Insuring the Cyber Risks of Connected and Autonomous Vehicles

Authored by AXA UK Managing Director of Underwriting & Technical Services David Williams

All modern vehicles now include driving assistance, control units, sensors and ubiquitous internet connections. However, the future needs to be anticipated now, and it is a future of fully autonomous vehicles, connected to each other, to road services and to infrastructure.

This article is part of the AXA Research Fund's upcoming report, Building Cyber Resilience: Threats, Enablers and Anticipation. The full contents of the report will be available in November.

All modern vehicles now include driving assistance, control units, sensors and ubiquitous internet connections. However, the future needs to be anticipated now, and it is a future of fully autonomous vehicles, connected to each other, to road services and to infrastructure.

As vehicles become more connected to their external environment, the vulnerabilities and opportunities of attacks increase dramatically, including for example threats on engine controls, tyre pressure monitoring systems or wireless key fobs. For example, in 2015, a remote attack was carried out against a Jeep Cherokee through its connected entertainment channel and resulted in physical control of the braking system, amongst other elements.

The insurance industry is working hard to understand the new class of cyber risks brought by autonomous and connected vehicles. It is a big challenge, as insurance companies traditionally rely on data to price their products and provide services to their customers. Most of the data is historical data based on the performance of millions of previous policies and customers, which enables us to accurately predict overall outcomes. Today in the vehicle insurance sector, all this data comes from the operation of manual vehicles with little or no connectivity. To embrace autonomous vehicles, we need to change strategy and model the risks based on scientific understanding and modelling, rather than on data from past experience.

We need to understand how vehicles will connect and interact, as this is the entryway for any attacker, and to detail what autonomous systems and technology will be deployed, as this helps to understand the hazards incurred. For example, hacking of an automated brake system will affect not only the passengers but also very possibly, the other users of the road, whereas a dysfunctioning navigation system might drive you safely at least... but to an unwanted destination.

However, due to the volume of control modules and microprocessors, new vehicles can have around 100 million lines of code across 50 engine control units or more. In practice, there is a high probability that we ignore vulnerabilities as detailed code reviews and security evaluations are infeasible. These vulnerabilities can compromise one of the vehicle control mechanisms. For example, an attack could target the vehicle’s sensor network, falsify the sensor data, or exploit control modules directly. To properly assess the vulnerabilities and manage or insure the pertaining cyber risks, we need to understand the functionality of each of the individual components, the vehicle design and the interaction between components.

Future intelligent vehicles will be increasingly connected to the internet, accept over-the-air updates, become Wi-Fi hotspots, and communicate with other internet-enabled devices such as vehicles or infrastructure. This means that the most severe security threats are still to emerge.

In addition, vehicles are also the entry point into many other vehicles and the wider infrastructure. This means that a hacker gaining physical or remote access to a vehicle can use it as a gateway to cause wider disruption. Given this possibility of physical access, simply removing internet or remote access to vehicles does not remove the risk entirely if vehicles can still connect to each other. Therefore, key security methods to protect connected and autonomous vehicles against cyber-attacks will likely be a coalition of cryptography, statistical anomaly detection systems, and software integrity solutions.

With much of this technology still being in the test phase, insurers have struggled to obtain data to run their usual risk-and-pricing models. To fill this gap, insurers now seek to embed themselves in the development work in order to gain a greater understanding of the subject. For example, the Association of British insurers has set up the ‘Autonomous Driving Insurance Group’ which liaises with motor manufacturers, to obtain information on new technology and to run track tests. The data and information we obtain from involvement in these areas will enable us to build analytical models, helped by AI and machine learning. This should prepare us for when these vehicles become more widely available. Connected and autonomous vehicles are a global phenomenon and sharing across borders will help to enrich this process, for example using resources like the National Vulnerability Database in the US. Practical experience can be gained at facilities such as the Thatcham Motor Vehicle Research Institute in the UK and the AXA Crash Test Centre in Switzerland.

Finally, despite a very important technological focus, many experts believe that the weakest link in terms of cyber-attacks on connected and autonomous vehicles remains the human element. User behaviours are key to issues ranging from not operating systems properly, being influenced by external communications, tampering with equipment or just not quickly installing security software updates. Awareness of user behaviours and a more balanced focus between studying the cutting-edge technologies themselves and how we interact with these technologies is necessary to ensure autonomous and connected vehicle insurability.