
Automotive Security Threats Are More Critical Than Ever

We’ve all marveled at the latest innovations from Tesla, the skill of Google’s self-driving cars, or, at the very least, enjoyed playing a podcast on our phone through our car’s speakers.

The automotive industry continues to innovate, bringing connectivity to vehicles in new ways from the cockpit to the engine. These new tools change the way people drive and view their cars. An automobile is no longer just transportation from point A to point B; cars are rolling data centers that transmit a wealth of actionable intelligence to the networks and systems around them. However, that same information is also a valuable commodity to hackers, who are looking to steal it at any cost.

According to Statista, it is projected that by 2025, there will be over 400 million connected cars in operation, up from some 237 million in 2021. That growth brings risk, and so it’s particularly important that we have the ability to secure connected cars from cybersecurity threats.

An Ongoing Threat 

While there is a solid body of knowledge around securing automakers’ back-end networks, the actual car and the interconnected systems and components inside the vehicle are the least understood part of the automotive security equation. WiFi, Bluetooth, LTE and 5G, CAN bus, V2X and the entire infotainment system are all entry points that pose serious security risks for automotive manufacturers. New technologies such as Voice-as-an-Interface may further expand the attack surface from the vehicle to the consumer through connected ecosystems such as Amazon, Apple, and Google.

However, cybersecurity standards for cars have only recently begun to emerge. The United Nations Economic Commission for Europe (UNECE) issued UN R155, which will come into effect on July 1, 2022 for new vehicle types. These rules govern cybersecurity and cybersecurity management systems (CSMS) for all vehicles sold in major markets outside of the US, Canada and China.

Cybersecurity within the automotive industry has a long way to go to catch up to traditional enterprise cybersecurity standards and best practices. Automotive original equipment manufacturers (OEMs) and component manufacturers need to manage vehicle cybersecurity risks, mitigate risks along the supply chain by securing vehicles in the design stage, detect and respond to security incidents across a vehicle fleet, and provide safe, secure software updates that do not compromise vehicle security.

Protecting Vehicle Systems

Even in the relatively short life of connected vehicles we have seen reported attacks on everything from in-vehicle components and systems and back-end services to third-party technology providers and maintenance systems.

The governance of connected automobiles remains essential to establishing cybersecurity measures across the industry. Vehicle cybersecurity starts with the OEM and each part of the value chain must adhere to regulations and mandatory legal requirements. 

Manufacturers must install, evolve and maintain a CSMS throughout the product chain. In many areas, manufacturers must work together to create a governance framework that assigns responsibility to different parties. This includes those with roles in each part of the supply chain from OEM factories and legacy systems to component suppliers including those supplying sensors, ECUs, connections and other communication technology to maintain cohesion across applications.

To ensure proper security, automotive OEMs and suppliers must:

• Establish an incident response plan. Every device company needs best practices to include protocols for recovering from cyber threats and patching vulnerabilities. They should be able to communicate with car owners, dealers, and other manufacturers to prepare, find, fix and close any issues that arise. These guidelines are largely covered by the adoption of a CSMS which is outlined in the International Standards Organization/Society of Automotive Engineering (ISO/SAE) 21434 standards and mandated by UN R155.

• Collaborate with appropriate parties. As with IT systems, no one technology product works in isolation. Connected car device manufacturers must have open lines with other providers to share security best practices and send alerts of potential vulnerabilities.

• Manage and assess risk. Not all cybersecurity threats pose the same threat level. Device makers need to be aware of all dangers and treat those that could lead to safety and data security issues. This process can help automakers identify and protect the most critical assets to ensure the vehicle’s integrity. This is also covered by the adoption of a CSMS as outlined by ISO/SAE 21434 and mandated by UN R155.

• Bake security into the design process and entire automotive ecosystem. With the risk of vulnerabilities now better understood, cybersecurity must be a top priority for the entire automotive ecosystem including the car, the network communications, the cloud services, and the connected apps on your phone.

A Look at Testing

Mitigating cybersecurity threats is just the beginning of the process. What really matters is validating that the security measures you have taken work. In order to understand that, you have to think like a hacker. For automakers and suppliers, cybersecurity testing should take place at several levels. Suppliers must test their devices and components, including connected components at the communications protocol layer. Automakers need to ensure that any supplier components have been thoroughly tested. Then, automotive manufacturers must ensure that any original parts and systems in alignment with their CSMS have been thoroughly tested. The security testing should include functional cybersecurity testing, fuzz testing, and vulnerability testing.

These tests don’t just need to cover a comprehensive suite of potential threat vectors; they also have to account for the various points of entry an attacker can take. That means testing across all the communication interfaces a modern car uses — including cellular, Wi-Fi, Bluetooth, CAN, and automotive ethernet.

But that’s only half the battle. Software updates — the preferred method to mitigate emerging threats across automotive components and systems — require verification. This process is painstakingly repetitious, and automation is key to making this happen. 

Compliance with UN R155 demands a repeatable, scalable, and well-documented testing approach. And between sprawling attack surfaces, emerging threats, and mandatory compliance processes, integration and automation aren’t luxuries — they’re a must-have. While it’s possible to cobble individual hardware and software components together into an automotive cybersecurity test platform, the time commitment of managing a homegrown system can easily outweigh any potential benefits.

The Road Forward

As vehicles become more connected and autonomous and a part of our everyday life, the need to secure them only grows more critical — and complex. The role of testing becomes even more critical to the success of the next generation of vehicles on the market. Better managing the cybersecurity needs of these cars starts at the beginning of the design process and continues throughout the life of the vehicle. With a committed industry, we can mitigate threats as they emerge and let everyone enjoy these truly incredible machines.

Written By

Marie Hattar is chief marketing officer (CMO) at Keysight Technologies. She has more than 20 years of marketing leadership experience spanning the security, routing, switching, telecom and mobility markets. Before becoming Keysight’s CMO, Marie was CMO at Ixia and at Check Point Software Technologies. Prior to that, she was Vice President at Cisco where she led the company’s enterprise networking and security portfolio and helped drive the company’s leadership in networking. Marie also worked at Nortel Networks, Alteon WebSystems, and Shasta Networks in senior marketing and CTO positions. Marie received a master’s degree in Business Administration in Marketing from York University and a Bachelor’s degree in Electrical Engineering from the University of Toronto.
