Remember in 2014 when millions of people woke up to find a U2 album on their devices, which they hadn’t downloaded? A lot of people were rightly annoyed about it. They thought they were the ones who controlled what was installed and downloaded onto their phones – so it was quite unsettling to realise that it could be manipulated by third parties. We saw the same thing happen this year, but with darker implications, when users received a system update with malware which was downloaded to their Android devices automatically.
What if that happened to your car? We tend to think of a car as a closed unit, where the driver is in control and responsible for driving. But imagine if someone hacked your car and turned up the radio so loud that you couldn’t think or concentrate? Or they switched on your hazard signals without your consent? Or, even worse, they deactivated your autonomous driving software, so the car couldn’t detect obstacles or pedestrians?
As vehicles become more and more software-defined, cybercrime is going to be a huge issue. In this blog, we’ll explore some of the risks – and what manufacturers can do about it.
Why the automotive industry is at risk
Although everyone knows the danger of cybercrime, the automotive industry is not as mature as other sectors in their defences. Industries like financial services deal with sensitive customer data daily, meaning that security has been a high priority for a long time.
However, many automakers are just getting into the technology business. They understand the risk of losing valuable IP – but manufacturers haven’t had to deal with sensitive data in the same way as other companies before. Now though, with vehicles becoming more like software platforms, these auto manufacturers are becoming ‘data businesses’. And that means there are a lot more areas where criminals could cause damage.
Evolving types of cyber threats
In my previous blog, I talked about the risk of AD/ADAS algorithms developed in the public cloud. But that’s only one part of the problem. As automakers move further into cloud technology, there are a lot more potential attack surfaces.
You could attack self-driving vehicles directly, with adversarial attacks into the visual sensors – which is one of the risks I discussed previously. New legislation in the EU, Japan and South Korea will make black boxes mandatory in all cars over the next couple of years. Hackers could infiltrate the black boxes, to manipulate the data that is being recorded.
But you could attack the infrastructure too. The cloud backend that a fleet uses (as happened in the Gigaset example above) could automatically transmit malware to millions of vehicles at once, rather than just one. In fact, researchers at Fraunhofer IESE Institute highlight those risks due to attacks on the IT backend are increasing – the impact could be worse, the attack surface is bigger, the driver has no power to stop an attack, and there are more safety-critical processes which could be affected. This issue is increasingly addressed by standardization initiatives like ISO TR 4804. Fraunhofer IESE has been researching the impact of security on safety for more than a decade, and its Safety Meets Security conferences show that the interest in this topic is increasing. It recently established an alliance to develop safe-system architectures for self-driving vehicles, which includes Volkswagen Group and DENSO, among others.
Another target that is of interest to attackers is all the proprietary data related to the different technologies that go into an automobile. This type of data is the source of the competitive differentiation for auto makers and can help attackers use it for demanding ransomware. According to Accenture, the average cost of such attacks is estimated to be $15.8M for the automotive industry. For most automakers, IT infrastructure is a relatively new thing. But now is the time to get serious about it.
The rules are changing
Cybersecurity is not just about IP theft. It could have enormous real-world (and potentially fatal) implications. Automakers should take cyber-safety just as seriously as they take physical crash testing.
Fraunhofer IESE states that the cost of investment to guarantee automotive cybersecurity will increase significantly. Several studies have made realistic estimates for the overall cost, including one which predicts that the ‘global automotive cybersecurity market will reach $10.92 billion by 2030, growing by 21.7% annually over 2020-2030, owing to the rising need for cyber security among smart vehicles, self-driving cars and connected transportation.’ This is in line with previous studies from McKinsey.
Because of the risks, it’s no surprise that regulation is coming in to keep consumers safe. For example, the UNECE WP29 regulation is already in effect. It stipulates:
-
- Demand for a Software Update Management System (SUMS)
- Demand for a Cybersecurity Management System (CSMS)
From July 2022, the new cybersecurity regulation will be binding for all new vehicle types in the European Union and July 2024 for all new vehicles globally.
This was signed into law in 2020. Yet I’ve spoken to maybe eight to ten automotive clients in the last month or two who didn’t even know it exists. The rules come into force just one year from now, so there’s no time to lose.
What to do about it
There are certainly some serious concerns for automakers around cybersecurity. But it’s not a nightmare scenario – there’s still time to act, partners who you can work with, and plenty of clear ways to secure your software and vehicles. There are a lot of strong options for security out there, which automakers can take advantage of, especially if they don’t have cloud security experts in-house yet. Some suppliers, like Bosch and Continental, have begun including security testing in their ‘control as a service’ offerings.
Dell Technologies is working with new and innovative security partners who are at the cutting edge. An example I found recently is a company called Pilot Systems, who support cybersecurity in AD/ADAS software. On the IT Infrastructure, side Dell storage portfolio comes with data isolation based cyber-protection and recovery solutions. These solutions are powered by machine learning based models to detect the attacks in real time and take actions to minimize the impact of the attack as well as recover data from an isolated cyber vault.
I’ll be discussing cybersecurity and safety-critical autonomous driving development on July 27 at 11 a.m. CT, with a panel including experts from the Fraunhofer Institute and Ward’s Intelligence. Register here to join the session or to watch an on-demand recording.