The Department of Homeland Security (DHS) Science and Technology Directorate (S&T) is working to protect the Federal government’s fleet of connected vehicles from cyber threats.
Executive Order 13693: Planning for Sustainability in the Next Decade, issued in March 2015, requires Federal agencies to equip their vehicles with telematics systems by March 2017. Telematics systems collect data on fuel consumption, maintenance, location, and speed. Agencies can use these systems to determine if cars need repair or if employees are misusing their government-issued vehicles. S&T’s task is to secure these vehicles from cyber enemy threats.
Daniel Massey, program manager for S&T’s Cyber Security Division, said that he and his team’s chief cybersecurity focuses are managing the new data these cars collect and supporting back-end databases. While he said there is “tremendous potential” for identifying improper use of Federal vehicles, there is also a greater need to keep this information safe from cyber foes. While Massey said that a group of security researchers demonstrated that they could hack into a Jeep Cherokee on the highway and control the lights and steering, he stated that no such attack has ever occurred. He said that a more credible threat is information falling into the wrong hands.
“Everything is becoming more and more connected. Your car or fridge is now an online device, like your computer or cellphone,” Massey said. “That creates opportunities for similar risks to a computer or cellphone.”
Federal agencies are still in the process of installing telematics systems into their cars. Massey said that the process is relatively easy because the systems can be plugged into cars through the On-board Diagnostic II port, which is located underneath the steering wheel. He said that government cars are not the first to be furnished with these systems, and that many insurance companies use similar dongles to monitor how their clients are driving. Agencies can install these systems through the General Services Administration (GSA) or through their own procurement processes.
“It’s not taking them back to the factory for a recall,” Massey said. “It’s not as onerous in terms of deployment.”