Security risks are at the forefront of connected vehicle discussions.

“Connected vehicle.” It sounds so nice. But for fleet managers especially, the newest in communications technologies can pose a security threat that brings all-new, 21st-century stresses of their own.
Making vehicles highly automated with an unprecedented array of features and capabilities “broadens the attack surfaces that can be exploited,” said Patrick O’Connor, NAFA Fleet Management Association’s US legislative counsel and president of Kent & O’Connor during a recent NAFA-hosted webinar.
Access points can include Smartphones, OBD-II ports, USB ports, Bluetooth, passive keyless entry, remote keys, vehicle access system and airbag engine control units (ECUs) and ADAS (advanced driver assistance systems) ECUs, encompassing telematics (which enable remote control, remote diagnostics etc.), driver support (such as navigation, augmented vision and collision avoidance), automation (such as dynamic EV charging and computer control of engine brakes), and content (voice, data, info and entertainment).
“Items once considered options only available on luxury models are becoming standard across model lines,” O’Connor said. “The trend of ever-expanding electronic functionality accelerates the complexity and dependence on embedded controllers.”
Privacy concerns
Among concerns—including hacking, data collection and storage, liability, and criminal use—perhaps of primary concern to fleet managers is privacy. A fleet driver responsible for the operation of a company asset has different expectations of privacy than a consumer, which O’Connor said means managers should be recommending to their employers that a policy be developed about the collection and use of driver behaviour data—how it will be used, stored, and when and why it will be retrieved—that should be fully transparent to drivers. “If personal use is permitted, the privacy policy needs to wrestle with how to distinguish business and personal use,” he added.
“If I’m collecting the data, I may have to provide it [to courts],” says Jeff Jeter, NAFA’s VP and fleet manager for Chesterfield Country, Va. “If we know drivers were doing excessive speed, and we don’t do anything about it, we’re liable.”
Transparency is a must
“Transparency is key,” said Oleg Cytowicz, NAFA’s board of delegates’ vice-chair and a senior analyst in fleet ops at Unilever. “If you’re going to keep records and use the information to judge and/or determine an individual’s behaviour [you need to] advise employees you will retain driver tendency information that could affect their employment. No acknowledgement could leave your organization at risk.” He adds that transparency must be established up front, before data collection begins.
NAFA is eager to collaborate with manufacturers and stakeholders on alternatives to the OBD-II port; as O’Connor points out, it became mandatory at a time when the Internet was in its infancy, and as it has advanced, so has the technology to override it. The panel stressed that alternatives must provide the same access to data that lets fleet managers have unrestricted access to vehicle ECUs. “Without OBD-II, we would be stranded,” Jeter said.
While the owner of a vehicle is the rightful owner of collected data, OEMs need access to information for warranty and safety purposes, something that again should be addressed with transparency. Data ownership should be a part of contemporary lease agreements, and owners should opt-in before data is transmitted or collected by OEMs. Any list of exceptions shouldn’t be in the fine print—it must be explicit. Even if data isn’t collected by fleet managers, vehicles that have the capability can present risks.