Society Technology Automotive cybersecurity threats and risk mitigation January 15th, 2021 Connected cars are essentially data centers on wheels, with multiple processors and units connected to different cloud services. This complex infrastructure must be protected in order to withstand cyberattacks on the car’s software and backend. In this article, I will discuss some of the most common automotive cybersecurity threats, and how you can prevent them from affecting your connected car services. Connected car networks need to be encrypted A connected car uses several different kinds of networks, among them the onboard diagnostics (OBD) system and the controller area network (CAN). Historically, the latter used to be relatively easy to attack, as these networks were often unencrypted. However, more and more car makers use onboard ethernet – a common network technology that is easier to protect. An unencrypted connected car network could be used to steal or hijack a car’s security certificate, for example. That certificate could then be used to simulate the vehicle, posing as the car to the systems that the car communicates with, in order to elicit valuable information about the driver, the car, its load, and more. As connected cars become increasingly complex, we should expect the number of connected systems they use to increase as well. Connected car software may be targeted by malware and ransomware Connected cars rely on the phones, apps, key cards, etc. that are connected to it. A malicious app can infect a phone and potentially spread its infection to the car, if the onboard systems are not sufficiently isolated and protected. A car’s sensors or operating system can be hacked and altered to make the car assume that some malicious software is in fact benign. In the future, there is also the risk that ransomware will be used against unprotected vehicles. In this scenario, all vehicles by a certain manufacturer could be hacked – essentially kidnapped – and held hostage. The backend solution also needs to be able to withstand a cyberattack, so that no vehicles (or fleets) may be hacked that way. Public key infrastructure certificates improve automotive cybersecurity Vehicle-to-vehicle communication (V2V) and vehicle-to-everything technology (V2X) allow cars to communicate not just with their backend, but with other cars and traffic infrastructure – such as toll stations, traffic lights, road signs – as well. This increases the cybersecurity demands of connected cars, as they need to always send and receive data securely. It is thus critical that the car’s communication partners can be trusted at all times. Public key infrastructure (PKI) is a network technology that uses certificates for authentication. These certificates enable the secure identification of, and communication between, devices. For connected cars, it means that different part(ner)s in the connected ecosystem can be authenticated through encryption and message signing. In Europe, the European Telecommunications Standards Institute (ETSI) has already developed standards for PKI under C-ITS, Cooperative Intelligent Transport Systems.. Make sure your connected car services come with built-in cybersecurity At WirelessCar, we work with – and recommend – security by design. For car makers, it means that cloud services, backend solutions and other digital infrastructure need to be secure from the very beginning. Retrofitting your cybersecurity once the damage is already done will be very inefficient and costly. By using PKI, you ensure that your data cannot be manipulated by anyone, at any point in the process. The backend needs to provide the car with certificates, which can be used to encrypt data, and signed to authenticate it. As owners of this data, car makers need to be able to fully protect it. Third parties must of course be able to protect the data as well, when it is used in their connected car services. Over-the-air updates and cyberattack detection are crucial to automotive cybersecurity Today’s cars, and those of tomorrow, should be expected to last for many years. That means that their communication channels and digital ecosystems will develop over time. As such, these need to be maintained and updated continually. Over-the-air updates ensure that this is done with continuity, without the need for physical service center maintenance. If a connected car or fleet starts to communicate in an atypical way, that needs to be detected immediately and reported reliably. The indication that someone is trying to hack into a car, for example, should preferably come from several sources. The network, the backend servers, and the car itself can all send data alerting operators and service providers of possible cybersecurity threats. A Vehicle Security Operations Center (VSOC) can receive this data and act on it, 24-7. As of the time of writing, WirelessCar is in the process of building a VSOC together with one of our customers. We will return to this subject in the near future. WirelessCar’s work with automotive cybersecurity WirelessCar is currently undergoing the ISO/IEC 27001 certification process, and we work according to the NIST SP 800-53 standard. We make sure that security is a cornerstone of our entire way of working. Similarly, security by design and defense in depth are key concepts in the services we build and provide. In 2020, we began to arrange our WirelessCar Quality & Cybersecurity Fridays; one of several internal initiatives dedicated to automotive cybersecurity. These Friday events cover different aspects of this topic, including knowledge transfer about automotive cybersecurity throughout our organization. We honor the cybersecurity and data trust that OEMs place in us Our customers trust us with a lot of highly important data related to their vehicles, customers and future planning. WirelessCar would not be able to deliver our high-quality services based on this data if we did not handle it with utmost care. We know the value of it, and thus the importance of practicing professional, secure data isolation at all times. We are proud to be a trusted partner and service provider to car makers around the world. With that trust comes the responsibility to always maintain the integrity of your data. It is safe with us, and we will not share it with any other OEM. The notion that it is easy to hack a vehicle is a myth; it certainly is not. Still, it is something that all car makers need to be prepared for. Defending your connected cars and their services and systems – and being able to verify the data they send and receive – will only become more and more important. This not least considering the United Nations’ UNECE WP. 29 Cyber Regulation, which will likely have a major, positive impact on automotive cybersecurity in the years to come. WirelessCar is already working in accordance with this regulatory framework; you can read more about this in an upcoming article here on our blog. I hope you enjoyed this article on automotive cybersecurity. If you have any questions, email me at Anders Bolinder. Make sure you also check out the other, related articles here on our WirelessCar blog: Why OEMs should provide call center services for connected cars, Enhance your service portfolio through your existing connected car cloud, How does edge computing benefit connected cars?, and many more. Anders Bolinder Contact