The increased connectivity between vehicles, other road users and infrastructure brings with it a growing risk of manipulation. The easiest way to reduce the risk of cyber-attacks is through prevention and putting security at the heart of vehicle technology from the outset.
Data and connectivity form the basis for the future of mobility and they present new sources of revenue and business opportunities for all stakeholders and users.
“Vehicles are benefiting from a wave of technological innovations that are making transportation safer, more secure and smarter thanks to connectivity,” says Faye Francy, Executive Director of Auto-ISAC, an organisation that focuses on collaboration and information exchange between car manufacturers in the area of automotive cyber security. “However, the very technology that is opening up new efficiency opportunities also brings with it potential cyber risks for the vehicle.”
Tech magazine “Wired” demonstrated how real the risk of cyber-attacks on mobility solutions is in an experiment that received much attention: hackers attacked a Jeep Cherokee and not only gained control of the windscreen wipers and the sound system, but also brought the vehicle to a standstill on a main road by switching off the motor through remote access.
They even managed to deactivate the brakes and steered the vehicle into a cordoned-off car park – rather than a ditch, given that they were white hat hackers. This alone should be cause for concern – but in future, highly automated, networked vehicles won’t just be in operation on the roads. What would have happened if this had been a malicious attack and had involved an air taxi or an autonomous ship?
Cyber-attacks on cars are increasing dramatically
In 2021, analysts from Upstream, a provider of a cloud-based cyber security and data management platform for networked vehicles, found that there has been a dramatic increase in cyber-attacks on cars in which hackers used a combination of the latest technology and sophisticated methods.
“50 percent of vehicle thefts in the United Kingdom in 2021 involved attacks on keyless access systems, and 82 percent of global attacks were carried out remotely without physical access to the vehicle being required,” says Yonatan Appel, founding member and CTO of Upstream.
Standards for greater security
The rise in cyber-attacks on vehicles has prompted the UNECE to introduce regulations for vehicle makers and suppliers by way of the WP.29 framework. The aim of these regulations is to increase cyber security in the automotive sector. WP.29 came into force in 2022. From 2024, cars will need a certified cyber security management system in order to be approved in the EU. ISO/SAE 21434 “Road Vehicles – Cyber Security Engineering” is another standard that has been introduced. It is process-oriented and focuses on the security of a vehicle’s electrical systems, in particular the electronic systems, throughout the entire life-cycle of the vehicle.
Security from the outset
“In order to be successful with our mission to transform the automotive industry through digitalisation, we have to approach the issue of security from the outset through to the very end,” says Markus Brändle, Head of the Information and Automotive Security department at Cariad, the automotive software company in the Volkswagen Group.
This kind of “security by design” approach starts with the procurement of the hardware components, continues through the software design stage and affects all of the communication processes. Generally recognised coding standards, code analysis tools and code reviews all contribute to the reduction of risks. In a seamless security-by-design process, vehicle makers therefore have to implement coding technology and integrity checks between the digital on-board systems and the backend infrastructure as early as the product development stage, so that transmitted data cannot be manipulated. However, given that hackers are always finding new weak spots, the systems will only remain secure if they are continually updated with security patches.
The software of a car will comprise 650 million lines of code in 2025. For comparison: a Boeing 787 has only 7 million lines of code.
Source: com-magazin
Secure data exchange
When using V2X communication and over-the-air updates, the security infrastructure used by the two parties exchanging information must be able to effectively secure the information and verify that it is authentic. This involves the use of digital signatures, which protect the data against manipulation and unauthorised access, and the use of certificates, which prove that the respective sender is trustworthy.
V2X data exchange has to be secured on two levels: first, within the embedded systems themselves, in the vehicle control devices and in the electronic control systems of traffic infrastructure; and second, by a backend system that effectively and securely manages the certificates required for secure V2X communication.
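The two levels described above, as an added example that is not part of the original article: a backend CA issues a certificate for a sender's key, and the receiving control unit checks the issuer, the expiry and the message signature before trusting the payload. The `Cert` layout, the function names, the `rsu-0001` identity and the sample payloads are assumptions made for illustration, and Ed25519 is chosen here only for brevity.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"time"
)

// Cert is a simplified, hypothetical certificate (not X.509 or IEEE 1609.2).
type Cert struct {
	Subject  string
	PubKey   ed25519.PublicKey
	NotAfter time.Time
	CASig    []byte // backend CA signature over tbs(): identity, key and expiry
}
func (c Cert) tbs() []byte { return []byte(fmt.Sprintf("%s|%x|%d", c.Subject, c.PubKey, c.NotAfter.Unix())) }

// Issue is the backend side: bind a sender key to an identity.
func Issue(ca ed25519.PrivateKey, subj string, pub ed25519.PublicKey, exp time.Time) Cert {
	c := Cert{Subject: subj, PubKey: pub, NotAfter: exp}
	c.CASig = ed25519.Sign(ca, c.tbs())
	return c
}

// Verify is the receiver side: check issuer, expiry, then the message signature.
func Verify(caPub ed25519.PublicKey, c Cert, msg, sig []byte, now time.Time) error {
	switch {
	case !ed25519.Verify(caPub, c.tbs(), c.CASig):
		return fmt.Errorf("certificate not issued by trusted CA")
	case now.After(c.NotAfter):
		return fmt.Errorf("certificate expired")
	case !ed25519.Verify(c.PubKey, msg, sig):
		return fmt.Errorf("message signature invalid")
	}
	return nil
}

// Demo covers three cases: a valid message, a tampered payload, a rogue issuer.
func Demo() (valid, tampered, rogue error) {
	caPub, caKey, _ := ed25519.GenerateKey(nil)
	_, rogueKey, _ := ed25519.GenerateKey(nil)
	pub, key, _ := ed25519.GenerateKey(nil)
	now, msg := time.Now(), []byte("speed_limit=50") // constructed sample payload
	sig, exp := ed25519.Sign(key, msg), now.Add(time.Hour)
	valid = Verify(caPub, Issue(caKey, "rsu-0001", pub, exp), msg, sig, now)
	tampered = Verify(caPub, Issue(caKey, "rsu-0001", pub, exp), []byte("speed_limit=150"), sig, now)
	rogue = Verify(caPub, Issue(rogueKey, "rsu-0001", pub, exp), msg, sig, now)
	return
}
func main() { fmt.Println(Demo()) }
```

A production verifier would use a standardised certificate encoding and also check revocation, both of which this sketch omits.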
“In view of the current revolution in automotive connectivity and the exponential increase in the number of networked vehicles on the road, it is essential for the automotive industry to understand, predict and fight the increasing threats to cyber security,” says Yoav Levy, CEO and founding member of Upstream.