As we advance into the new decade and the automotive industry continues to move forward with electric, autonomous and connected vehicles, we know that some doors are closing. Cars are less and less likely to need all the same parts and mechanisms they used to as technology makes the internal combustion engine obsolete; before we know it, the majority of vehicles on the road will be electric and very, very connected. Thus, while some doors close, others open: the market for automotive cybersecurity is poised to grow exponentially in the next 10 years and is quickly becoming a critical industry in the new automotive age.
Evolution of Automotive Technology
For years now, drivers have been able to access important data about their vehicles (mileage, gas reserve, speed) via digital dashboards. This technology has evolved into what we know as the in-car entertainment (ICE) or in-vehicle infotainment (IVI) system, allowing in-vehicle entertainment, mobile phone integration (e.g. hands-free calls) and navigation. Nowadays, new network technologies have been introduced to perform even more complex functions such as steering, accelerating and decelerating, parking and adaptive safety controls.
Considering the goal of many of these new features is driver safety and convenience, it’s hard to argue against their implementation. However, along with the huge improvements in user experience comes an increase in the complexity of in-vehicle networks and the software needed to manage them. It is estimated that software in modern cars exceeds 100 million lines of code; this is more than 15 times greater than the software needed to fly airplanes. This is only one of the reasons that it is essential to provide the automotive industry with adequate security solutions.
Connected Vehicle Security Risks and Challenges
Existing connected cars already rely on wireless and cellular communication interfaces to operate, which exposes them to underlying security risks. Recent attacks (Tesla Model S, FCA – Jeep and Nissan Leaf) and experiments have revealed that neither the automotive industry nor the security community is prepared for large-scale targeted attacks on the upcoming connected car ecosystem.
Another challenge to automotive cybersecurity is the various electrical components in a car (known as electronic control units, or ECUs) that are connected via an internal network. Without a strong defense, ECUs for a vehicle’s brakes and transmission could be taken over by hackers.
Cars today have up to 100 ECUs which, along with their 100 million lines of code, create incredibly diverse opportunities for ill-meaning hackers. Further complicating matters, auto manufacturers source ECUs from many different suppliers, meaning that no one player is in control of, or even familiar with, all of a vehicle’s source code.
Tracking Automotive Security Vulnerabilities and Cyber Attacks
Thankfully, a major malicious cyber attack on a group of connected vehicles has yet to take place. But the potential danger was illustrated dramatically in 2015 when two white-hat hackers remotely took control of a Jeep Cherokee and cut its transmission on the highway as part of a research initiative. The well-publicized incident prompted Chrysler to recall 1.4 million vehicles.
The threat of automotive cyber attacks will only loom larger as society transitions to autonomous vehicles. But even before autonomous vehicles become widespread, car hacking is already a very real danger: Today, the majority of the vehicles sold globally are connected, meaning that they are vulnerable to cyber attacks.
As in-vehicle wireless and Bluetooth connections become standardized and more vehicles become connected to one another, the threat will only increase. Security practitioners and car manufacturers must provide connected cars with security solutions that address the increasing threat landscape. However, it’s easier said than done – not only are in-vehicle components and technologies incredibly complex, but they were developed without security in mind.
Adopting common security mechanisms used in other application domains (e.g. data encryption) will add computation time and reduce processing performance. Much as it does with computers and wireless networks, this decrease in processing performance may lead to safety risks, as components linked to braking or steering could become unresponsive under the burden of high activity.
Protecting Against Cyber Attacks
All of this is not to say connected cars have no hope for security in the future. For example, defensive software solutions can be housed locally on individual ECUs — for instance, a car’s brakes — to reinforce these ECUs against attacks. Moving up a level, software can protect the vehicle’s internal network as a whole by examining all network communications, flagging any changes in standard in-vehicle network behavior and stopping attacks from advancing in the network.
Next, solutions exist to defend the particular electronic units in a vehicle that are connected to the outside world — for instance, infotainment units. This is a critical layer in the overall cybersecurity defense system, because it represents the border between the vehicle’s internal network and the external world.
Finally, cloud security services can detect and correct threats before they reach the vehicle. They also can send the vehicle over-the-air updates and intelligence in real time.
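A minimal sketch of the network-level monitoring layer described above, added here as an illustration and not taken from any vendor's product. It assumes a CAN-style bus on which each message ID is broadcast at a fixed period; the IDs, timings and function names are constructed for the example.

```python
from collections import defaultdict
from statistics import median

def learn_baseline(frames):
    """Learn the normal period of each message ID from known-good traffic.
    frames: iterable of (timestamp_ms, message_id), ordered by time."""
    last, gaps = {}, defaultdict(list)
    for ts, msg_id in frames:
        if msg_id in last:
            gaps[msg_id].append(ts - last[msg_id])
        last[msg_id] = ts
    return {msg_id: median(g) for msg_id, g in gaps.items()}

def detect(frames, baseline, tolerance=0.5):
    """Flag IDs never seen in the baseline and frames that arrive much
    sooner than the learned period (a typical sign of injected frames)."""
    last, alerts = {}, []
    for ts, msg_id in frames:
        if msg_id not in baseline:
            alerts.append((ts, msg_id, "unknown_id"))
        elif msg_id in last and ts - last[msg_id] < baseline[msg_id] * tolerance:
            alerts.append((ts, msg_id, "too_frequent"))
        last[msg_id] = ts
    return alerts

# Constructed known-good capture: ID 0x0C4 every 10 ms, ID 0x1A0 every 100 ms.
GOOD = sorted([(t, 0x0C4) for t in range(0, 1000, 10)] +
              [(t, 0x1A0) for t in range(0, 1000, 100)])

# Constructed live capture: normal 0x0C4 traffic, two extra 0x1A0 frames
# squeezed in after the legitimate one at 100 ms, and one frame with an
# ID (0x555) that never appears in the baseline.
LIVE = sorted([(t, 0x0C4) for t in range(0, 200, 10)] +
              [(0, 0x1A0), (100, 0x1A0), (102, 0x1A0), (104, 0x1A0)] +
              [(50, 0x555)])

BASELINE = learn_baseline(GOOD)

if __name__ == "__main__":
    for ts, msg_id, reason in detect(LIVE, BASELINE):
        print(f"t={ts}ms id=0x{msg_id:03X} {reason}")
```

The `tolerance` value trades false positives against missed injections; a production monitor would also have to handle event-driven messages that have no fixed period.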
Connected Vehicles and their Manufacturers
In addition to these layers of protection directly relating to a vehicle’s connectivity, supply chain risk management is a critical element of the overall cybersecurity effort. Compromised physical components can jeopardize the integrity of a car’s security architecture, making it imperative that OEMs only source parts from trusted suppliers.
That said, connected vehicles themselves are not the only ones at risk from cybersecurity threats. Manufacturer and supplier operations could easily be brought to their knees by malware, IoT vulnerabilities, and ransomware deployed by savvy and strategic hackers. If companies don’t prepare now for the future of cybersecurity, they could be spending exponentially more money in the future to rectify preventable security breaches.
Given how exceptionally vulnerable connected cars and their manufacturers are, surprisingly little attention and effort is being put towards resolving the problem. Automakers and suppliers must join hands with security firms to extend the increasing safety of autonomous, connected cars to their software and data, or else run the risk of being overtaken by more judicious competitors.