Originally published in PenTest Magazine
These days, the average new car has more than 100 million lines of software code-that’s 15 times the amount of software needed to fly an airplane. Complicating matters, automakers are sourcing code from different suppliers and may not be familiar with all the code used in their lineups.
While consumers love the convenience of modern cars, they introduce complexity and increase the attack surface, creating opportunities for malicious hackers not only in the vehicle itself, but along the entire value chain. According to various studies, automakers could lose approximately $1.1 billion from a single attack. This estimate seems outrageous, until you consider Fiat Chrysler Automotive’s recall of 1.4 million vehicles after the infamous 2015 Jeep hack. Collectively, the automotive industry is estimated to lose up to $24 billion before 2023.
A recent cybersecurity report identified 29 potential attack vectors among the millions of endpoints in a connected car’s ecosystem. Attacks involving the remote hijacking of vehicle controls are considered somewhat low risk because they require expert skills. However, five high-risk attacks-including electronically jamming safety systems and launching DDoS attacks-were found to require “limited understanding of the inner workings of a connected car and can be pulled off by a low-skilled attacker.”
Automotive players face countless threats to their Information Technology (IT) and Operational Technology (OT) environments, which have been exacerbated by the abrupt shift to remote work and ongoing challenges related to the pandemic.
Image Source: Pia Capra & Hien Nguyen, Boaz Allen Hamilton
Budget constraints and the cybersecurity talent shortage have made keeping up with the threat landscape difficult. The availability of post-exploitation frameworks and as-a-service models have created what Magna International Global Information Security Officer Peter Elliot calls a “reduced barrier to entry” for attackers. Recognizing the difficulty of successfully attacking organizations on their own, they’re establishing new, intricate relationships to help disguise their identities. As a result, we’ve seen a dramatic increase in the volume and frequency of attacks against the automotive industry, including denial of service, ransomware and IP theft.
And, while automotive organizations are looking to protect networks and systems, they’re also working aggressively to secure the vehicles themselves and mitigate safety risks.
The recent SolarWinds and Kaseya attacks highlighted the need to prioritize supply chain risks. The automotive industry’s extensive and complex supply chain includes the frequent integration of third-party software, components, applications, and communications protocols that present a variety of cybersecurity weaknesses. Additionally, the ongoing chip shortage has demonstrated just how vulnerable the industry is to disruption.
Contracts between automakers and their suppliers have seen significant shifts over the past year. In addition to traditional terms and conditions, automakers increasingly require partners to comply with a growing list of demands, along with emerging cybersecurity regulations and standards, including UNECE WP.29, TISAX, TPISR and ISO/SAE 21434. Firms must show evidence of the cybersecurity frameworks they’ve implemented, adherence to policies, the efficacy of their controls, and proof of successful audits to do business with a growing number of OEMs.
Image Source: Automotive Cybersecurity Network (ACSN)
Meanwhile, the electrification of vehicle propulsion systems and associated charging infrastructure are increasing opportunities for exploitation. The nexus of EVs, EV charging stations, and power grids creates complex cyber-physical interdependencies that can be exploited.
Like any connected device, EV chargers face a variety of cyber threats. Attackers can target EV charging system hardware and software, apps for locating and paying for charging station services, and wireless communication links. Charging stations can be a conduit for DDoS attacks, ransomware, and data theft. Several vulnerabilities have already been identified in commercially available Extreme Fast Charging (XFC) systems that-if compromised-could inflict severe damage to power delivery systems and even threaten the power grid itself.
Likewise, if safety systems that ensure EVs are operating within safe parameters are disabled, the risk of catastrophic failure increases significantly. Documented cases of EV battery fires are a case in point. Earlier this year, an EV started a fire at a home in Virginia that displaced a family and caused about $235,000 in damage. Firefighters spent an hour trying to douse the flames only to have the fire start back up an hour later, then reignite for a third time after being towed to a dealership.
Vehicles with increasing levels of autonomy are also hitting the roads. With advanced sensors, these vehicles interact with their environment in real-time. By combining lane-keeping assistance, traffic detection, traffic signal and crash avoidance capabilities, they seem to promise a future of enhanced safety and convenience. However, their use of artificial intelligence (Al) presents security risks. Adversarial machine learning techniques such as evasion or poisoning attacks could endanger lives. Additionally, AVs are vulnerable to cybersecurity challenges affecting physical sensors, controls, and their connection mechanisms.
According to a recent report from the EU Agency for Cybersecurity (ENISA) and Joint Research Centre (JRC), the most notable cybersecurity challenges associated with physical components include:
Sensor jamming, blinding, spoofing, or saturation: Attackers could blind or jam sensors to gain access to the vehicles. This allows malicious actors to feed AVs with artificial intelligence models with inaccurate or incomplete data to undermine model training.
Given the hurdles involved in overcoming these issues, it’s clear that many challenges remain before the industry can safely achieve fully autonomous (level 5) capabilities.
While the automotive attack surface is immense and difficult to comprehensively secure, the industry will continue to evolve toward a future of fully autonomous, electrified vehicles.
Organizations like Automotive Security Research Group (ASRG) and Auto-Information Sharing Action Center (ISAC) are taking steps to bring interested parties together, share information and best practices, and work collaboratively to address threats to automotive players and passenger safety.
OEMs and suppliers are increasingly investing in tools, technologies, and training designed to address evolving cybersecurity risks. Secure-by-design software coding techniques are being utilized and validated by advanced testing services that include penetration testing. Automotive firms are also expanding their use of Zero Trust, layered defenses, and security operations technologies such as security information and event management (SIEM) and security orchestration, automation, and response (SOAR).
At the Automotive Cybersecurity Network (ACSN), we encourage organizations not to lose sight of the basics. This includes maintaining a comprehensive inventory of software assets, ensuring strong patch management practices, implementing MFA wherever possible, and continuously monitoring systems for indicators of compromise (IOCs). We also recommend ongoing security awareness training, constant static/dynamic testing of core technologies and interfaces, and an incident response plan with executive buy-in and support, which is regularly rehearsed and includes a cyber-insurance component.
Automotive technology is transforming rapidly, and the potential mobility benefits are profound. The promise of high-performance, clean-energy, electrified vehicles is exciting. The vision of a world nearly devoid of traffic accidents and fatalities is incredible. But an acceptable level of safety and trust in connected vehicles can’t be realized without cybersecurity, and the question remains: with challenges ranging from bloated software to supply chain vulnerabilities to rapidly evolving threats, will the industry find ways to balance security with functionality while remaining profitable?
Kurt is also co-founder and Managing Director of the Automotive Cyber Security Network (ACSN), a forum for automotive industry professionals to connect, exchange knowledge and engage in a community focused on securing the automotive sector. Kurt has more than 25 years of management experience, including 13 years leading global teams in the automotive industry.