Automotive Cybersecurity – NOT for tomorrow; we need to ACT NOW

In 2015, Jeep Cherokee was remotely hacked by two security researchers that created a storm on cyber threat to the vehicles. This triggered a series of events leading to the establishment of ground rules for higher cybersecurity in Automobiles. Since then cybersecurity has gained enough impetus and is now on the critical radar for most concerned stakeholders. Automotive eco-system is going through a major transformation, which we now address as CASE (Connected, Autonomous, Shared Services & Electrification). All these changes are contributing to increasing cyber-attack surfaces in a vehicle. A California based consumer-advocacy group is putting it in starker terms, warning a mass cyberattack against such vehicles could lead to huge casualties. It is projected that by 2024 there could be a $24 billion loss due to cyber-attacks on automotive. 

This is a wake-up call for the industry.

In this automotive transformation era, we see that the vehicles & supply chains are getting more software-centric & technology driven. A modern vehicle comes with 100 million lines of code that is only going to increase with new technology advancements. The threat to the vehicle eco-system is not limited to a vehicle, entire ecosystem is getting connected. New internet-driven business models are emerging like Ride Share, vehicle ownership is moving towards the leasing model. As the vehicle is being shared, stronger cybersecurity is extremely important. Upcoming Autonomous vehicles plan to use Cloud as an additional computing layer.  We’re advancing towards Electric Vehicles & connected infrastructure like e-Tolls. This entire transformation relies completely on connectivity. 

Along with Connectivity, vehicle control is also moving to the machine. The Intelligence is moving from Human to Vehicle, where Autonomous or Connected Vehicles can make human decisions. A vehicle is like multiple computers on wheel where different segments are getting connected that includes – Healthcare services, a growing In-vehicle Marketplace, and connected home appliances via IoT. 

Projections show that by the year 2022, 100% of vehicles manufactured will be connected. 

Connectivity is of different kind, a connected vehicle that communicates with external services through different network interfaces as well as within vehicle components & sensors, an Autonomous vehicle that interacts with the environment around them to gather intelligence & electric vehicle that communicate with external interfaces like Charging Station. We are moving towards an era, where everything will be inter-connected. 

Great for society BUT A Cyber Criminal’s delight –it opens so many entry points to enter a vehicle.

So what are these threats?

These threats are very real and very dangerous, as you might be completely unaware of an enemy who is keeping an eye on your every move, waiting for an opportunity to attack. Even if a vehicle does not have Connectivity by default, it is still vulnerable as any cybercriminal in the form of a malicious insider or service technician can enable Connectivity in your vehicle. An attack can be as simple as Vehicle Theft or Ransomware attack to as serious as taking a remote control of the vehicle that can result into human life. Of course, not so much focused on an individual vehicle, but when we talk about shared mobility as well as Over-the-Air (OTA) Update, a mass attack is very much possible. It can directly be related to national security, which is a much bigger concern.

Cyber Threat can impact $1.5 trillion of automotive industry. 

Alarmed? Well, all these are very compelling reasons for us to critically look into the security aspects. Automotive sector in India considered as the backbone of the Indian manufacturing industry that is contributing to 7.5% of GDP. Transportation is a critical infrastructure for any Country. If a major cyber-attack takes place, it can cripple not only the economy but also make it difficult to contain as we do not have an optimized security protocol in place for immediate response. Due to infrastructure setup, in India, we may face a higher threat to human loss. It is critical to safeguard this industry and community from any mass attack.

I will elaborate more of these threats from the perspective of four important mass-attack segments as well as their damage potential.

Mass attack use-cases

1. Connected Vehicle Subsystem: Connectivity puts the vehicles at risk to get attacked remotely – there are multiple connected interfaces available in a vehicle, like Cellular, Wi-Fi, Bluetooth, GPS, RF, voice-command-based systems, etc. These can give an entry point to the cybercriminals to take control of the vehicle while being away at a remote location. Vehicle architecture is such, if cybercriminals can get into the vehicle, they can take complete control of the vehicle. Almost all controls are driven by software communication. A threat can also present itself when cybercriminals implant malware within the vehicle component and put it in dormant state and which can be triggered at any time. 

Over-the-Air (OTA) updates can make it a mass threat. After implanting malware, a cybercriminal can trigger the attack on a fleet of vehicles with just a single SMS. That is why, while OTA is very critical for operational efficiency, an equally competent Security measure is required for its success, else it can become a serious issue to CISOs & CEOs. 

A vehicle is full of electronics, and Hardware Backdoor Entry is another threat that can trigger a mass attack.

2. Two-wheelers & Ride Share: While all the ‘connectivity related’ attacks apply to two-wheelers as well, a big threat to the millions of bikes on the road is via vehicle Electronics. A cybercriminal can hack and convert a regular bike into a remotely controlled one, within minutes. A cybercriminal can get these 10 min anytime when your bike is parked outside. The scary part is that the attack can be as dangerous that could result in a human life.

Considering this threat, the Rideshare bikes are at a high risk as it can be easily accessed by criminal groups and leave them triggered like a mobile bomb. Rideshare companies need to give serious thought to embedding layered security within their system.

High the number, Higher the risk– In India, there are almost 34 million vehicles on road, and nearly 22 million vehicles are manufactured every year. Most of these are extremely vulnerable.

3. Mobility: Mobility is primarily driven by the data, generated/captured by the vehicle. Imagine if the data that comes to your Mobility platform is malicious, and the kind of chaos it can create. 

Here I would like to take an example of AIS 140 regulation, which was a great step to being able to provide immediate assistance in case a passenger is in a distressing situation. However, consider that a cybercriminal uses a GPS jammer/spoofer on the vehicle, which costs even less than INR 1000. In such a scenario, the backend system will not have a correct vehicle location. In case of a panic message, all the control agencies may go to a different location, thereby completely fooling the Vehicle Tracking & Geo-fencing system.

Manufacturers use a lot of vehicle data for their research and development of future vehicles. Insurance companies to access driving behavior for insurance products. These can all go haywire, in case of untrusted or malicious data being sent and result in huge monetary losses.

4. Lastly, Electric Vehicles & Charging Infra: EVs are being promoted in a big way as an initiative towards clean energy. Secure charging infrastructure is a MUST for a successful EV policy. It is possible to attack unsecured EVs through vehicle sensors or charging stations. Cybercriminals can bypass the BMS to initiate Overcharging or Overheating which would cause the vehicle to catch fire. Charging stealing can be a monetary loss to the individuals or the business.

This could result in Big Business Loss as well as Brand Image

Jeep Cherokee attack costed the company more than 600 million USD, to recall 1.4 million vehicles and fix the issue. Not to mention, how much brand image loss this could have caused. With connected system and subscription based services, Cybercriminals can hack a backend server to impact vehicle warranty & registration violations. In a recent survey taken by Total Dealer Compliance, 84% of consumers said they would not buy a car from a dealership after a data breach. Another global survey finds that 85% of consumers have big concern on cyber attacks in the connected cars.

Vehicle Cyber Threat has become a CEO issue. 

So what is the Right Protection Strategy for Automotive Eco-system?

Cyber Security CAN NOT be an afterthought, it must be part of every phase of the system development cycle including hardware requirement and design, system requirements, software design, validation, testing, etc. True protection means end-to-end protection along with an effective strategy to identify and minimize the risk in case of an attack, faster response time as well as information sharing with others to safeguard from similar attacks to minimize the loss.

A vehicle must have multi-layers of protection:

• Protection from attacks through external interfaces (e.g. Remote Attacks, OBD II, UBI dongles, etc.) 
• Host Security for any runtime attacks on the system (e.g. Buffer overflow attack)
• Protection from In-Vehicle Network Attacks (e.g. Detection & Prevention from the single malicious message, sensor-based attacks, etc.)

High Need for Automotive Cybersecurity Regulations in India

Regulations are essential for smooth functioning of any system. They strengthen the market, protect the rights and the safety of the citizen. Considering the danger posed by Cyber threats to Automotive, every major country has put a regulation or define a standard. 

UNECE (United Nations body) has passed a regulation WP.29 to ensure the security of connected vehicles. 56 countries are a signee to this decree. 

There are many more:

• UK: “Principles of Vehicle Cyber Security for Connected and Automated Vehicles” mandates the use of cybersecurity for connected vehicles and autonomous vehicles.
• European GDPR stipulates protection of privacy and personal data including location, identity, etc. for which automobile cybersecurity is a necessity.
• ACEA’s framework makes cybersecurity a necessity for all member OEMs (which includes 16 of the world’s largest automobile manufacturers). 
• USA: The onus of security of connected vehicles, autonomous vehicles, and mobility providers is on OEMs and component manufacturers according to the regulations such as – US Senate Bipartisan Principles for Automotive Cybersecurity.

India must have a regulation on automotive cybersecurity. We should agree to WP.29. The 2019 amendment to the Motor Vehicle Act empowers the government to enforce a recall of all vehicles which endanger the driver or other road users. Failure to comply can result in a penalty of up to INR 100 Cr or imprisonment up to 1 year, or both. It is not clear if this can cover cybersecurity, if not, India Motor Vehicle Act must include this for the rights and safety of the citizen.

General Liability policies do not cover cyber risks.

Cyber Insurance is another big topic. Cyber Insurance policies currently available are highly customized for clients in a new and quickly growing market. The Insurance Regulatory and Development Authority of India has set up a panel to explore possibility of a basic standard product structure to provide insurance cover for individuals and establishments to manage their cyber risks.

A Reality Check

We have to accept that there are many vulnerabilities exist in the automotive segment. Today the automotive industry is highly driven by software and connectivity and as we naturally keep pace with the evolving technologies, these vulnerabilities are going to grow. A deeper understanding of the attack chain and the right protection mechanism is the only key to solve the problem at hand. 

While thinking about adversaries, we must consider all channels, whether it is physical access, remote attacks to the vehicle, malicious insider, rogue service technician, or others. This way of thinking will help in building the right threat model and the right protection strategy. We also need to acknowledge that an attack on one vehicle is not constrained to that particular make or brand but it can be applied across all brands, as the same supplier might be providing the devices to multiple manufacturers. Vehicles and attacks on IT systems are different. You can shut down the machines/servers but you cannot control stopping all the vehicles.

The reality is that we live in an era of cyber-crime. Automotive cyber threat is a serious issue that we cannot take lightly and must address ASAP. We must think about our 1.3 billion fellow countrymen, and how every day, every individual comes closer to such cyber risks. It is required for the safety of them, for their monetary loss. We cannot afford to be reactive, as it can be catastrophic. We MUST ACT NOW.

Author:

Vishal Bajpai, Co-founder and CEO of SecureThings, is a visionary leader, motivator, technology expert and product strategist for the emerging markets. His mission is to create awareness and safeguard society from cyber threats, especially in the automotive eco-system. Vishal is passionate about autonomous & connected vehicles cyber security in emerging markets, evangelizing and building innovative solutions to solve real problems for customers.

Published in Telematics Wire