NAFA discusses fleet hacking risks, recommendations

Quimby Mug Bayou Florida Headshot
Updated Oct 7, 2016

The picture said it all: 14 potential access points for hackers to enter a vehicle’s computer system.

While advances in technology promise to make fleet management more efficient, the National Association of Fleet Administrators (NAFA) remains focused on the security risks.

And it’s not just NAFA that’s concerned. Patrick O’Connor, NAFA’s U.S. legislative counsel and president of Kent & O’Connor, pointed out in a cyber security webinar this week that the National Highway Traffic Safety Administration and the U.S. Department of Homeland Security are also taking a closer look at vehicle security, particularly as automakers continue to develop more autonomous features.

“A connected vehicle is a step forward to the autonomous vehicle,” O’Connor said. “What we have today, people want more of tomorrow.”

That includes high-tech, fast connectivity through Bluetooth, which, unfortunately, poses such a security risk that the Chesterfield County Fleet Management Division in Virginia took the step of eliminating the regular use of the technology.

“Currently, we do not allow Bluetooth on any of our equipment,” Jeff Jeter, NAFA’s vice-president and fleet manager of Chesterfield County, explained during Wednesday’s webinar.

“We’ve got major concerns that folks will be hacking into the county mainframe,” he added, “and this even goes for my maintenance software which has Bluetooth capabilities. We have to meet with their manufacturers, talk with them and see what type of security blocks are in there.”

A NAFA webinar from Wednesday displayed a vehicle with access points vulnerable to hacking. 

OBD-II port security was also a topic of discussion. In place in vehicles since 1996, OBD-II ports are the gateway to a vehicle’s computer system, providing vital links ranging from control of certain vehicle systems to performance data and diagnostics.

A slide displayed during the webinar featured an excerpt from a recent letter to NHTSA from the U.S. House Energy & Commerce Committee asking the agency “to develop a plan of action for addressing the risk posed by the existence of the OBD-II port in the modern vehicle ecosystem.”

O’Connor said that while the House E&C Committee is concerned with OBD-II technology, auto manufacturers have “no plans to eliminate the OBD-II port as of yet,” and that “by federal law they cannot (eliminate OBD-II ports).”

Jeter remarked that, “Without the OBD-II, we would be stranded.”

Robert Martinez, NAFA’s U.S. Government representative and deputy commissioner of the New York Police Department, pointed out that OBD-II port access is vital to law enforcement vehicle management.

“Our current fuel system utilizes the OBD-II and we’re looking at other fuel systems and they all seem to use OBD-II,” Martinez said. “Everybody that has an in-house fuel program are going to more than likely have to utilize the OBD-II.”

Martinez said OBD-II port access allows for downloading vehicle events, such as air bag deployment in the event of an accident.

The State of New York also uses OBD-II ports during emissions inspections.

“You bring your car to an inspection station and they plug into the inspection machine,” Martinez explained. “They don’t even have to run it on the dyno. They just plug it into the OBD-II and it gives them the report back so they can see if all the emissions and everything is working right. New York state as a whole would have a problem if there wasn’t access to OBD-II.”

NAFA, according to O’Connor, has contacted both NHTSA and congressional leaders asking that it be included in developing the plan for addressing OBD-II risks.

Access to vehicle data was another concern raised in the one-hour meeting. Courts can request to acquire vehicle information for various reasons, including cases involving divorce. In that scenario, GPS data could be used to determine the history of the vehicle’s location.

Jeter explained that as a public fleet, any information gathered by Chesterfield County vehicles is subject to the Freedom of Information Act.

Security threats to vehicle technology are big enough that the FBI and NHTSA issued a warning in March 2016 to the public and auto industry manufacturers “to maintain awareness of potential issues and cybersecurity threats related to connected vehicle technologies in modern vehicles.”

The Department of Homeland Security is keeping a close eye on the transition of federal fleet vehicles to telematics. A White House executive order requires the federal fleet to transition to telematics by Jan. 1, 2017.

NAFA has formed a Cyber Task Force and will be issuing a white paper soon offering guidance to fleet managers and legislators regarding vehicle hacking concerns.

NAFA has crafted several recommendations, including the following:

  • NAFA will collaborate with the Automotive Information Sharing and Analysis Center to establish communication protocols for the exchange of information related to cyber incidents.
  • The privacy policy should specify the types of information that will be collected, how such information will be used and stored, and under what circumstances the information can be retrieved.
  • Fleet management requires continued access to the OBD-II port.