Medium-term Automotive Cybersecurity Challenges
The dawn of electric vehicles has sparked a monumental shift within the automotive realm. No longer just simple machines of yesteryear, cars now resemble intricate computer systems on wheels, edging ever closer to becoming highly autonomous, robotic entities. This article delves into the complex world of modern vehicles, exploring their high-tech sensors, vast computational prowess, and countless lines of code that underpin their connectivity and independence.
With such advancements comes the pressing need for dependable, fortified systems to defend against functional safety hazards and cyber onslaughts.
As we venture into 2023 and beyond, leading automobile manufacturers are acutely aware of the imperative to weave cybersecurity considerations into every facet of their operations, from vehicle design and charging stations to transit infrastructure and supply chains. This strategy is vital for staying afloat in our increasingly digitalized world.
Thanks to computing breakthroughs, the automotive landscape has been transformed. Vehicles now boast seamless connections to manufacturers, owners, and drivers, a feat made possible by the marriage of information technology and innovative, collaborative, and versatile smart vehicles. Examples abound, such as emergency calls triggered during accidents or pinpointing vehicles’ locations via GPS. However, as vehicle connectivity surges, so does their vulnerability to cyber predators.
In a world where driver-assisted vehicle prototypes are evolving rapidly, some have already made their debut in European and Japanese markets. Industry giants like Tesla and Google are pouring resources into this burgeoning field, fully grasping the significance of cybersecurity. They acknowledge that the tantalizing prospects offered by cutting-edge technology also bring perils, such as targeted cyber attacks. Consequently, addressing cybersecurity risks within the realm of intelligent vehicles is of utmost importance.
Weak points of a computerized vehicle
Cybercriminals who target automobiles seek to compromise the vehicle's electronic systems in order to take control of it, which could endanger its occupants or, worse, cause accidents that affect other vehicles on the road or the transport infrastructure itself in the event of a collision. There are records of cyberattacks on smart vehicles from prestigious manufacturers.
Cyberattacks on the telematics control unit and the central gateway module are the most common. The attack path is physical access through the vehicle's interfaces with the outside: onboard diagnostic systems, USB memory, or the cellular network. Any of these could provide access to the entire vehicle network and allow manipulation of functions as critical as steering or braking.
For that reason, manufacturers are working hard on robust and reliable cybersecurity systems. In 2023, cybersecurity specialists recommend the use of the "Road Vehicles Cybersecurity Engineering" standard (ISO/SAE CD 21434), which is based on the well-known SAE J3061 "Cybersecurity Guidebook for Cyber-Physical Vehicle Systems" and tries to minimize the risk caused by possible cyberattacks on vehicles.
Reasons to Cyberattack an intelligent vehicle
A cyberattack on a vehicle in motion on a high-traffic highway, intended to cause an accident, is an example of cyberterrorism. The automotive fleet and transportation are considered a target of terrorism because an attack on this sector negatively affects a large number of users. Another reason to cyberattack vehicles is to extort money from drivers under the threat of vehicle theft, which feeds the sale of parts on the black market, or, even worse, to gain access to real-time vehicle data such as its location, navigation, information about its surroundings, and even information about its driver and passengers, for kidnapping or murder in case the ransom is not paid.
Data protection and privacy laws play an essential role in protecting vehicle owners, since vehicle sales establishments, at the time of sale, can process a large amount of personal data, up to and including the credit card information of the person who purchases the vehicle.
It goes without saying that if consumer data is exposed and falls into the hands of cybercriminals, it can cause severe damage, whether through the sale of the data, through other types of physical criminal acts, or through ransomware that locks any of the vehicle's functions and prevents its use until a ransom is paid to recover them.
Challenges of automotive cybersecurity
Cybersecurity calls for the different links in the automotive supply chain (manufacturers, suppliers, dealers, aftersales workshops, manufacturers and managers of charging points, owners of transport infrastructures, carriers, and drivers, among others) to participate in a plan that complies with cybersecurity requirements.
The Europeans are the greatest reference in terms of bills, implementation of laws, and implementation of regulations in the field of cybersecurity. Their experiences are essential references, and from them comes a series of recommendations in the form of good practices for the cybersecurity of smart vehicles. These cover the holistic protection of all the systems involved, including the vehicle's post-sale process. In general terms, the cybersecurity challenges for protecting the automotive fleet in 2023 are:
- Definition of a risk-based methodology to identify and prioritize the main vehicle risks.
- Guarantee privacy and security based on the design of connected and automated vehicles.
- Manufacturers are responsible for installing updates on autonomous vehicles to reduce vulnerabilities before the vehicles are sold.
- Aftersales workshops are in charge of offering a cybersecurity service to vehicles once they are sold, in order to deal with security problems when they occur. They must be able to perform software updates that resolve vulnerabilities and, in the event of cyberattacks, have mechanisms that allow reconfiguring and disabling applications so that vehicle functions remain active and do not pose a risk to vehicle occupants and the environment.
All this requires cybersecurity specialization in the automotive industry, which, like other industries, suffers from a lack of qualified cybersecurity engineers. To satisfy this need, it is essential that companies direct efforts towards strengthening cybersecurity processes specifically for the vehicle fleet.
Citizen education regarding the cybersecurity of their smart vehicles
Security professionals think that despite continuing education programs, the majority of people still need to understand how crucial it is to be informed of the cybersecurity state of their cars. As time goes on, more and more individuals will start to pay attention to their automobiles’ cybersecurity and recognize the risks posed by an out-of-date cybersecurity system.
Since 2019, vehicle manufacturers in the United States have been carrying out a major campaign on the importance of maintaining cybersecurity systems, driven by a series of government regulations implemented to protect citizens based on the following:
- Protection against cyberattacks: The entry points to the electronic systems of each vehicle offered for sale in the United States would have to be equipped to protect against cyberattacks, including isolation measures to separate critical software systems from noncritical systems, and the vehicle would need to be evaluated against cybersecurity vulnerabilities, including through penetration tests.
- Security of information collected: Data collected by the vehicle's electronic systems must be secured to prevent unauthorized access. This applies while the data is stored in the vehicle, while it is transferred from the car to another location, and in any storage or use of the data outside the vehicle. This especially applies to businesses that rent vehicles.
- Cyber Attack Detection, Reporting, and Response: Any vehicle manufactured for sale in the United States that features entry points would need to be equipped with capabilities to immediately detect, report, and respond to any attempt to intercept the vehicle's driving and control data. If the vehicle is for rent, an even more rigorous plan to update its cybersecurity system must be presented.
- Cybersecurity panel: All vehicles must have a cybersecurity panel that informs the driver, through a standard and easy-to-understand graphic, of the level of protection and privacy.
The initiatives indicated above are being considered by other countries. Cybersecurity specialists recommend that a single body coordinate cybersecurity for the automotive sector and help transportation authorities identify, detect, protect against, respond to, and recover from cyber threats and cyberattacks.
Talking about cybersecurity in the automotive sector implies considering the cybersecurity and privacy of the vehicle from its design onward, as well as all the elements with which it will subsequently interact, such as charging systems, the roads on which it circulates, or traffic management systems, all while taking into account the vehicle's supply chain and the underlying responsibilities in case something goes wrong.
To integrate cybersecurity and privacy by design, a culture of cybersecurity must be fostered among vehicle and spare parts manufacturers so that they can define and manage cybersecurity policies, train people, adopt life cycles for the development of vehicles, and plan responses to possible cyber threats and cyberattacks. Educating users means making sure they know the cybersecurity status of their vehicles and their responsibilities in case of cybersecurity failures.
César Daniel Barreto
César Daniel Barreto is an esteemed cybersecurity writer and expert, known for his in-depth knowledge and ability to simplify complex cyber security topics. With extensive experience in network security and data protection, he regularly contributes insightful articles and analysis on the latest cybersecurity trends, educating both professionals and the public.