Automotive cybersecurity tactics and protocols will have to adapt not just to changing threats, but also to changing models of how we utilize vehicles.
Automotive cybersecurity – and especially the cybersecurity of autonomous vehicles – has been a major source of discussion in the cybersec community ever since 2015’s infamous hack of a moving Jeep.
Though autonomous vehicles have been around for a while, the threat landscape they face has changed significantly in recent years. The focus used to be on securing these vehicles against vulnerabilities introduced during design or manufacturing stages. Now, as cybersecurity threats have become more sophisticated and adaptive, there is a growing consensus that automotive security needs to take the same step: away from a retroactive focus on eliminating security holes and towards real-time vulnerability scanning systems.
In this article, we’ll look at the changing threat landscape in the automotive sector and explain why the sector needs to make the transition to real-time threat detection.
The Changing Threat Landscape
Technology has revolutionized almost all aspects of the automotive industry, improving efficiency and profitability at every stage from production to sales. However, each novel use of technology also gives rise to new cybersecurity challenges. For this reason, it’s important for automotive manufacturers to take a holistic approach to the cybersecurity of their vehicles.
There are, essentially, three levels of cybersecurity threat for automotive companies. The first is shared with almost every other organization: corporate systems. These systems likely hold valuable IP and personally sensitive information, but also contain details of the cybersecurity measures taken.
The second attack vector occurs at production plants. While today’s highly automated production systems have made automotive manufacturing safer and more efficient than ever, they are also vulnerable. An insufficiently secure manufacturing process can potentially have a consequential effect on the security of the cars it produces.
Then there is the security of the autonomous vehicles themselves. This is often the most high-profile element of contemporary automotive cybersecurity because it is the most apparent to consumers. However, in reality, autonomous cars may be compromised just as easily via a “traditional” corporate hack on the manufacturer as a real-time intrusion attempt.
Responding to this range of threats has been difficult, due in part to some unique features of the automotive industry.
The first is the increasing complexity of contemporary vehicles. The number of potential points of attack is already high enough to make totalizing defensive strategies unworkable, and this will only get worse in years to come. One reason is the number of vehicle nodes (ECUs) keeps increasing to support the demand for additional functionalities. Today, an average vehicle may contain around 30 units, and complex vehicles can comprise up to 100 units.
Secondly, most modern vehicles contain systems built by multiple stakeholders, each to their own standard. This makes it difficult to integrate all potential attack surfaces into a single, static cybersecurity defense platform. There are signs this is changing, not least due to IBM’s dedicated automotive security testing service, but recent successful cyber attacks on cars leveraged the vulnerability that can result from interconnections between components.
Third, even where OEMs have put in place sophisticated cybersecurity systems, their suppliers might let them down. Indeed, it seems that the concerns about the security of contemporary vehicles has not yet reached the suppliers who build parts for them: in recent research by McKinsey, only 10 percent of automotive suppliers say cybersecurity ranks high on top management’s agenda, compared to 35 percent of OEMs. Around 45 percent consider external partners’ security (i.e., sub-suppliers) as being important to very important, compared to more than 60 percent of automakers.
Real-Time, Edge AI
Meeting these challenges requires a shift in the mindset and practices of the automotive industry. One major overhaul is long overdue – the deployment of real-time, edge-focused AI security systems on autonomous vehicles.
Until now, implementing cybersecurity systems on autonomous vehicles has largely been a one-time event. Systems are designed to prevent unwanted intrusion, placed on vehicles at the time of manufacture, and then forgotten. Given the highly dynamic threat landscape that these vehicles now face, this is simply inadequate.
It also lags far behind the cybersecurity systems employed in other sectors of the economy. Even small operations likely will take advantage of inexpensive VPN software that allows for real-time data encryption, and larger firms with more impressive budgets might opt for AI-driven intrusion detection systems. But up until now, these same tools have been missing from autonomous vehicles.
There are signs that this is changing, however. As smart car computational capabilities increase, several firms have developed real-time systems to protect against cyberattacks. The best of these provide highly configurable deterministic and rule-based firewalls that incorporate machine and deep learning technology and that control access and authentication across all of a vehicles’ linked systems.
The promise of these real-time systems is that autonomous vehicles may be able to protect themselves against novel threats, or even assess their own vulnerability to them. Systems that provide predictive maintenance for smart cars are already on the market. There is (theoretically) no reason why these might not be extended to the digital components of these same cars.
Of course, it is also worth recognizing that the automotive industry is changing rapidly. Cybersecurity protocols will have to adapt not just to changing threats, but also to changing models of how we utilize vehicles. As we’ve previously reported, AI and blockchain have a significant role to play in the future of the industry, and might also provide extra security for autonomous vehicles.
For now, though, let’s get the foundation right, and give smart cars the same level of protection as the average small business.