Largely controlled by computer modules, semiconductors and software, today’s vehicles are more akin to smartphones than the rolling containers of mechanical parts of the past. The increasing dependence on sophisticated electronics and sensors is vastly improving vehicle performance, safety and amenities for drivers and passengers as well as creating networks of so-called “connected vehicles.”
To show how complexity is growing, a published report on vehicle cybersecurity reveals autonomous vehicles contain between 300 million and 500 million lines of software code. Compare that to a Boeing 787 Dreamliner commercial jet with 15 million, or a premium car such as a Mercedes C-Class with 100 million lines of code. And it is not just vehicle complexity. There is also the sophisticated technology infrastructure necessary to design, engineer and build cars and trucks containing all those capabilities.
All good, except those same technologies are also the prime portals into an automaker’s internal infrastructure and its vehicles for cyber criminals. Their illegal activities not only threaten the safety of occupants but can cost OEMs millions of dollars to combat and repair. By taking control of a vehicle, they can cause mayhem that endangers its occupants. Cybercriminals can also infect vehicle systems with harmful malware, or with ransomware that holds a vehicle’s controls hostage in exchange for payment.
How dire is the situation? According to a report by Israeli security firm Upstream, which monitors cyberattacks, “cybercrime, including automotive-related cybercrime, is more profitable than the global illegal drug trade, at $600 billion annually versus $400 billion.”
That same report revealed in 2020, the average cost of a data breach was $3.86 million. Even worse, the average time to identify and contain a breach in the auto industry was nine months.
Examples of Attacks
The exponential growth in the amount of code and in project complexity in vehicles means more cybersecurity risk for OEMs and suppliers. In fact, cybersecurity incidents and hacks have experienced 94 percent year-over-year growth since 2016.
Some recent examples:
--January 2020: A Mobileye 630 PRO and Tesla Model X hack fooled the ADAS and autopilot systems to trigger the brakes and steer into oncoming traffic.
--February 2020: 19 vulnerabilities were found in a Mercedes-Benz E-Class car, allowing hackers to control the vehicle remotely, including opening its doors and starting the engine.
--June 2020: Honda had to stop production in a number of its plants due to a ransomware attack that targeted its networks in Europe and Japan.
A hacker was able to gain control over Tesla’s entire connected vehicle fleet by exploiting a vulnerability in the automaker’s server-side mechanism.
Perhaps the most famous case involved the 2015 takeover of a Jeep Cherokee by two hackers as an experiment to demonstrate just how vulnerable a vehicle can be to cybercrime. They attacked the Cherokee through its infotainment head unit, controlling the SUV’s transmission, braking, even its air conditioning.
While consumers demand vehicles with more technical bells and whistles, connectivity and amenities, one report reveals that a good many of them are spooked by how easily their four-wheeled electronic marvels can be hacked. That has the potential to cost automakers billions in lost sales.
A survey published in 2020 found that 84 percent of consumers would not buy another car from a dealership if their data had been compromised by a breach in the past. A separate study determined 80 percent of consumers have said they would not buy from an automotive company that has been hacked.
With billions of dollars in lost revenues, consumer trust and prestige on the line, automakers and suppliers are faced with putting up defenses against cyberattacks that can come from both within their ranks as well as from external sources. What makes the task even more difficult is that determined and skilled hackers often figure out how to breach defenses soon after they are mounted.
Organizations such as the National Highway Traffic Safety Administration and Auto-ISAC have developed guidelines and recommendations for deflecting cyberattacks; however, these are basically suggestions. New rulemaking by the United Nations Economic Commission for Europe (UNECE), while well-meaning, has the potential to bankrupt manufacturers if not managed properly.
Starting in the European Union from July of 2022 and staged to July of 2024, the regulations require a proper Cybersecurity Management System (CSMS) and Software Update Management System (SUMS). These are needed to operationally monitor and adjust security long past the sale of the vehicle. Failure to complete rigorous upfront engineering could result in billions of dollars of opportunity costs.
If manufacturers fail to meet the approaches laid out by the regulations—which require them to manage vehicular risks, secure the vehicles by design to mitigate risks along the value chain, detect and react to ongoing risks, and provide secure software updates—automakers will not be permitted to sell vehicles globally. Given the historical difficulty in quickly ramping up a qualified cybersecurity team, the short timeframe to comply has led to what could best be described as panic hiring of engineers and specialists in cybersecurity.
The potential dangers lurk when companies turn to outside or offshore staffing agencies that provide such personnel at a lower cost, but who are less skilled. The alternative of turning to higher-cost consultants may bring aboard more proficient staff, but only as a short-term solution.
Without built-in loyalty to the company, such contractors can be threats from within as they are often considered “privileged users” since they control critical elements such as key management or detection algorithms.
A Forrester study predicts insider data breaches will increase 8 percent this year, while a study by the Ponemon Institute found cybersecurity threats from “employee or contractor negligence” increased from 10.6 percent in 2016 to 14.5 percent in 2019. Insider cyber threats from those determined to be “criminal and malicious insiders” rose from 3 percent to 5.4 percent during the same period.
At Kugler Maag Cie, an automotive consulting company, we strongly urge automakers and suppliers to not hire on a hair trigger just to make an impending regulation deadline but rather protect their long-term cybersecurity by taking a more deliberate approach. This means adopting the philosophy of “hire slow, fire fast” which translates into taking the time to fully screen applicants to ensure their skill level, experience and honesty.
Catching vulnerabilities before vehicles hit the marketplace is money well spent. A lesson can be learned from a case in 2015, when hackers compromised the 2009 Chevy Impala. It took General Motors nearly five years to fully protect the vehicles from the hacking technique used in the attack.
The fact that hackers are resourceful in finding vulnerabilities demands a multi-layered defense that includes bolstering security in the vehicle and internal IT network and using cloud security to detect and thwart cyber-attacks.
The situation is likely to escalate. Experts predict that in the next ten years there will be 966 million connected cars on the road, all “talking” to each other and, really, to the world, offering all sorts of information and, by extension, opportunities for hackers. By 2025, connected vehicles will comprise nearly 86 percent of the global automotive market.
The dizzying speed of development of vehicle technologies is truly a wonder aimed at improving our safety, convenience and enjoyment of life on the road. But without strong and constant defenses, the actions of cyber criminals can exact a stiff cost in lives and livelihoods.