The second a system is connected to a network, it becomes vulnerable to a cyber attack. We’ve seen news of companies experiencing cyber attacks across different industries more often than we can count. But now that the automotive industry has joined the digital bandwagon, cybersecurity threats and attacks are also becoming an issue. With predictions of over 125 million electric vehicles on the road by 2030, adequate cybersecurity within the automotive industry is necessary to ensure passenger safety and security of the automotive network.
Understanding the cyber threats that arise from automotive innovations
Automotive innovations have transformed the industry as we know it. Where automobiles were once driven by wheels and an engine, now are a sort of data network on wheels. However, with new technological advances, comes new network vulnerabilities and risks. Between connected, electric, and highly autonomous vehicles, let’s take a look at the new cyber threats presented by these innovations.
Connected vehicles
The cyber risk of connected cars has become clear over the past few years as security researchers have revealed various technical vulnerabilities. In these scenarios, cybercriminals can hijack Electrical Control Units (ECU) to disrupt the braking, steering, and the engine, as well as compromise technical pairs to smartphones via Vehicle-to-Everything (V2X) and Vehicle-to-Vehicle (V2V) vulnerabilities.
Electric vehicles
Electronic devices and networks are embedded into the hardware of electric vehicles. And while electric vehicles offer several benefits, their vulnerabilities lie within their battery packs, commercial charging stations, vehicle access through mobile applications, and the command and control server. When these vulnerabilities are targeted, cybercriminals have the ability to decrease the battery life of an electric vehicle by 50%, jam the vehicle control systems while charging at a public station, or even gain control over systems through the network WiFi of their mobile app.
Highly autonomous vehicles
With the uptick of artificial intelligence (AI) technologies, autonomous vehicles are victims of evasion attacks, distributed denial-of-service (DDoS) attacks, manipulation of autonomous vehicles’ communication equipment, and information disclosure. All of these cyber threats stem from the increase in AI automated decision-making, where digital systems are exposed and cybercriminals can take advantage of the vulnerabilities presented by new machine learning (ML) and AI methods.
Top 3 cyber threats for automotive manufacturers
Eliminating cyber threats starts by identifying where the vulnerabilities come from and how they can be prevented from the start. Automotive manufacturers play a very important role to ensure the safety and security of their vehicles. Therefore, we must first look at the top cyber threats tactics to inform and secure the production of new automotive vehicles.
Brute force attack
The Brute Force attack is the most common type of attack in the U.S. automotive industry. This attack is performed by cybercriminals where they target a computer’s network and infiltrate a large database of passwords and usernames. From there, cybercriminals will attempt a credential stuffing attack where they create combinations to try and crack into the computer network of an automobile.
Phishing attack
Phishing attacks are carried out through email, in which employees of a large automotive company are sent emails with malicious attachments. If an employee falls victim to one of these attacks and clicks on the link or attachment, the malicious code embedded in the email allows cybercriminals to roam unnoticed through the computer’s network and search for sensitive data.
Ransomware
Ransomware attacks are becoming more common as cybercriminals learn new ways to gain access to databases and take advantage of the Ransomware as a Service (RaaS) industry. In a typical ransomware attack, cybercriminals infiltrate a computer’s network and deny access to business entries until a ransom has been paid. If the ransom is not paid by the compromised business, cybercriminals may threaten to erase all data or the encryption key used to decrypt data.
How to achieve automotive cybersecurity
As the automotive industry continues to develop intelligently, connected, and autonomous vehicles, we must work to better understand the safety and security of this connected technology to best protect the automotive industry as a whole. Here are some of the top ways to achieve automotive cybersecurity.
Adhere to automotive cybersecurity guidelines
The International Standardization Organization (ISO) and the Society of Automotive Engineers (SAE) have recently published a “Road vehicles—Cybersecurity Engineering” standard 21434 that lays out the cybersecurity regulations and requirements for automotive vehicles. These standards allow the automotive industry to implement common cybersecurity procedures and practices specific to the manufacturing and development of these vehicles. Adhering to this standard will create unison within the automotive industry to ensure that cybersecurity is at top of mind for all manufacturers.
Upgrade data security protocols
Another way to achieve automotive cybersecurity is to update and upgrade data security protocols. This can be done by reviewing basic security measures that include generating strong passwords, encrypting any and all sensitive data, implementing multi-factor authentication, frequently updating systems, and establishing lockout policies for multiple attempted network entries. The automotive industry can also work to better educate and train employees on how to identify cyber threats or attempts that they may fall victim to.
Secure interfaces to the outside world
A vehicle’s communication interfaces connect the occupants and the car itself to the outside world. Therefore, these interfaces (Bluetooth, Ethernet, On-Board Diagnostics (OBD), etc.) need to be secure to achieve optimal automotive cybersecurity and protect user privacy and vehicle safety. In order to accomplish this, strong authentication and encryption need to be implemented to ensure the vehicle is only communicating, exchanging, and receiving data with known and trusted entities.
Maintain cohesion across applications
Governance of connected automobiles is essential to establish cohesive cybersecurity measures across manufacturers. There must be clear governance in place so that manufacturers can install, evolve, and maintain a cybersecurity management system throughout the entire production chain. As of late, there is no clearly defined governance model for the cybersecurity of connected vehicles. In order to achieve automotive cybersecurity, manufacturers must work together to create a cybersecurity governance framework between connected vehicles, automotive factories, legacy systems, and typical information and communication technology (ICT), to maintain cohesion across applications.
How SecurityScorecard can help
The strategic partnership of Auto-ISAC and SecurityScorecard presents several new capabilities for the automotive industry. For starters, SecurityScorecard continuous monitoring will now have improved visibility to conduct security benchmarks from Auto-ISAC. In addition, the partnership allows members to access Complimentary Enterprise Starter License to continuously monitor up to five third parties, identify areas of risk aggregation, and inform the ISAC’s intelligence collection curriculum.
Interested in learning how your enterprise can strengthen your security posture? Request a free instant scorecard and see how advanced insight into the cyber health of your organization can help exploit vulnerabilities in the future.