Organizations in the automotive industry are no strangers to demands and mandates regarding car and passenger safety, so addressing the issue of cybersecurity of computerized, connected vehicles should, in theory, not be a huge problem.
Despite thieves regularly finding ways to boost cars by exploiting vulnerabilities in modern keyless locking systems and researchers demonstrating how attackers could fiddle with car settings, the infotainment system, the brake system, the steering system, and so on, we have yet to witness actual safety attacks that resulted in hackers disabling brakes or turning the steering wheel.
One of the reasons must surely be that cybercriminals are generally after money and not that interested in harming people for the fun of it, but perhaps another is that it’s currently very difficult to prove that attacks like these happened.
“If an incident happens, there is currently no entity that will investigate such a possibility. Even more so, in most cars there are no measures monitoring for such incidents. So if you try and succeed, no one will even know, not to mention launch an investigation,” notes Nathaniel Meron, Chief Product and Marketing Officer at C2A Security, a provider of automotive cybersecurity solutions.
And, though the IT networks of original equipment manufacturers (OEMs) have already been breached by ransomware gangs, vehicle owners are lucky that those criminals have not yet switched to in-vehicle network attacks to “brick” cars and demand money.
If and when that happens, and depending on the scale of the attacks, Meron reckons that they could even bankrupt an OEM.
But while it’s difficult to say when this “grace period” might end, OEMs should accept as fact that one day it surely will, and they should use this time to work on defenses.
Vehicle cybersecurity management
The automotive industry encompasses a wide range of companies and organizations whose ultimate goal is to manufacture and sell motor vehicles.
OEMs – known brands like BMW, GM, Ford and others – plan and design the vehicles and then source different parts and systems from different suppliers. Tier-1 suppliers specialize in different niches: for example, Valeo and Bosch are well known for their advanced driver-assistance systems (ADAS), while Lear is known for its seats and connectivity.
Computers in cars are not a new development, but they are controlling more and more of what is happening with them and inside them. Vehicle control is now, for example, completely computerized, and attackers could take over the level 2 ADAS systems and consequently gain full control over a vehicle’s safety-related functionalities.
“Today’s sophisticated connected vehicle architecture is inherently more vulnerable to cyber attacks. Connected vehicles can host up to 150 electronic control units and run on 100 million lines of code; tomorrow’s vehicles may contain up to 300 million lines of software code. Cyber attacks that exploit the increasing digitization of vehicles present a significant risk to manufacturers, vehicle owners, other drivers and pedestrians,” Meron noted.
“Each OEM tries to come up with their own defense strategy, using the variety of tools available in the market to protect from different attack vectors. Eventually they all need to manage cybersecurity of the vehicle throughout its lifecycle, from the very first day the design process commences, through production and maintenance of the vehicle, until decommissioning.”
Visibility is crucial for cybersecurity management, which needs to be agile, efficient and anticipate future threats.
“Understanding the supply chain of a vehicle is essential to understanding how to monitor and protect it. Before professional cybersecurity teams can protect their products, they must have full oversight of the inner workings of a vehicle. Providing 360-degree oversight of the operation of security control to OEMs makes relevant information easily accessible and therefore manageable,” he pointed out.
“For OEMs, this is the main obstacle to overcome. When considering the number of vehicle models and topologies, complex supply chains, increasing connectivity and over-the-air updates, among other areas of consideration once the vehicle is on the road, visibility provides important means of constant and systematic analysis, allowing for strong security posture. Once they gain visibility into their vehicles’ cybersecurity lifecycles, OEMs can perform risk assessments and analyze potential threats, plan their desired security policy and enforce the chosen policy across the board to gain full ownership.”
Standards and regulations
Meron’s opinion of the cybersecurity of modern vehicles is poor and he advises potential buyers to wait until OEMs apply decent security measures and prove that to the market.
Needs must, though, so that may not be an option for many.
He hopes that we’ll soon see the NCAP equivalent for security to assure consumers that their vehicles are secure and safe.
In the meantime, the first cut of automotive cybersecurity standards and regulations is here (or almost): two new UNECE WP.29 automotive cybersecurity regulations and the new ISO 21434 standard, which set out the binding requirements for implementing cybersecurity management systems for the protection of vehicles.
“Together with additional standards expected in the future, such as the Cybersecurity Act in the EU, the Chinese ICV program, new guidelines from JASPAR in Japan and legislative proposals in the US Congress, these are vivid examples of the industry-wide collaborative efforts to create a basis for automotive cybersecurity. Now, OEMs need to independently find their practical way of tackling the challenge of cybersecurity lifecycle management while adhering to these standards,” Meron concluded.