Plug-in electric and at least partially autonomous connected cars are a common sight on roads around the world. 

The software and electronic component market for those vehicles is projected to grow from $238 billion to $469 billion between 2020 and 2030. Both cybersecurity and ‘privacy by design and default’ have been holistically embedded into operations across many manufacturers, supply chains and delivery infrastructures. But, these are vulnerable to cyberattacks, as are the vehicles themselves once they leave the assembly line. They need cyber resilience standards as much as any other computer. 

On Oct. 7, 2020, X-Force Red, IBM Security’s team of hackers, and IBM’s global automotive team will present a webinar about new security mandates for connected cars. They will discuss common attack scenarios the mandates should help protect against and what manufacturers can do today to begin the compliance process.

Bringing Security Out of the Assembly Line
Securing intellectual property, such as new designs, concepts, tooling/technologies and strategic plans, has been a focus in manufacturing plants for many years. Once they get on the road, connected and automated vehicles (CAVs) are vulnerable to cyberattacks. This includes the physical vehicles, technologies and services they connect to and communicate with. 

While manufacturers have excelled in security in development, production and engineering, they do not consider cybersecurity gaps as often. For example, they may dismiss cybersecurity monitoring of connected cars on the road. Threats to vehicle integrity and production line availability as a result of a cyberattack are also areas that require maturation and a stronger operational resilience focus. 

Threat Vector 1: Vehicle Component Complexity  
CAVs are fundamentally highly interconnected architectures that provide a range of key services via a gateway electronic control unit (ECU) with telematics and communications embedded. These services include the powertrain (engine and transmission), the chassis control subnet (steering, airbag, braking), body control subnet (instruments, climate control, door locking) and the infotainment subnet (telephone, navigation, audio/video). Alongside these components are a range of external connections, such as USB, Bluetooth, WiFi, ZigBee, GPS, Wave, 3/4/5G, OBD, GSM and many others. This complex connected infrastructure can leave vehicles exposed to a range of vectors.

Damage/loss of sensitive data in the cloud, failure or malfunctions of systems, power supply or errors in software, interception of information, such as locking of doors or garages, tampering of vehicle controls and identity fraud/theft are all possible threats.

Threat Vector 2: Power Grid Disruption
One emerging threat vector that can be defended against with greater cyber resilience is an attack that targets electric vehicles (EVs). This threat vector is a demand-side cyberattack using multiple plug-in EVs and high-wattage charging stations. Recent research highlights this as a realistic scenario involving multiple EVs being hacked simultaneously during a charging cycle with the aim of disrupting the power grid or causing blackouts. This risk was highlighted by the National Institute of Standards and Technology, which stated the energy and transportation sectors have “very little understanding of each other’s concerns and approaches to cybersecurity.”

To address these risks, regulated standards are needed for current and future vehicles to mandate requirements for CAVs with cybersecurity controls, testing and technological measures. This can provide assurance during the manufacturing, assembly and inspection processes alongside ongoing security updates to connected cars during their lifetimes.

Threat Vector 3: Mobile Devices
Mobile devices have now become a key and a method of controlling multiple key functions, such as locks, headlights, infotainment, climate control, wipers, the horn and even the movement of the vehicle. These devices and apps are known to have a range of vulnerabilities. For example, poor password requirements, code errors, outdated operating systems, susceptibility to malware/viruses and poor user practices provide a range of threat vectors to a CAV. For example, a malicious actor may have installed an app on a user device, which could then access the legitimate app for the CAV and obtain a vehicle identification number (VIN). Once a VIN is obtained, the attacker could install a legitimate app and potentially take control of the vehicle.

Threat Vector 4: The Human Element
Automotive employees will need to develop new skills and change the way they work. This leads to transformation in engineering, design, sourcing, program management, sales and service. All employees and stakeholders will need education related to cybersecurity. A recent example of a Tesla employee being approached by a criminal gang to deploy malware highlights the need to embed a strong culture of awareness, as well as controls to prevent rogue employees from causing disruption of damage.

Threat Vector 5: Financial Crime
The CAV payments market is expected to reach over €537 billion ($636 billion) by 2030. While the threat of malicious attacks and physical theft has been a concern for some time, the most common threat vector may be financial gain by organized criminals. As CAVs will have multiple technologies that provide payments for a range of services (such as fuel, subscriptions, tolls, parking or food and drink), there is a risk of payment data being compromised.

What’s Next for Connected Cars? 
Automotive players can adopt uniform cybersecurity standards to protect the connected cars and other vehicles they design and manufacture. These include the United Nations Economic Commission for Europe (UNECE) WP.29 cybersecurity, International Standardization Organization ISO 24089 — Software Update Engineering or the upcoming ISO 21434 Road vehicles — Cybersecurity engineering standards.

These standards are key because advanced technologies and the increased connectivity of vehicles significantly increase the risk of cyberattacks. Additionally, in a vehicle, the risk of physical injury is added to the risk of loss of data. Successful cyberattacks could lead to financial and reputational damage as well as significant regulatory fines for manufacturers.

Ultimately, cybersecurity standards and regulations such as WP.29 and ISO/SAE 21434 can benefit automotive industry stakeholders. By embedding a strong culture of cybersecurity, cyber risk quantification, threat/risk management, governance and technological controls and processes, these standards can help keep vehicles, drivers and pedestrians safe.