As vehicles get smarter, cybersecurity in the automotive industry is a growing concern for vehicle manufacturers, OEMs and drivers. The amount of technology embedded into connected cars creates a growing attack surface that allows hackers to exploit vulnerabilities to access car systems, where drivers’ personal information and their physical safety could be compromised.
This isn’t the stuff of science fiction either. In 2015, for example, researchers proved that they could take control of a Jeep Cherokee remotely and send it off the road. That same year, hackers found a vulnerability in BMW’s ConnectedDrive technology and exploited the weakness to take control of vehicle functions.
We have also seen attackers reuse attack techniques used in other environments (most notably Operational Technologies), so it is not out of the question that we could see ransomware attacks on vehicles soon.
The automotive industry has a unique set of challenges when it comes to security. For starters, connected cars and autonomous vehicles are highly complex, relying on over 100 million lines of code - that's more than a commercial aircraft, a fighter jet and Facebook combined. Add this to over 30,000 component parts, 30-100 Electronic Control Units (ECUs) and around 25 gigabytes of data created every hour by a connected car, and we can see that today’s car is a sophisticated computer that needs securing, patching and updating regularly.
Then there is the supply chain, which is highly fragmented with hundreds of suppliers each producing component parts and ECUs to their own standards and patch specifications. And, even if the individual component is robust, poor integration can lead to vulnerabilities.
With the introduction of 5G networks, automotive manufacturers now have a much more robust means of updating vehicles ‘over the air’. What the traditional IT industry has faced for years with patching is going to become a reality in the automotive sector. Vehicle updates and patches can be deployed without visiting the dealership.
Manufacturers will look to their supplier ecosystem to share the responsibility for security. Traditionally, they will specify exactly what they expect suppliers to produce, but they will only vaguely specify cybersecurity requirements and are unlikely to mandate the use of specific standards or frameworks.
Plus, suppliers have been reluctant to invest in creating their own standards in case the manufacturer mandates a different one. (There is an exception to this rule, with VW announcing recently that it is to create its own centralized operating system across all 12 VW Group Brands, thus establishing a common single software stack for everything from instrument displays and infotainment to powertrain and chassis management.)
It’s a stalemate that cannot continue if security is ever to be part of the design stage of a vehicle. The manufacturer – as the final assembler of all component parts – needs to take responsibility for ensuring that third-party systems are also ‘secure by design’, and that systems do not become vulnerable when connected. Standardization of automotive cyber platforms can only be good in the long run for auto-industry cybersecurity.
The connected car is going to make itself indispensable for owners. By making journeys easier (such as avoiding jams automatically) and removing the need to visit the dealership for software upgrades, it will make the ownership model easier.
In the future, there will be a move to full automation, which is likely to have more of an impact on how we use our vehicles. If we are removed from the pleasure of driving, would we want to own a vehicle? If we then move to an autonomous lift-share model, do we consent to our data being stored on every vehicle we use, for example, and is there going to be a facility to remove that information when we step out of the vehicle?
There are plenty of issues that are going to start to crop up that people are not considering at the moment.