What will protect our software-enabled cars?
From advanced navigation systems to entertainment, new cars come with an array of computer processors, sensors, and software. No longer closed systems, connected vehicles must recognize and build a robust cyber security infrastructure.
Today some cars have more than 300 million lines of code, and collect terabytes of vehicular data every year. With the advent of 5G, we are at the very beginning of a data revolution in cars. In the automotive market, connectivity is emerging as a major competitive differentiation. With V2X, OTAs, IoT, Mobility-as-a-Service, and ride-sharing bringing OEMs, telecom, and IT service providers together — future vehicles are going to be bundled with ever increasing computational capabilities.
Connectivity brings with it new risks. Similar to any other conventional software-based device, cars are now vulnerable to exploitation, especially when considering the large number of cars shipped globally. Attacks might come from physical access to a vehicle, or even via Wi-Fi or Bluetooth. But cellular connectivity means an attacker could potentially access a vehicle from anywhere in the world.
With new and stringent standards being designed to embed cyber security throughout the automotive supply chain, carmakers will have to transform their vision from that of a pure hardware manufacturer to an agile software company. And protect drivers from the dangers of manipulation and hacking.
Why secure the entire automotive ecosystem
Vehicles contain many interconnected components with hundreds of Electronic Control Units or ECUs, often developed by multiple suppliers, which make them a hotbed for cyber-attacks. The vehicle comprising of these assorted electrical parts when ideally connected through an internal network is well accessible to hackers. A hacker might take control of safety-critical parts like engines or brakes by gaining access to a tangential electronic management unit. Vehicle’s infotainment system, Tire Pressure Monitoring Systems or TPMS, remote keys, GPS, USB, lighting system, OBD-II, and Advanced Driver Assistance Systems or ADAS, can all potentially serve as entry points.
Most of the attacks for decades were conducted by what is known as white hat hackers, who are researchers busy trying to find every vulnerability, with few malicious, real-world attacks. But in the past five years, black hat or real hackers have emerged.
The automotive industry has experienced a 94% year-over-year growth in hacks since 2016 as reported by CNET.
Over 200 in-vehicle or offboard incidents in 2020, with 57% coming from black hat hackers as reported by Forbes.
And 76% of automotive companies have admitted to having a cybersecurity event according to KPMG.
Manufacturers now know that hacking is a potentially serious matter threatening both product and revenue, and are investing in cybersecurity measures.
The global automotive cybersecurity market is projected to reach $8.61 billion by 2027 as reported by Emergen Research.
As cars evolve faster in terms of technology, legislation is starting to take notice. For instance, the UNECE World Forum for Harmonization of Vehicle Regulations (WP.29) announced that cybersecurity would now be a prerequisite before going on the market. Multiple regulatory agencies have recognized requirements within newly published standards as the basis for certification starting in 2022, and corporations are required to demonstrate a Cybersecurity Management System (CSMS) and a Software Update Management System (SUMS) to maintain the right to sell vehicles in those countries.
Over-the-air or OTA updates have become part of today’s connected devices, and the same functionalities naturally extend to connected vehicles as well. Most cars today become gradually less advanced as new models are launched with the latest and improved technologies. OTA updates are a bid to counter this. Through OTA updates, the software that runs the vehicle can continue to evolve and improve throughout its lifecycle, ensuring that cars can remain relevant and offer improved functionality.
Software downloads for connected cars have been available remotely to new vehicles for some time now. For instance, Tesla’s downloadable upgrades issued for anything, from videogames that can be played on the infotainment screen, to better battery range and safety-critical updates needed to improve braking performance.
OTA is also a pivotal element of autonomous driving technology that ensures smooth and secure navigation and routing. These updates provide terrain and road level data, and allow cars with automation features to acquire new updates on the go. Today, only some vehicle models have Level 1, Level 2, or Level 3 degrees of automation. But OTA is essential to the development of higher levels of autonomy.
Autonomous technology is growing at an incredible pace, which means that apart from general testing, external and internal safety issues like hacking, malfunctioning must be solved. The amount of data that autonomous vehicles gather, analyze, and the process has increased dramatically and will continue to do so in the coming years.
Experts worry that members of the public broadly underestimate the risks of in-car devices and services that, in the course of doing their jobs, also harvest vast amounts of personal data.
Once self-driving cars are fully deployed, malicious hackers might target vehicles to obtain access to the driver’s personal information or control of the vehicle itself. Hence, evolving cyber-risks are a significant issue, and in order to combat highly sophisticated attacks, advanced automotive cybersecurity solutions must be developed to ensure the highest level of security in vehicles.
Shaping automotive cybersecurity
- Cybersecurity has to be baked into a company’s processes right from the very beginning — from design and development through manufacturing.
- An ‘assume harm’ posture will serve the industry well, and guide both software and hardware developers to create systems with cybersecurity built into them, at all levels.
- As automotive ecosystems grow and evolve, software could come from multiple suppliers and run on the same hardware platform. All software must be analyzed for threats and common vulnerabilities, through software composition analysis, penetration testing and periodic risk assessments.
- Such an environment requires defense-in-depth strategies, which include secure updates, secure boot, identity access management, isolation-through-virtualization techniques etc.
- The microchips used within a vehicle’s ECUs must be secured. Secure hardware capabilities include secure storage, tamper detection, hardware acceleration for crypto-algorithms, secure firmware upgrades, secure key updates, secure boot, secure debug and other features.
Such strategies can prepare vehicular systems against attacks, help build the necessary trust in software-enable vehicles, that are redefining the automotive landscape with unforeseen capabilities.