Connected technologies are helping transform vehicles from a mode of transportation to mobile living spaces. Technologies like navigation, GPS, and connected infotainment, among others, have become standard features in a modern car. To put this in perspective, as per Deloitte’s 2020 report on connected cars, the Indian connected car market is projected to grow at a CAGR of 22.2% and reach $32.5 by 2025 from an estimated $9.8 billion in 2019. Connectivity has been opening doors for new technologies and information sharing across industries.
By Alexander Klotz, Head of Technical Center India (TCI), Continental Automotive India
However, as the connectivity quotient increases in the car, cybersecurity becomes a key priority for all those involved in the automotive industry as we move closer to autonomous vehicles.
Automotive Cybersecurity: The Need
A vehicle today has several million lines of code. These vehicles rely on Over-The-Network (OTN) communication interfaces to function, increasing the risk factor for privacy and security. The various Electronic Control Units (ECUs) in a vehicle are linked through an internal network, and a lack of cybersecurity measures makes them vulnerable. For instance, we need to secure the ECUs of a vehicle’s brakes and transmission from a possible hack. Earlier, our concern was to protect the environment from faulty components. Today, it is equally essential to protect the components from hostile environments.
Further, a connected vehicle has a network of functions, such as cameras that screen passengers, GPS, and seat belt warnings, working together to share the necessary information. If even one of these functions were compromised, the whole system could be affected.
The vehicles in the future would be collecting vast amounts of data through the internet, and it will leave the user open to other data threats, including the consumer’s personal information. The result of compromised data would make the car more vulnerable to security threats.
The Need for Cybersecurity for the Automotive Ecosystem
As we move towards connected and electric mobility, and vehicles become IoT devices, we could be looking at a future where a faulty ecosystem can expose the vehicles to threats and vulnerabilities. For instance, many charging stations use an outdated Open Charge Point Protocol based on HTTP, which does not encrypt data/information, allowing attackers to break into the Wi-Fi signal and rewire the charging gateway.
There is a crucial need to develop means based on artificial intelligence and machine learning to fight cyberattacks and minimize their impact on the Internet-of-Vehicles framework. Automotive cloud security could help stakeholders by giving them an entire picture of the data flows in their surroundings. It makes it easy for users to identify threats to their network and spot deviations beforehand.
However, automotive cybersecurity is not limited to securing the vehicle. It has to start much earlier, for instance, during the manufacturing process itself. The manufacturing setup requires a robust security system to prevent intrusion by hackers, who could modify the code of the components, leading to faulty behavior.
Automotive Cybersecurity: Beyond Mobility
As we move towards connected plants and advanced technologies, it opens us to new threats and vulnerabilities. Any information that travels through the internet is susceptible to a cyberattack. For example, when manufacturing data migrates from Operational Technology (OT) systems on the factory floor to interconnected Information Technology (IT) systems in the corporate network, new risks evolve. This data is now more vulnerable at this stage. Cybercriminals could potentially gain access to intellectual property, shut down systems, disrupt production timetables, and affect product quality.
The manufacturing setting needs to be considered a fully integrated setting, even if some processes are not integrated into the Internet. Although many breaches start in IT networks, the hackers or attackers may jump into other parts of the setting through connected devices. Furthermore, some connected devices may include information about the non-connected process.
A secure supply chain ecosystem also requires diligence toward proper vendor management. Any third parties that have authorized access to the company’s network can become unwitting avenues of attack. A bad actor who steals any login credentials of the third party could potentially gain access to the company’s network by pretending to be an authorized user.
The solution for automotive cybersecurity needs to be proactive and multilayered. First, individual electronic components/systems must be secured. Following this, the connections between these components/systems need to be made secure. As the next step, the focus should shift towards protecting and securing the external interfaces. Once all external interfacing is secured, as the final step of protection, data processing taking place outside of the car has to be strengthened to prevent data theft and exploitation. Cloud and backend solutions also need to be given importance at the final stage, and they need to be protected from security breaches.
Today, teams are working on securing the systems, memory, communication, and supporting infrastructure. Online trust centers that secure the crypto keys and penetration test labs that continuously look for vulnerabilities and threats have become crucial to ensure vehicle safety.
Cybersecurity can be tackled in three broad critical steps:
1. Prevent – The probability of security encroachment rises in tandem with the degree of networking and the number of in-vehicle interfaces that it necessitates. Hackers are driven by various factors, including data theft, financial gain, and prestige. Manufacturers need to strengthen all potential attack points and lay down security solutions across multiple levels and departments. This can be made possible by identifying the various attack points, understanding the behavior, and designing safety measures to secure the systems.
In other words, make it as hard as possible for hackers to attack. This typically involves hardware-enhanced crypto, embedded security software, secure networks, and secure vehicle architecture. In terms of automotive cybersecurity, another example of a preventive approach would be DevSecOps. The practice ensures that developers are using coding practices that are less vulnerable to attacks.
2. Understand – Know that the system is being hacked, identify the point of entry, exposed vulnerabilities, and other critical information in real-time. This involves live monitoring and tracking of connected vehicles. An example of this would be setting up the Security Operation Centres (SOCs). SOCs are needed to ensure real-time detection of any such breach and tackle it in real-time. The SOCs would also help us identify the gaps and do quick patches to avoid long-term exposure to vulnerabilities in on-road vehicles.
3. Respond – Mitigate the damage and immunize the fleet in hours. This involves software updates over-the-air and patch management. Cybercrime is an asymmetric challenge. Although an organization must monitor hundreds of processes, hackers just need to find a single flaw to gain access. It is like a never-ending race between those who want to secure networks and those who want to break them down. This is why, once a loophole is identified, it is vital to act as quickly as possible.
Organizations should implement an Incident Response Management System that provides an extra layer of security that reacts quickly if an attack occurs. Millions of cars will be able to upgrade themselves to new protection standards without needing to visit an auto repair shop. Real-time patch management through over-the-air updates is an essential requirement for “Vision Zero” – a future without fatalities, injuries, and crashes.
Cybersecurity has always been an industry that has sustained innovation. For instance, earlier, the concern was to protect the environment from faulty components. Today, it is equally essential to protect the components from hostile environments. Today, a considerable section of industry engineers are working on securing the systems, memory, communication, and supporting infrastructure. Today, online trust centers secure crypto-keys, and penetration test labs continuously look for vulnerabilities. As the technology evolves, the industry continuously adapts and responds to the threats, innovating to keep the systems secure.
The challenge we face today, as an industry, is a lack of standardization. Standardization is crucial in shaping cybersecurity practices of the future. As an industry, we also need to move towards an information-sharing ecosystem – share information and best practices with peers. As they say, one person’s detection can become another person’s prevention.
Another step that could be transformative would be the introduction of AI and predictive modeling. It is accelerating instant detection and response, improving the communication of risks to the business, and providing a better understanding of situational awareness in cybersecurity.
About the Author
Alexander Klotz is the head of Continental’s Technical Center India (TCI), the in-house R&D center of Continental Corporation. In this role, Klotz is responsible for the growth of the center into a trusted partner augmenting Continental’s global R&D competence. In this regard, he will oversee the growth of competence, innovation potential, and capacity.
Prior to this, Klotz was Director R&D within Continental’s Interior division, responsible for advanced product development and systems engineering. Klotz has more than 15 years of automotive engineering experience, in areas spanning vehicle testing, project management, customer and product strategy, simultaneous engineering, and innovation.
Klotz also launched and led the Silicon Valley office for Continental in 2013. He studied Mechanical Engineering and Business Administration (German Diplom Wirtschaftsingenieur) at the Technical University Carolo Wilhelmina in Braunschweig, Germany.
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.