SHARED INTEL: From airbags to malware: vehicle cyber safety arises in the age of connected cars

By Kolawole Samuel Adebayo

In an increasingly interconnected world, the evolution of the automotive industry presents an exciting yet daunting prospect.

As vehicles continue to offer modern features such as app-to-car connectivity, remote control access, and driver assistance software, a huge risk lurks in the shadows.

The physical safety of things like airbags, rearview mirrors, and brakes is well accounted for; yet automotive cybersecurity concerns are rising to the fore.

What used to be a focus on physical safety has now shifted to cybersecurity due to the widened attack surface that connected cars present. The rapid advancements in electric vehicles (EVs) have only served to heighten these concerns.

Funso Richard, Information Security Officer at Ensemble, highlighted the gravity of these threats. He told Last Watchdog that apart from conventional attacks, such as data theft and vehicle theft, much more worrisome types of attacks are emerging. These include ransomware targeting backend servers, distributed denial of service (DDoS) attacks, destructive malware, and even weaponizing charging stations to deploy malware.

Risk of compromise

The National Highway Traffic Safety Administration defines automotive cybersecurity as the protection of automotive electronic systems, communication networks, control algorithms, software, users, and underlying data from malicious attacks, damage, unauthorized access, or manipulation. The risk of compromise is not just theoretical; there have been instances where vehicles were momentarily commandeered.

Notably, in 2016, Nissan suspended a remote telematics system in its all-electric hatchback, the Leaf, due to a vulnerability in the NissanConnect app’s server. More recently, Sultan Qasim Khan, a principal security adviser with a UK-based security firm, tricked a Tesla into thinking the driver was inside by rerouting communication between the automaker’s mobile app and the car.

Rising regulations

As the attack surface broadens, original equipment manufacturers (OEMs) find themselves in a unique position. Roy Fridman, CEO at C2A Security, emphasized the complexity of the automotive industry, citing the intricate supply chain, the exponential growth of software in modern vehicles, and the heavily regulated environment as contributing factors.

In terms of regulations, Fridman highlighted WP.29 UN R155, which C2A Security’s David Mor Ofek helped to draft, as a key regulation that makes car manufacturers liable for the entire supply chain of their products. However, he warned against cursory compliance just to satisfy the regulatory bodies, emphasizing the need for OEMs to truly understand and address the threats.

“These laws imply that whether in design, development, production, or post-production, car manufacturers must have full visibility into the security of their software products through a cybersecurity management system (CSMS),” Fridman says.

Richard echoed this sentiment, emphasizing the importance of secure design principles and the need for evidence of implemented cybersecurity controls from third-party suppliers. He noted the temptation for OEMs to kit up new models with the latest features without assessing their security implications, but urged manufacturers to prioritize security.

“It’s not enough that smart automakers are doing their best to secure their products, a supplier could be the weakest link,” Richard says.

Consumer trust

This increased focus on automotive cybersecurity is also reflected in the consumer market, with customers putting more emphasis on their security posture and overall risk management. Fridman suggested that this trend presents an excellent opportunity for OEMs to build trust with their customers, and he expects to see more of this development in the future.

According to Fridman, there will be a shift from the mechanical side of car development to the software side, with the industry witnessing a proliferation of the Software Defined Vehicle (SDV). This implies an even greater potential for cyberattacks as more devices get connected and the demand for software-powered smart cars increases in an IoT-powered world.

The Automotive Cybersecurity Market Global Forecast by MarketsandMarkets corroborates this, predicting a rising demand for automotive cybersecurity solutions among OEMs globally, and noting that a passenger car equipped with modern connected features already has more than 100 million lines of code.

Richard added that smart vehicles will play a significant role in smart city development and the “connected everything” concept. This means that smart cars will redefine how we understand IoT in the next few years, becoming one of the leading data generators of connected devices and internet activities.

The comments of Fridman and Richard show consensus gelling in the cybersecurity community that connected vehicle safety must jump ahead of emerging regulations.

“The EV charging grid is left estranged from any formal guidelines, despite recent security breaches, increased interest from malicious hackers, and FBI warnings,” notes Fridman. “We should all double down on this front.”

Editor’s note: Kolawole Samuel Adebayo is a Last Watchdog special correspondent based in Lagos, Nigeria.

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


May 15th, 2023