Cybersecurity & the Automotive Industry

The automotive industry faces a unique set of cybersecurity challenges. With the advent of smart cars and autonomous vehicles equipped with computers, automotive manufacturers also have to protect their vehicles from being hacked. That is in addition to the usual cybersecurity considerations like data, IT infrastructure, and employees.

Modern (non-autonomous) vehicles can contain up to fifty different computers. Even older cars rely on computers to handle everything from GPS navigation systems to the engine, brakes, and even steering, making vehicular cybersecurity an urgent essential for the industry. 

If a vehicle and its systems are not properly protected, attackers can take control of the vehicle and steal the data the vehicle gathers on its owner and where they travel. It’s terrifying when you think about it - attackers have been known to remotely take control of a vehicle and run commands which force it to stop while being driven. 

Vehicular Cyberattacks Double

According to recent research, there has been a huge increase in cyberattacks against vehicles over the last decade. Automotive technology has evolved with features like machine-controlled speed regulation, parking, and driving, further compounding the risks.   

Between 2018 and 2019 alone there was a 99% increase in attacks on vehicles, including short-range and long-range remote attacks. Another study that surveyed vehicle manufacturers discovered that approximately 62% think it is very likely that they will become victims of a malicious cyberattack on their vehicular components or software over the next year. 

Even more worrying was the fact that approximately 30% of them admitted to having no cybersecurity team or program in place. They were making IoT components with no concern for securing those components.

The survey demonstrates that the automotive industry and their cybersecurity measures are not keeping pace with the constant evolution of their technology. Therefore, smart cars and autonomous vehicles are suffering from many cybersecurity issues.

The Wider Threat

As the vehicles we drive become more interconnected, autonomous, and smarter, the more they rely on software code to operate almost every aspect of the vehicle. In the automotive industry, the lines between software and vehicles are blurring rapidly and cybersecurity needs to form part of the foundation of this moving forward. 

While it’s obvious that the automotive industry needs to resolve its security issues quickly, the problem is not yet as serious as it could be in the future. 

Hackers can likely take over the 4G-connected entertainment system in your car and control some aspects of your vehicle, but they probably cannot use that same vulnerability to exploit thousands of vehicles simultaneously. The current concern is more focused on hackers extracting data or infecting vehicles with malware - something we haven’t seen yet. But imagine a hacker infecting thousands of vehicles with ransomware and having to pay a Bitcoin ransom to use your car again. 

When you consider the countless ransomware attacks on businesses over the last few years, it's not difficult to imagine such a scenario.

It is also worth considering that, as we move toward a world of autonomous vehicles, artificial intelligence is coming into play. This will rely on either powerful computers in the vehicles themselves or harness the power of local computing remotely to drive their systems. There will be a high degree of interconnectedness, with a rapidly growing transportation ecosystem of vehicles that communicate with traffic lights, other vehicles, and centralized control hubs. 

We can already see an echo of this in Los Angeles, where they launched a new transportation data-sharing platform and took control of their mobility data. This platform will eventually form the foundation of the LA ‘smart city’ project and become woven into the digital transformation of its transportation networks. 

It does seem like LA understands the cybersecurity implications of this. Their CIO has stated that a vehicle can become an entry point for malicious attackers if it is not properly secured and that urban transportation infrastructure can become a huge liability if it is hacked.

Their concern (and the concern of any other smart city) is that malicious hacking could enable organized cybercriminals to gain access to data, payment accounts, transportation guidance systems, and individual control over vehicles, putting the safety of pedestrians and passengers at risk. 

All of this makes the automotive industry’s collective cybersecurity practices, as well as their supply chain manufacturers, a growing concern. It is a concern that is driving cybersecurity to the top of their agendas as the industry evolves and increasingly integrates third-party software, components, communications, applications, and protocols. 

How Can the Automotive Industry Improve Cybersecurity?

You can boil automotive cybersecurity down to three essential elements, which gives us a simple way to think about improving the cybersecurity of vehicles and transportation systems.

1. Threat Detection & Incident Response - This means identifying threats, responding to them, and reporting them, ideally in real-time before they become a problem.

2. Access Control - Access control is working out secure practices for who can do what on which systems and tightly controlling access to them with strong authentication.

3. Preventing External Attacks - To prevent unauthorized access to control systems, preventing malware from gaining a foothold, and encrypting communications.

 Thinking about automotive cybersecurity in this way gives the automotive industry a handy framework. Their multi-layer approach to cybersecurity needs to include mechanisms to facilitate access control and authentication, secure communications and system updates, and embed threat detection and prevention systems when securing vehicle operating systems.

Many different cybersecurity solutions need to be built into autonomous and connected vehicles to ensure their security. As with any system, vehicle system security is all about multiple layers of protection, with each layer supporting the other to ensure robust security.

Effective cybersecurity needs to:

Encrypt All Data - Protecting the privacy of the owner and their data.Protect Communications - Ensuring internal and external communications are encrypted.Embed Security - Integrated firewalls and malware detection can help secure vehicles.Authenticate Access - The vehicle needs to know who is trying to access its computer. 

All of this is a huge challenge for a rapidly-growing smart and autonomous car industry. However, it’s one they need to address over the long term if they are to prosper and ensure the safety (and privacy) of their customers, passengers, and pedestrians.

Automotive Industry Best Practices

For those interested in learning more about automotive industry best practices, here is a list of fantastic resources for further reading.

Guidebook For Cyber/Physical Vehicle Systems - This guidebook provides a cybersecurity framework that you can use to develop internal security processes for your organization when designing and building security into vehicular systems.

NIST Cybersecurity Best Practices - The National Institute of Standards and Technology provides some free resources covering a wide range of different cybersecurity practices and knowledge. Well worth reading for those at the beginning of their cybersecurity journey.

Automotive Security Resources - Published by Synopsys, this automotive security research page can help you develop your cybersecurity initiatives and meet reliability, safety, security, and compliance requirements for automotive software. Also worth looking into is the BSIMM model (Building Security in Maturity Model) which can further enhance initiatives.

Auto ISAC - The Automotive Information Sharing & Analysis Center is a great place to network with automotive information security professionals and pick up valuable intelligence about emerging automotive cybersecurity threats to autonomous and connected vehicles. It is also a solid starting point to begin enhancing an organization’s automotive security.

Contact Digital Hands

Digital Hands employs a deeply experienced team of cybersecurity practitioners who can help your business get to grips with your cybersecurity risk exposure. We can help you implement controls, detection, and prevention systems to help you protect your organization, manufacturing systems and digital assets from cyber threats.

If you need a competent security services provider to ensure that you are making the right moves with security, get in touch with Digital Hands today via email (info@digitalhands.com) or by calling us at 855-511-5114.

About Digital Hands:  Recently ranked as one of the Top MSSPs in 2020, Digital Hands is a trusted global cybersecurity leader continuously taking action to protect our customers’ most valuable assets against relentless threats.

Digital Hands is proud to offer extensive security expertise and advanced monitoring and reporting capabilities. Our robust set of innovative cybersecurity services and solutions ensures your organization, customers and employees are defended against cybersecurity attacks and data breaches round the clock.    

We are proactive in our response orchestration that includes in-depth analysis and business context. Digital Hands enables our customers to harden their security posture, outmatch bad actors and benefit from our complementary white glove service and excellence in delivery. Our industry – leading customer retention rate and Net Promoter Score of 94 reflects how we go above and beyond every day for our customers.

References:

Ponemon. 2018. Securing the Modern Vehicle: A Study of the Automotive Industry Cybersecurity Practices.