Companies around the U.S. have piloted the use of autonomous vehicles (AVs) in their supply chains and operations. Although fully autonomous vehicles are still relatively rare, supervised semi-autonomous vehicles are being developed and tested on the road, according to new guidance from the Cybersecurity and Infrastructure Security Agency (CISA).
As organizations integrate artificial intelligence and wireless security systems into AVs, CISA has released guidance to mitigate the cyber and physical risks posed by smart vehicles. CISA highlighted the following potential risks to enterprises and their assets created by AVs:
- Access control: A malicious actor gains unauthorized access to a network, potentially via a control room, and introduces malware via USB
- Insider threat: A malicious actor works with insiders at a third-party supplier to modify data-processing motherboards
- Cyberattack: A cybercriminal creates privileged access credentials to mark AVs as stolen via their anti-theft system, rendering AVs potentially inaccessible
- Tampering with the environment: A malicious actor uses reflective strips or paint to alter identifiers such as stop signs on the AV's route, misdirecting the vehicle
These risks and more pose threats to AVs and the supply chains that rely on them. With these risks in mind, CISA released guidelines for organizations that develop and/or use AVs in their operations:
- Develop and implement employee training and exercises to ensure on-the-ground personnel are aware of interconnected cyber-physical risks
- Ensure physical access points to networks and systems are secure
- Conduct vulnerability assessments
- Report vulnerabilities and cyber-physical incidents
- Adopt and implement system security guidance, best practices, and design principles
- Implement recommended vehicle software updates regularly
- Avoid connecting non-manufacturer, unsecured, or unknown devices to vehicle systems
- Design, develop, and implement cybersecurity standards for connected vehicles and associated components
Find a full list of CISA's identified threats to AVs and its guidance on how to mitigate AV risk to enterprises here.