A new 2022 Ford Maverick vehicle is displayed at the 2021 LA Auto Show media day in Los Angeles, November 18, 2021.

Ford recall on a control system cyber issue

Nov. 15, 2024
Ford will have to pay up to $165 million for failing to comply with federal recall requirements

As stated in my Oct. 8, 2024 blog, 144,500 Ford Mavericks were recalled over concerns that the rearview camera display could show a frozen image while backing up. The recalled 2022-2024 model Maverick trucks have "connected touch radios," according to a Sept. 13 recall report submitted to the National Highway Traffic Safety Administration (NHTSA).

In the report, Ford said a frozen rearview camera display image could lead to a "false representation of where the vehicle is relative to its surroundings, increasing the risk of a crash." The automaker linked the potential issue to "improper memory handling" within the connected touch radio software resulting in delayed images being displayed.


On Nov. 14, 2024, NHTSA, the nation's governmental safety agency for cars and trucks, announced that Ford will have to pay up to $165 million for failing to comply with federal recall requirements. NHTSA said Ford failed to recall defective rearview cameras in a timely manner and also failed to provide accurate and complete recall information as required under federal law.

NHTSA agreed to a consent order with Ford, which includes a civil penalty of up to $165 million — the second-largest civil penalty issued in agency history after fines related to defective Takata airbags. The agency also required Ford to start a broad look back at all its vehicle recalls over the last three years to make sure the automaker covered the right number of affected cars and trucks and, if not, to expand the scope of recalls to include more vehicles.

The backup camera systems are control and monitoring systems used for driver needs. Consequently, the frozen back-up camera incidents were control system cyber incidents, as memory issues caused the loss of availability and integrity of the camera systems to provide correct displays of the current conditions. However, NHTSA did not identify these as being cyber incidents.

Even though these incidents were unintentional, somewhat akin to the CrowdStrike unintentional cyber incidents, the impact was similar to the Stuxnet man-in-the-middle attack used to mislead the operators by replaying “good” rather than actual real-time conditions of the centrifuges in Iran. These and other types of “subtle” control system cyber issues that do not involve internet protocol networks demonstrate that identifying control system incidents as being cyber-related is often not obvious.

About the Author

Joe Weiss | Cybersecurity Contributor

Joe Weiss P.E., CISM, is managing partner of Applied Control Solutions, LLC, in Cupertino, CA. Formerly of KEMA and EPRI, Joe is an international authority on cybersecurity.
