Securing Autonomous Vehicles: Insights from Charlie Miller and the Industrial Internet Consortium

Wired’s recent piece on Charlie Miller—famously the hacker who remotely commandeered a Jeep—argues that only open dialogue among companies can build secure autonomous cars. That view oversimplifies the competitive reality of a revitalized automotive sector, yet it misses a crucial point: security is a cross‑industry challenge, not one confined to automotive.

The Industrial Internet Consortium (IIC) already brings together 250+ firms—including Bosch, Denso, and TTTech—to tackle the same balance of security, safety, performance, and cost that car makers face. The IIC’s open reference architecture, free for all, offers a practical roadmap from business goals to implementation. The Industrial Internet Connectivity Framework (IICF) and Industrial Internet Security Framework (IISF) extend this foundation, providing targeted guidance for protecting connectivity endpoints and the data that flows between them.

Let’s explore how a data‑centric approach can shield a connected car from attacks like Miller’s Jeep hack. The exploit began with a backdoor in a Harmon Kardon head unit, allowing unprotected remote commands that reprogrammed a CAN‑Bus‑connected chip and granted near‑full control. Removing that interface is only the first step; securing the entire stack is essential.

Miller would likely have continued searching for vulnerabilities. A robust defense begins with an authenticated application layer: secure boot, ARM TrustZone, and signed application binaries. This builds a trusted stack that can be illustrated as follows.

Many of these trusted components interface directly with the CAN Bus, exposing the vehicle’s control system to unauthorized reads and writes. In autonomous taxis, physical access by malicious actors becomes a realistic threat, underscoring the need for data authenticity and granular access control.

While replacing the CAN Bus entirely is not a realistic short‑term goal, the Industrial Internet Security Framework recommends a Data Distribution Service (DDS) overlay. DDS introduces a layered architecture that isolates legacy systems while allowing new components to communicate securely.

DDS enables peer‑to‑peer communication where participants authenticate each other and share only the data they need. Security can be tailored—TLS‑style encryption for critical topics, selective authentication, and fine‑grained access control—without the performance overhead of a central broker.

Back to the IICF: it maps open standards to system functions, and its recommendations for industrial IoT systems naturally extend to autonomous vehicles. The Object Management Group’s DDS specifications provide exactly that data‑centric, publish/subscribe model.

With DDS Security, architects can plug in security modules that balance performance and protection: authenticate only the topics that matter, encrypt sensitive data, and enforce distributed access control. This approach prevents unauthorized publishers—like Miller’s rogue application—from sending steering or braking commands, and it allows subscribers to reject tampered messages based on cryptographic signatures.

In short, while Miller’s demonstration was alarming, it also highlights that a collaborative, cross‑industry approach—rooted in the IIC’s frameworks and DDS security—provides the flexibility needed to secure future autonomous systems. We invite industry leaders, including Charlie Miller and Chris Valasek, to join us at RTI for deeper discussions on autonomy, industrial IoT, safety, and security.