Automotive cybersecurity critical focus for safety of passengers
- The rising need for automotive cybersecurity will trigger investments, and the market is expected to grow to US$9.7 billion in 2030
- There are currently no specific regulations in the US around automotive cybersecurity
- Experts have warned that automakers are behind the curve when adopting cybersecurity best practices
Automotive cybersecurity is going to be vital for automakers as the industry races to build more autonomous, connected cars and electric vehicles. However, experts have warned that automakers are behind the curve when adopting cybersecurity best practices.
As cars become more connected and dominate the agenda of automotive industry leaders in recent years, they’re also becoming increasingly susceptible to cyberattacks.
Vulnerabilities expose need for automotive cybersecurity
Recent vulnerabilities surfaced in Honda and Acura’s cars through the communication with its remote keyless entry function. According to researchers, easily intercepted radio signals from the wireless entry key fob on almost any Acura vehicle could allow a threat actor to lock, unlock, and even start the car.
The confirmed vulnerable models were the 2009 Acura TSX, the 2016 Honda Accord V6 Touring Sedan, the 2017 Honda HR-V (CVE-2019-20626), the 2018 Honda Civic Hatchback, and the 2020 Honda Civic LX.
Honda also faced a cyberattack in June 2020 which impacted its operations around the world where one of its internal servers was attacked externally. The company halted its UK plant alongside a suspension of other operations in North America, Turkey, Italy, and Japan.
Meanwhile, university researchers critically hacked and stole a Tesla Model X in November 2020 with a Raspberry Pi, a key fob, and a replacement engine control unit. Researchers from Keen Security Lab also demonstrated that it was feasible to gain local and remote access to infotainment, T-Box components, and UDS communication above a certain speed of selected BMW vehicle modules.
The breaches have also included EV home chargers being controlled by accessing the home Wi-Fi network, while malware infection caused significant production disruption at German car parts manufacturer Rheinmetall.
Rising need for automotive cybersecurity
A new report from Trend Micro Incorporated states that 125 million passenger cars with embedded connectivity are forecast to ship as progress advances towards fully autonomous vehicles.
The advancement will create a complex ecosystem comprising cloud, Internet of Things, 5G, and other vital technologies. It also features an enormous attack surface comprising millions of endpoints and end-users.
The report also warns that “vehicle connectivity introduces significant new risk vectors and potential attack points that adversaries such as cybercriminals, hacktivists and even unscrupulous operators, could exploit to achieve objectives such as disruption, interception, or corruption of data.”
The rising need for automotive cybersecurity will trigger investments, and the market is expected to grow to US$9.7 billion in 2030, with the software business representing half of the market by 2030, according to McKinsey. The report states that Software and electrical/electronic (E/E) components are, and will continue to be, among the key innovations in modern vehicles.
Regulating vehicle security
The new WP.29 regulations were drawn up by The United Nations Economic Commission for Europe (UNECE) and approved in June 2020.
The automotive sector had a framework to put processes that identify and manage cybersecurity risks in vehicle design. This includes verifying that risks are managed, ensuring that risk assessments are kept current, and attacks are monitored.
The analysis of successful or attempted attacks, review of cybersecurity measures in the light of new threats, and ensuring security lifecycle management (across the development, production, and post-production phases) are also part of the framework.
WP.29 regulations have been adopted by the European Union and will be mandatory for all new vehicle types from July 2022. South Korea and Japan have also committed in the meantime. However, there are currently no specific regulations in the US around automotive cybersecurity.
30 September 2022
28 September 2022