From its inception, the automotive industry has been shaped by innovation and disruption. In recent years, these transformations have taken shape in rapid digitization, ever-growing Electric Vehicle (EV) infrastructure, and advanced connectivity. These shifts have redirected the automotive industry, meeting and surpassing customer expectations for what vehicles should accomplish. However, they have also opened the door to cybersecurity concerns — and the last year has shown just how much of an impact these threats can have.
Recently, Upstream published their 2023 Global Automotive Cybersecurity Report. In it, they explored the cybersecurity threats that plague the automotive industry, as well as the things the sector can do to protect itself as these threats continue to evolve. Here’s a closer look at five important findings in this comprehensive document.
Lesson #1: New Attack Vectors Are on the Rise
As the automotive industry becomes more connected and digitized — and automotive companies open new revenue streams as a result — the attack vectors are evolving beyond traditional stakeholders. According to the report, the top cyberattack vectors in 2022 were telematics and application servers (35%), remote keyless entry systems (18%), electronic control units (14%), automotive and smart mobility APIs (12%), infotainment systems (8%), mobile applications (6%), and EV charging infrastructure (4%).
Looking a little closer, some of the emerging attack vectors include:
- Vehicle subscription services: Subscription services for in-car features, for example, require drivers to share Personally Identifiable Information (PII) with their provider, opening the door to identity- and authentication-related attacks.
- Third-party automotive mobile apps: These apps are designed to enhance the driver’s experience and often require information like the driver’s PII and sensitive vehicle data that’s appealing to bad actors.
- EV charging networks and infrastructure: Rapid growth in the EV landscape has increased the potential for attacks via charging ports. This is prompting all EV stakeholders to do more from a cybersecurity standpoint.
- Fleet management: The Internet of Things (IoT) has allowed for fleet management software that leverages data collected from vehicle fleets. Connected fleet infrastructure has many advantages, but also creates multiple attack vectors for attackers that could impact multiple fleet vehicles simultaneously.
- New insurance models: Insurance is evolving with the use of telemetric data that focuses on driver behavior and usage. This often requires real-time monitoring with devices installed in the vehicle — devices that can be compromised by attackers infiltrating the insurance company’s network.
- Smart mobility APIs: In 2022, the number of automotive API attacks grew by 380%. As the use of this technology continues to increase, so do the risks associated with APIs.
This shift to new vectors means that automotive companies need to take an approach to cybersecurity that’s more focused on technology and IT, and less on vehicle-centric security models.
Lesson #2: Attacks Are Increasingly Sophisticated
As the automotive industry continues to change and grow, so does cybercrime. In fact, cyberattacks are becoming even more refined to match the evolution in the industry.
For starters, nearly all attacks (97%) are being conducted remotely, and 70% of remote attacks are perpetrated at long range, i.e., not near the vehicle, that rely on network connectivity.
Bad actors are also refining their approach to ransomware, which occurs when a criminal has access to key digital infrastructure and holds it ransom for a high dollar amount. They often manifest as massive data breaches, denial of service, and production shutdowns that impact the entire supply chain. In a time where supply chain issues are already rampant, this is particularly problematic.
As vehicles become more connected to everything, Upstream expects attacks that leverage these connections to become much more prevalent in the coming years.
Lesson #3: Cybercrime Has a Massive Impact
Businesses that are victims to cyberattacks can be negatively impacted in a number of ways:
- Data and privacy breaches: Automotive providers have access to a wealth of personal and usage data, as well as sensitive information related to their business. Losing this data can be catastrophic.
- Financial and reputational impact: Recovering from a cyberattack is expensive, as it requires patching the vulnerable areas and conducting thorough audits to make sure there aren’t any others. It also potentially compromises customer trust.
- Vehicle thefts and break-ins: Keyless car thefts are becoming increasingly common, and cyber incidents are one driving factor. This puts providers in an awkward position they need to remedy.
Lesson #4: Regulators Are Evolving Their Policies — and the Industry Has to Keep Up
The regulatory space is shifting to expand the scope of cybersecurity protection and measures. Industry standards like WP.29 and ISO/SAW 21434 now emphasize the importance of having high standards for cybersecurity practices and analysis at every stage of a product’s lifecycle. For example, fuzzing an automotive computer while the product is being developed allows you to proactively improve cybersecurity and build safer vehicles from the start.
Beyond enforcing better practices for cybersecurity in the sector, these regulations and guidelines also provide uniform terminology, methodology, targets, and scope for the entire industry to get on the same page.
In addition, as the industry responds to government targets for electrical infrastructure and smart mobility, legislators and regulatory bodies are becoming more aware of cybersecurity risks to vehicles, infrastructure, and consumer privacy. They are also starting to work on new regulations to address these risks. This will continue to be the case with the ongoing emergence and development of autonomous vehicles.
Lesson #5: Security Is Everyone’s Responsibility
Today, cyberattacks in the automotive industry aren’t solely limited to vehicle producers. Every component of the supply chain and supplementary features is vulnerable to these threats. These attacks aren't just targeting data for financial gain, but also to compromise public safety and infrastructure. From EV infrastructure suppliers, to smart mobility services providers, and everywhere in between, all automotive stakeholders need to take direct action to protect their assets and their customers. Only then will the industry be able to continue its digital transformation at a rapid and safe pace.
While there are ongoing concerns for the automotive industry when it comes to cybersecurity, there are also various steps being taken to become more resilient. As stakeholders adopt new security software, improve their auditing capabilities, and leverage new regulations, they are setting themselves up to evolve with the threats and protect their users and data. In fact, according to the report, 2023 will see increased collaboration within the automotive ecosystem, accelerating holistic protections across the industry.
About the Author:
Ali Cameron is a content marketer that specializes in the cybersecurity and B2B SaaS space. Besides writing for Tripwire’s State of Security blog, she’s also written for brands including Okta, Salesforce, and Microsoft. Taking an unusual route into the world of content, Ali started her career as a management consultant at PwC where she sparked her interest in making complex concepts easy to understand. She blends this interest with a passion for storytelling, a combination that’s well suited for writing in the cybersecurity space.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire, Inc.
Mastering Security Configuration Management
Master Security Configuration Management with Tripwire's guide on best practices. This resource explores SCM's role in modern cybersecurity, reducing the attack surface, and achieving compliance with regulations. Gain practical insights for using SCM effectively in various environments.