- Security TWENTY
- Women in Security Awards
It seems that almost every part of both business and society has become connected and the last few years have shown that the automotive industry is no exception, writes Matt Marks, Sales Manager Europe at data security company Certes Networks.
In fact, research suggests that by 2023, there will be as many as 775 million connected cars on the road. The FBI has been warning of cyber attacks in the automotive industry since 2018 and the introduction of internet-connected vehicles and even self-driving cars means the threat is continuously growing. In fact, one report estimates that cyber attacks on the automotive industry could cost $24billion to connected car manufacturers in the next five years alone.
In its report, the FBI wrote that “the vast amount of data collected by Internet-connected vehicles and autonomous vehicles [has] become a highly valued target for nation-state and financially motivated actors.” From legacy systems that can’t be patched, to the quick escalation of vehicle connectivity and software as the demand increases for integration with personal devices and remote access, the automotive manufacturing industry has many potential vulnerabilities and issues to address.
The types of cyber threat on the automotive industry are many and varied, with cyber attackers stepping up their activities to include ransomware, phishing attacks and corporate espionage, creating huge potential to wreak havoc. In 2017 for example, Honda Motor Company suffered a major WannaCry ransomware attack in its plant computer network, forcing it to temporarily pause production in the plant that usually has a daily output of 1,000 vehicles. In 2020, the company was the victim of another cyber attack, which affected its ability to access its computer servers, use email and make use of its internal systems. Production around the globe was halted, with the virus quickly spreading throughout its network.
Now that hackers no longer need physical access to a vehicle to carry out an attack, the number of threat vectors has increased; vehicles in motion are a prime example as hackers can target the embedded connectivity modules. This was highlighted as far back as 2015, with the well-known Jeep white hat attack.
But it’s not just the manufacturing sites and the cars themselves that are at risk; the attack surface is far wider. Autonomous cars bring many more unprotected access points, with access gained to internet-connected cars actually opening back-door access to enterprise computer networks of major companies (as demonstrated through the recent Honda cyber attack).
Additionally, as well as looking to access the data held within an enterprise’s computer network, there is also the possibility that terrorist hacker groups will use the opportunity to exploit autonomous cars as a stepping stone for a disruptive attack on a nationwide transportation system or grid, such as by interfering with or hacking charging stations to gain access to power companies. Furthermore, by remotely stalling even just 20pc of vehicles on a grid system in a major city, gridlock traffic could be caused, therefore preventing emergency services from accessing a potential incident. This was demonstrated in a study by the Georgia Institute of Technology and Multiscale Systems, where in simulations of hacking internet-connected cars, the researchers froze traffic in Manhattan nearly solid.
There is clearly a lot at stake – hacking connected vehicles is actually just a single part of the threats that face the automotive industry.
A data-centric approach
The threats might seem daunting, but the automotive industry has the same technology as other industries at its fingertips that can keep out malicious actors. Other industries, such as financial services or utilities, have been facing these threats for some time; and the most secure organisations will be those that have recognised that attempting to secure the infrastructure is not the same as protecting the data that traverses the network.
When a data-centric approach is the priority it will ensure that the vast amount of data currently collected and utilised by the automotive industry is kept secure, regardless of the technology and network infrastructure that is in place. One way to achieve this is through crypto-segmentation which enables organisations to create fine-grained policies, whereby keys are automatically rotated in short intervals in order to keep data secure and safe from potential cyber attacks. It is this type of security strategy that ensures data is kept secure, wherever it may be in the network.
It is the data that presents the biggest opportunity for hackers, therefore by ensuring strategies are in place, like crypto-segmentation, risk can be eliminating by enabling policy and enforcing that policy at a highly granular level.
Recognising severity of threat
The FBI has made a clear warning, and the sheer volume of data collected both from automotive companies and the vehicles themselves, is growing day by day and demonstrates that this threat is serious. The risk is not just to automobiles, or even a single organisation, but to the entire automotive industry and national transportation networks.
Cyber attacks have already taken place in this industry and with a data-first security approach that secures network data versus the network infrastructure, organisations can eliminate risk and a strong security posture can be established.