Car manufacturers are starting to think seriously about cybersecurity

[msttasnuvanava]

Remember back in 2014 when millions of people woke up to find a U2 album on their devices that they hadn't downloaded? A lot of people were rightly upset. They thought they were the ones in control of what was installed and downloaded on their phones, so it was pretty unsettling to realise that they could be manipulated by third parties. We saw the same thing happen this year, but with darker implications, when users received a system update that was automatically downloaded to their Android devices and contained malware.

What if that happened to your car? We tend to think of a car as a closed unit, where the driver is in full control and responsible for driving. But can you imagine if someone hacked into your car and turned the radio up so loud that you couldn't think or concentrate? Or turned on the hazard lights without your consent? Or worse, what if they disabled the self-driving software and the car couldn't detect obstacles or pedestrians anymore?

As vehicles become increasingly software-defined, cybercrime is set to become how to get usa phone number a big problem. In this article, we'll explore some of the potential risks and what manufacturers can do about them.

Why the automotive industry is at risk

Although the danger associated with cybercrime is well known, the automotive industry is not as mature as other sectors when it comes to its defences. Industries such as financial services deal with sensitive customer data on a daily basis, so security has long been a high priority.

However, many automakers are still in their early days in the technology business. They understand the risk of losing valuable intellectual property, but manufacturers haven’t had to deal with sensitive data in the same way as other companies. Now that vehicles are becoming more like software platforms, however, these automakers are becoming “data businesses.” And that means there are many more areas where criminals could cause damage.

Evolving types of cyber threats

In my previous blog , I talked about the risk of AD/ADAS algorithms developed in the public cloud. But that’s only part of the problem. As automakers move toward cloud technology, there are many more potential attack surfaces.

They could attack autonomous vehicles directly, with adversarial attacks on visual sensors , which is one of the risks I mentioned earlier. New legislation in the EU, Japan and South Korea will make black boxes mandatory in all cars over the next two years. Hackers could infiltrate black boxes to manipulate the data being recorded.

But they could also attack the infrastructure. The cloud backend used by a fleet (as happened in the Gigaset example above) could automatically transmit malware to millions of vehicles at once, instead of just one. In fact, researchers at the Fraunhofer Institute IESE highlight that the risks due to attacks on the IT backend are increasing: the impact could be worse, the attack surface is larger, the driver is powerless to stop an attack, and there are more safety-critical processes that could be affected. This issue is increasingly being addressed in standardisation initiatives such as ISO TR 4804. The Fraunhofer Institute for Experimental Software Engineering has been researching the impact of security for over a decade, and its Safety Meets Security conferences show that interest in this topic is increasing. It recently established an alliance to develop secure system architectures for autonomous vehicles , which includes Volkswagen Group and DENSO, among others.

Another target that attackers are interested in is all proprietary data related to the different technologies that go into a car. This type of data is the source of competitive differentiation for car manufacturers and can help attackers use it for demanding ransomware. According to Accenture, the average cost of such attacks is estimated at $15.8 million for the automotive industry. For most car manufacturers, IT infrastructure is a relatively new thing. But now is the time to take it seriously.

The rules are changing

Cybersecurity isn't just about IP address theft. It could have huge (and potentially fatal) real-world implications. Car manufacturers need to take cybersecurity as seriously as physical crash tests.

The Fraunhofer Institute claims that the investment cost for ensuring cybersecurity in vehicles will increase significantly. Several studies have made realistic estimates for the total cost , including one that predicts that the “ global automotive cybersecurity market will reach $10.92 billion by 2030, growing at an annual rate of 21.7% during 2020–2030, due to the increasing need for cybersecurity among smart vehicles, autonomous vehicles, and connected transportation .” This is in line with previous studies by McKinsey .

Given the risks, it is no surprise that regulation is coming in to keep consumers safe. For example, the UNECE WP29 regulation is already in force. This regulation stipulates:

The need for a Software Update Management System (SUMS ).
The need for a Cybersecurity Management System (CSMS ).
From July 2022, the new cybersecurity regulation will be binding on all new vehicle types in the European Union, and from July 2024 on all new vehicles worldwide.

This became law in 2020. However, I have spoken to maybe eight to ten clients in the industry in the last month or two who didn't even know it exists. The rules will come into effect within a year, so there is no time to waste.

What to do about it

There are certainly serious concerns for automakers around cybersecurity. But it’s not a nightmare scenario: There’s still time to act, partners you can work with, and plenty of clear ways to protect software and vehicles. There are plenty of robust security options that automakers can leverage, especially if they don’t already have cloud security experts on staff. Some vendors, such as Bosch and Continental, have begun including security testing in their “control-as-a-service” offerings.

Dell Technologies is working with new and innovative security partners that are ahead of the curve. One example I recently came across is a company called Pilot Systems , which supports cybersecurity in AD/ADAS software. In IT infrastructure, Dell’s storage portfolio includes cyber protection and recovery solutions based on data isolation. These solutions are powered by machine learning-based models to detect attacks in real time and take actions to minimize the impact of the attack, as well as recover data from an isolated cyber vault.

I'll be speaking about cybersecurity and the development of safety-critical autonomous driving on July 27 at 6 p.m., with a panel including experts from the Fraunhofer Institute and Ward's Intelligence. Register here to join the session or to watch a recording on demand.