There is no question that the automotive industry is one undergoing constant innovation and digital transformation. Nowadays, people expect to stay connected when commuting in their vehicles at all times and locations. Modern cars will have built-in navigation systems, Wi-Fi access, as well as in-vehicle infotainment systems (a combination of entertainment and information delivery to drivers). Alas, with the rise of new technologies, comes the rise of new hacks and gateways for cyber criminals to penetrate car systems.
Yet, it is also true that these cyberattacks are not just occurring out of new technologies, there is still clearly a lack of scrutiny over vulnerable open-source components within a company’s software code. This is confirmed by a 2019 survey by Synopsys and SAE International on current cybersecurity practices which found 62% of professionals interviewed believe malicious attacks on software and open source components are bound to occur in 2020 within the automotive industry. Clearly, these security holes are major contributors as to why malicious actors have been so successful in penetrating systems and networks.
This article intends to enlighten readers on the problems which certain hacks can cause to the automotive industry and its customers, as well as insight into ways this industry could prevent future exploits as part of their digital transformation.
What can go wrong?
Cyberattacks to the automotive industry can have health, financial and reputational consequences. Take the examples below:
- A scary reality is if the hackers access the brakes or steering wheel. We have already seen an example of this in April 2019, where a hacker broke into two GPS tracking apps (ProTrack and iTrack). This resulted in access to personal data, the monitoring of the vehicle location and the ability to stop the engine altogether. This type of hack could cause serious accidents and therefore threatens the health and safety of the passenger.
- Automakers also have to take care of cybersecurity within their designs or else they could suffer severe financial repercussions. For example, a global automaker recalled around 1.4 million cars in 2015 due to cybersecurity risks, resulting in the potential cost of the OEM (Original Equipment Manufacturer) of nearly $600 million. The impact here is not only financial loss, but the automaker loses a certain amount of credibility as a provider, further damaging their business.
- Losing control of a web or mobile app also has its downfalls. Ransomware attacks or data breaches could expose a lot of sensitive data, as well as stop systems from running. As automotive companies compile a significant amount of this customer data, they become a plausible target for hackers. For example, in April 2019, Toyota announced a breach had exposed the data of up to 3.1 million customers. This disrupts the business, causes financial problems and most certainly diminishes the reputation of the company. Additionally, the leaking of software IP can also be damaging to a business, as it can give information to hackers for future exploits.
Cybersecurity is like a seatbelt
Until 1966, cars were often made without seat belts. But now, it would never cross the mind of any manufacturer to not include seatbelts in the design of a car, as it would be a major risk to the health and safety of the passenger. Here we can make a parallel with cybersecurity. In the same way there is a blatant risk of not wearing a seatbelt due to the possibility of a car accident, there is also a major risk of letting software-driven devices run without having secured their entire software supply chain to de-risk the possibility of a cyber attack via a vulnerable software component. Everyone should wear a seatbelt in a car, so why does the automotive industry not treat cybersecurity with the same mentality?
It is suggested the automotive industry lacks a standard approach for dealing with cybersecurity. This problem can stem from the relationship between OEMs and suppliers. Currently, contractual arrangements often do not allow OEMs to test the end-to-end cybersecurity of a vehicle platform made up of parts from different suppliers. Subsequently, this makes it hard to achieve strong cyber security when automotive software is developed and tested.
Businesses within the car industry, may feel that they haven’t got the time to focus on cybersecurity. Too many companies will not feel the urgency until they have experienced a cyber attack themselves. For that reason, there seems to be a shortage in cybersecurity professionals globally. A Cybersecurity Workforce study has interviewed over 3200 security professionals around the world and found that the number of unfilled positions has risen from 2.93 million in 2018 to 4.07million in November 2019.
How to improve cybersecurity in a constantly evolving industry?
For manufacturers and suppliers in the automotive industry, there is a need to prioritise cybersecurity as part of the automobile’s e-safety. Collaborators in the automobile value chain must take into consideration the digital life cycle of the vehicle’s software as part of the vehicle’s holistic life cycle. Therefore producers of intelligent cars (or their electronic subcomponents) powered with software must include these 4 pillars:
- A good baseline: understanding the relevant legislation in the OEM markets and making sure to uphold all the existing cybersecurity standards involved. This will help all parties deliver secure software.
- Enforce a security-by-design culture within the engineering process. This should focus on secure development practices, software testing and new supplier-audit processes that include cybersecurity issues. Here there should also be testing or evaluating the components within code, to check for vulnerabilities.
- Monitor the cybersecurity of cars on the road. This means having a clear view of a vehicle’s configuration and setting up a security operations center for cars. Here the center could use correlation and artificial intelligence to detect adverse events and respond efficiently. The use of new technologies adds to how the industry needs to digitally transform to address cybersecurity effectively.
- Ensure software updates to vehicles pass security and safety tests. This should be run by the OEM through a software-engineering approach. This shows automakers are testing and securing changes to the vehicle as part of their continuous maintenance.
For other business providers working within the automotive industry it is also important to adapt to changing technologies so that your cybersecurity is up to date. For example, there are many companies now promoting different ways to own a car through web and mobile apps and shared-platforms such as Turo, Drover or Avis. Here criminals could target the business because of the abundance of sensitive customer data. This could be supported when Verizon’s Data Breach Investigation report saw 60% of the time, web apps are the unlocked doors that hackers use to access user data or bring your business to a stand still. These are some tips to protect your apps:
- Make sure to secure vulnerabilities within your business code – more than 40% of cyberattacks originate in software servers, vehicle mobile apps and the infotainment system combined. Addressing software vulnerabilities should be a consistent practice as they are discovered daily and hackers exploit them automatically using bots and programs. The scale of vulnerabilities which a company could obtain over time is seen through the example of Uber who have 1,345 resolved bug reports and have paid out over $2.3 million. To understand the scale, Uber has received up to 111 bug reports in the past 90 days.
- Implement a cyber resilient culture within your business. To go through digital transformation, companies need to adapt to the growing sophistication of cyber criminals. This means there needs to be qualified teams with expertise ready and prepared to respond to malicious actors. Clearly this is something which needs to be implemented with more rigour in the automotive industry, as FleetNews’ recent survey of 500 businesses in the sector found that 65% did not have a cyber security team.
- Look into the future. When investing in new technologies, understand how this will impact your business models, operational processes and the user experience. Successful transformations also depend on how firms manage digital transformation process through leadership and governance (not solely its implementation). If businesses don’t keep up with evolving technologies, how will they be able to keep up with the growing sophistication of hackers? Research by Accenture has highlighted the advantage which digital transformation provides to companies: early innovators are 67% more likely to outperform compared to 18% for market share protectors.
Let Meterian be your seat belt
Meterian can automatically inventory your open source components and analyse them to check if they are up-to-date or have any publicly disclosed security and licence risks. Get started on building a proactive defence for your customer data and software IP as your business goes through digital transformation. Try our FREE web scanner today to get a preview of what kind of potential vulnerabilities are in your website. We can provide more in-depth analyses for all your software code bases. Get in touch today.