Battling cyber in the automotive industry

The automotive industry is going through a major change, and the introduction of connected and self-driving cars has brought new cybersecurity risks. Gartner predicts that by 2020, there will be a quarter billion connected vehicles on the road, enabling new in-vehicle services. Each of these vehicles will employ IoT technology while being part of a network that relies on the cloud for storage of software protocols and necessary information. This means that the vehicle's network will connect to external devices, and hackers can exploit this by attacking the network and remotely controlling the vehicle and all the information in it.

Ruggero Contu, Research Director at Gartner, explains that the automotive industry is not just facing the security threats that other industries face (for example, phishing and other targeted attacks); it is also tackling new risks coming from digital business initiatives such as cloud and mobile computing. Further, autonomous vehicles remain vulnerable to threats around identity theft (including personal and financial data), misrepresentation of information, denial of service, etc.

Another key concern in the cybersecurity of the automotive industry is malware. If malware is injected into an unsuspecting vehicle through a crucial connection, the hacker could, unfortunately, gain full control. It is important to keep in mind that the manufacturer or the vehicle user could lose control over the car’s software, as it is constantly being rewritten by different developers.

Research firm Gartner emphasizes that the security of the infotainment platform (which provides key services such as entertainment, navigation and internet connectivity) is critical because it can offer hackers a door into connected-car system networks. “In the process, hackers can compromise a driver’s privacy by stealing stored data; they could also infiltrate a car’s controller area network (CAN bus) and compromise or disrupt more vital vehicle functions,” adds Contu.

Clearly, staying abreast, and ideally ahead, of the cyber threat landscape in the face of the rapid pace of digitisation is one of the greatest challenges today. This essentially means that now is the right time to strengthen all procedures and shore up cyber defences. By 2020, it is estimated that 25% of all cars shipped will support different levels of autonomy, and that proportion will climb to 44% by 2025, according to Navigant Research. So, what can be done to ensure maximum protection of both the computer control systems and in-vehicle components on connected cars?

The simple answer is to make sure that a robust security infrastructure is in place. However, this is easier said than done.

The Associate Director for Digital Transformation Practice at Frost & Sullivan, Saurabh Verma, says that an all-round security practice is not just about securing the vehicle components. “The best practices will have to be viewed at a holistic level, and should ideally include communication protection, identification, authentication and authorization, security audit, self-protection, cryptography, and user data protection. Once you have taken care of each of these areas, the security of in-vehicle components will get addressed on its own,” he explains.

According to a McKinsey report, although an increasing number of regulatory bodies globally are starting to focus on the cybersecurity aspects of automotive, the definition of formal rules is still at a preliminary stage. To improve the security of vehicles, the auto industry must therefore implement definite and radical procedures.

Theodore Polykandriotis, VP of Business Development at Blackwire, adds that it is of utmost importance to integrate security solutions into the preliminary stages of product creation. He further emphasizes that automakers must invest in cybersecurity vendors that offer a comprehensive portfolio of security technologies for cars.

Polykandriotis feels that over-the-air (OTA) updates are essential for any connected system as they allow for quick response to cyber attacks and enable automakers to eradicate cyber breaches.

Amir Kanaan, Managing Director META at Kaspersky Lab, mirrors this opinion, saying that over-the-air updates are vital in order to flag any discrepancies as soon as a breach or vulnerability is discovered.

So, the connected automobile can be a lethal instrument if not secured at all possible nodes, and the security of this vehicle should be a key concern for the manufacturer, owner and operator, and the city and state authorities as well.

“Just like with the BYOD model followed within enterprises, the connected vehicle needs to be vetted for security protocols within internal systems, which is the responsibility of the manufacturer and owner/operator. With the vehicle granted access to the wide network, it will then be the city authorities’ responsibility to ensure that the networks are secure and all connectivity nodes are safe,” adds Kanaan.

To decrease the vulnerability of connected cars, it is imperative for customers to partner with vendors who are experts in the automotive technology industry, so as to stay updated with the most up-to-date and secure systems.

“Paying attention to hardware and software vulnerabilities and the security of telematics and safety systems is critical. Just as personally identifiable information should be compartmented and firewalled, so should the hardware and software in a vehicle,” says Eddie Schwartz, Executive Vice-President of Cyber Services, DarkMatter.

“We are seeing an expanding, and predictable growth in attempted attacks on vehicular systems, and it is now demanding the highest levels of cyber security resilience in this rapidly digitising world,” he adds.

Simply put, there is a need for automakers to invest in well-established and proven connected systems and ensure that these systems integrate well with broader aspects such as city and traffic planning, law enforcement, rideshare services, and many other allied offerings that are required to prepare for the increased presence of autonomous vehicles.

As we move into a world of digitization, we have certainly opened the gates to a mob of cybercriminals. Agreed, every new technology or innovation brings new security risks, but the vulnerabilities that come as part of autonomous vehicles are unique, unheard of and under-analysed. If these connected vehicles are left unattended, criminals can create hazardous implications not just for the drivers but also for pedestrians and the entire infrastructure.

It is therefore undisputed that, as with any software-driven product, investment in cybersecurity is essential. In fact, security must be built into every in-vehicle device from the very beginning, ensuring that the hardware has been hardened against attack, and guaranteeing that the software in the command centre of every car has been tested rigorously. Also, because a car is made up of both hardware and software systems from many vendors, each auto manufacturer must take ultimate and singular responsibility for the security of the vehicle as a whole, and coordinate all the security across the vehicle as an ecosystem.