28th March - Valencia.
Can new measures, management and new skills help to address the balance between innovation and risks of attack?
As with many industries, the automotive sector is becoming increasingly dependent on computer technologies to provide the performance and differentiating features expected of its products. The growth of connectivity and devices which can be updated in-situ makes in the security of such technologies (cybersecurity) crucial. The risk presented by cyberattack will depend on the potential outcome.
With the accelerated penetration of mobility and IoT, there is an increase in the number of automotive hackings i.e., gaining unauthorised access to a vehicle’s computer systems. Automotive vehicles use Bluetooth and Wi-Fi technologies to communicate, which makes them more prone to cyber-attacks.
In a recent article in US Cybersecurity Magazine, it is stated, "...over 40% of automotive cybersecurity issues are related to back-end application servers.”
According to Deloitte, Cybersecurity threats demand attention since they pose new risks to safety, security, and privacy. A significant challenge associated with these cyber threats is to balance the functionality that is improving and transforming performance and user acceptance with the associated risks.
Manufacturers must take steps to improve automotive cybersecurity moving forward.
The need for Cybersecurity
Currently, a standard car consists of more than 100 million lines of code, and it is predicted that by 2030, there will be 300 million lines of code. The loophole in even one of the components within a vehicle could enable hackers to steal data or perhaps intervene in the function.
But it is not just the connected car, one of the major risks is the infrastructure around the cars because the more you have a big infrastructure to connect the cars, the ‘attack surface’ is growing. It’s not just the number of cars which are connected, through sensors, IoT etc, it’s number of services. Many cars and vehicles can connect to smartphones via Vehicle-to-Everything (V2X). By attacking a single vehicle, hackers can gain access to other potential targets like cell phones. They can then potentially attack other vehicles too.
The risk for Electric Vehicles’ is even higher because the infrastructure is much bigger because of the charging facilities.
Autonomous vehicles represent a particular challenge for cybersecurity experts. The issue with these technologies is that they rely on artificial intelligence (AI) and machine learning (ML) to function. AI and ML are both particularly vulnerable to evasion attacks and sensory manipulation.
AI relies on external inputs to understand its environment. When hackers attack an autonomous vehicle, they can hijack its sensors – either making the vehicle stop in its tracks or taking total control. By taking control of these vehicles, bad actors and cybercriminals can do extreme damage. Securing AI technologies and ML is essential to protecting the future of highly autonomous vehicles.
One of the main targets for any hacker would be the infrastructure to get the data, because it’s very sensitive data which attackers want to monetise.
Embedded Systems in Automotive
Embedded systems aid in the delivery of a wide range of operational technology particularly in connected cars, from adaptive cruise control, airbag, telematics and traction control to in-vehicle entertainment systems, collision sensors, climate control, radio and anti-lock braking systems etc.
Focus is still being placed on physically securing devices, but not enough work is put into defending against software-related assaults. Even the most basic and easily avoidable application security risks and vulnerabilities are still prevalent in modern embedded devices.
As a result, Embedded systems and other types of specialised software can be particularly vulnerable to brute force attacks if they do not have a password “cool down” to prevent repeated accesses from occurring.
Embedded Cybersecurity
Embedded cybersecurity is the name given to a set of cybersecurity measures to safeguard the embedded systems from all kinds of malicious activities including hacks and breaches. It ensures that the embedded systems have proper mechanisms in place to mitigate the potential cyber-attacks. However, to ensure security there is a need to know where the risks exist. There are many challenges to successfully eradicating the risks.
The biggest challenges of Embedded Cybersecurity
1. Lack of Standardisation
Standardisation helps any technology maintain regularity throughout all its functionalities. There are no set standards for cybersecurity measures in embedded systems. Although there are a few emerging players in the auto and other rising industries working upon the solution for this.
The National Highway Traffic Safety Administration (NHTSA) in US is now encouraging entities to document how they incorporated vehicle cybersecurity considerations into Automated Driving Systems, including all actions, changes, design choices, analyses, and associated testing, and ensure that data is traceable within a robust document version control environment. Industry sharing of information on vehicle cybersecurity facilitates collaborative learning and helps prevent industry members from experiencing the same cyber vulnerabilities.
Standards and guidelines are now being developed to assist these stakeholders in playing their part to secure connected vehicles. It is addressing cybersecurity practices suppliers and original equipment manufacturers can put in place both at a programmatic level (e.g., risk assessment, security testing, vulnerability reporting/disclosure) and at a product/vehicle level (e.g., cybersecurity design controls).
2. Use of Third-Party Components
Most of the embedded system devices require either third-party software or hardware to function. This leads to security gaps due to not having thorough tests on the assembly for flaws and vulnerabilities. This can lead to threats associated with the Firmware including:
3. A Direct Internet Access
The embedded system devices are usually connected directly to the internet. Most of them do not get the secure covering of the enterprise firewall. This makes these systems exposed to undetected network attacks.
4. Being Out of Date
The threats online are continuously upgrading. But the embedded systems are slightly behind in terms of constant up-gradation. This makes them susceptible to a lot of bugs and hackers can easily exploit their vulnerabilities.
5. Lack of skilled engineers
One of the biggest challenges is that most developers out there are unaware of how to develop secure embedded systems. The lack of standardisation that we mentioned in the first point, is the main reason for this. Also, the complications of embedded applications contribute. The automotive sector therefore requires highly knowledgeable embedded engineers with the right skills to put the correct measures in place. But where to find them?
The global universe for expertise to manage embedded cybersecurity is small so it requires specialists who can find this type of embedded engineer. Specialists like CIS who have experience of placing the highly skilled embedded engineers at the right place and time to ensure complete security to new and evolving innovations in connectivity and mobility for the automotive and other sectors. Make sure your Embedded Cybersecurity needs are covered contact CIS on 0034 963 943 500 or info@cis-ee.com.