be beneficial for the society only if motor manufacturers, infrastructure providers, and transport network operators can come together to 'standardise and allow access to crucial data'. If this happens, then insurance and emergency services will also be able to help out if accidents ever occur.
The report also stressed on how the automated vehicle industry will have to align itself with the GDPR which will come into effect in less than a year from now. Considering that the GDPR will mandate equal liability for data processors, data controllers as well as those who handle data on behalf of data controllers, it has urged all key stakeholders in the industry to 'enter into carefully structured agreements identifying the distinct roles, responsibilities, and accountabilities of each party to comply with GDPR.
At the same time, the report has called upon the government to 'legislate to ensure that the development of CAV technologies is appropriately supported and that any unequal balances of power do not result in unfair agreements limiting access to data or gridlock in reaching arrangements'. This recommendation is in light of the fact that GDPR was not framed with the CAV ecosystem in mind.
Through this report, the FLOURISH Consortium has also requested the ICO as well as the government to clarify on certain teething issues concerning automated cars. It has requested the ICO to clarify if data generated by connected cars will fall into 'data processes for public health purposes' or into 'archiving purposes in scientific research.'
At the same time, the government has been asked to confirm its position on regulatory access to encrypted data so that CAV players are informed in advance in case security services or regulators need to access any data for various purposes.