Plug-in electric and at least partially autonomous connected cars are a common sight on roads around the world. 

The software and electronic component market for those vehicles is projected to grow from $238 billion to $469 billion between 2020 and 2030. Both cybersecurity and ‘privacy by design and default’ have been holistically embedded into operations across many manufacturers, supply chains and delivery infrastructures. But, these are vulnerable to cyberattacks, as are the vehicles themselves once they leave the assembly line. They need cyber resilience standards as much as any other computer. 

On Oct. 7, 2020, X-Force Red, IBM Security’s team of hackers, and IBM’s global automotive team will present a webinar about new security mandates for connected cars. They will discuss common attack scenarios the mandates should help protect against, and what manufacturers can do today to begin the compliance process.

Register now

Bringing Security Out of the Assembly Line 

Securing intellectual property, such as new designs, concepts, tooling/technologies and strategic plans, has been a focus in manufacturing plants for many years. Once they get on the road, connected and automated vehicles (CAVs) are vulnerable to cyberattacks. This includes the physical vehicles, technologies and services they connect to and communicate with. 

While manufacturers have excelled in security in development, production and engineering, they do not consider cybersecurity gaps as often. For example, they may dismiss cybersecurity monitoring of connected cars on the road. Threats to vehicle integrity and production line availability as a result of a cyberattack are also areas that require maturation and a stronger operational resilience focus. 

Threat Vector 1: Vehicle Component Complexity  

CAVs are fundamentally highly interconnected architectures that provide a range of key services via a gateway electronic control unit (ECU) with telematics and communications embedded. These services include the powertrain (engine and transmission), the chassis control subnet (steering, airbag, braking), body control subnet (instruments, climate control, door locking) and the infotainment subnet (telephone, navigation, audio/video). Alongside these components are a range of external connections, such as USB, Bluetooth, WiFi, ZigBee, GPS, Wave, 3/4/5G, OBD, GSM and many others. This complex connected infrastructure can leave vehicles exposed to a range of vectors.

Damage/loss of sensitive data in the cloud, failure or malfunctions of systems, power supply or errors in software, interception of information, such as locking of doors or garages, tampering of vehicle controls and identity fraud/theft are all possible threats.

Threat Vector 2: Power Grid Disruption

One emerging threat vector that can be defended against with greater cyber resilience is an attack that targets electric vehicles (EVs). This threat vector is a demand-side cyberattack using multiple plug-in EVs and high-wattage charging stations. Recent research highlights this as a realistic scenario involving multiple EVs being hacked simultaneously during a charging cycle with the aim of disrupting the power grid or causing blackouts. This risk was highlighted by the National Institute of Standards and Technology, which stated the energy and transportation sectors have “very little understanding of each other’s concerns and approaches to cybersecurity.”

To address these risks, regulated standards are needed for current and future vehicles to mandate requirements for CAVs with cybersecurity controls, testing and technological measures. This can provide assurance during the manufacturing, assembly and inspection processes alongside ongoing security updates to connected cars during their lifetimes.

Threat Vector 3: Mobile Devices

Mobile devices have now become a key and a method of controlling multiple key functions, such as locks, headlights, infotainment, climate control, wipers, the horn and even the movement of the vehicle. These devices and apps are known to have a range of vulnerabilities. For example, poor password requirements, code errors, outdated operating systems, susceptibility to malware/viruses and poor user practices provide a range of threat vectors to a CAV. For example, a malicious actor may have installed an app on a user device which could then access the legitimate app for the CAV and obtain a vehicle identification number (VIN). Once a VIN is obtained, the attacker could install a legitimate app and potentially take control of the vehicle.

Threat Vector 4: The Human Element

Automotive employees will need to develop new skills and change the way they work. This leads to transformation in engineering, design, sourcing, program management, sales and service. All employees and stakeholders will need education related to cybersecurity. A recent example of a Tesla employee being approached by a criminal gang to deploy malware highlights the need to embed a strong culture of awareness, as well as controls to prevent rogue employees from causing disruption of damage.

Threat Vector 5: Financial Crime

The CAV payments market is expected to reach over €537 billion ($636 billion) by 2030. While the threat of malicious attacks and physical theft have been a concern for some time, the most common threat vector may be financial gain by organized criminals. As CAVs will have multiple technologies that provide payments for a range of services (such as fuel, subscriptions, tolls, parking or food and drink), there is a risk of payment data being compromised.

What’s Next for Connected Cars? 

Now, automotive players can adopt uniform cybersecurity standards to protect the connected cars and other vehicles they design and manufacture. These include the United Nations Economic Commission for Europe (UNECE) WP.29 cybersecurity, International Standardization Organization ISO 24089 — Software Update Engineering or the upcoming ISO 21434 Road vehicles — Cybersecurity engineering standards.

These standards are key because advanced technologies and the increased connectivity of vehicles significantly increase the risk of cyberattacks. Additionally, in a vehicle, the risk of physical injury is added to the risk of loss of data. Successful cyberattacks could lead to financial and reputational damage as well as significant regulatory fines for manufacturers.

Ultimately, cybersecurity standards and regulations such as WP.29 and ISO/SAE 21434 can benefit automotive industry stakeholders. By embedding a strong culture of cybersecurity, cyber risk quantification, threat/risk management, governance and technological controls and processes, these standards can help keep vehicles, drivers and pedestrians safe.

More from Intelligence & Analytics

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Web injections are back on the rise: 40+ banks affected by new malware campaign

8 min read - Web injections, a favored technique employed by various banking trojans, have been a persistent threat in the realm of cyberattacks. These malicious injections enable cyber criminals to manipulate data exchanges between users and web browsers, potentially compromising sensitive information. In March 2023, security researchers at IBM Security Trusteer uncovered a new malware campaign using JavaScript web injections. This new campaign is widespread and particularly evasive, with historical indicators of compromise (IOCs) suggesting a possible connection to DanaBot — although we…

Accelerating security outcomes with a cloud-native SIEM

5 min read - As organizations modernize their IT infrastructure and increase adoption of cloud services, security teams face new challenges in terms of staffing, budgets and technologies. To keep pace, security programs must evolve to secure modern IT environments against fast-evolving threats with constrained resources. This will require rethinking traditional security strategies and focusing investments on capabilities like cloud security, AI-powered defense and skills development. The path forward calls on security teams to be agile, innovative and strategic amidst the changes in technology…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today