As automakers add more technology to vehicles, they have become more vulnerable to cybersecurity ... [+]
All that technology stuffed into today’s cars and trucks is making drivers and passengers safer, more comfortable and better entertained. But as infotainment and advanced driver assistance systems become more sophisticated and capable, they’re also becoming increasingly vulnerable to cyberattacks that can range from annoyances to disabling vital safety and operational controls.
Experts at recent auto technology conferences as well as several industry reports paint disturbing pictures of how a severe shortage of skilled software engineers, inadequate planning and testing by automakers before vehicles go into production, unintended entry points such as Bluetooth links and a lack of software standards are all contributing to creating fertile, rolling targets for malevolent hackers.
Roy Fridman, CEO, C2A Security
“There is a vulnerability of millions of cars on the road. If a hacker wants he can just go and do it,” said Roy Fridman, CEO of cybersecurity technology firm C2A Security in an interview during the Automotive Cybersecurity Detroit 2023 Conference held in Ann Arbor, Mich. in March.
Indeed, modern vehicles have gone from mechanical beasts to rolling computers—what’s known as software defined vehicles or SDVs.
Top-of-the line vehicles contain 1,000-3,000 microchips, as many as 150 electronic control units or ECUs operated by up to 150 million lines of software code according to a report by the National Center for Manufacturing Sciences (NCMS).
That amounts to four times more lines of code than a fighter jet, and projected to rise to 300 million lines of code by 2030, according to a report by the United Nations Economic Commission for Europe or UNECE.
“With every line of code, the cyber risk to modern vehicles increases, and security researchers have demonstrated its impact and cost,” warns McKinsey and Co. researchers in a report titled “Cybersecurity in Automotive.”
But the conveniences and capabilities consumers demand provided by all that technology creates a situation where there must be trade-offs but there’s no bartering.
Dennis Kengo Oka, Senior Principal Automotive Security Strategist and Executive Advisor at Synopsys ... [+]
“I think there's always some balance there between security and usability. So the more functions and features you want as a user, the higher the risk for vulnerabilities and potential threats against a vehicle,” said Dennis Kengo Oka, Senior Principal Automotive Security Strategist and Executive Advisor at Synopsys Software Integrity Group in an interview during the recent WCX 2023 auto technology conference in Detroit organized by the SAE. “As you can imagine, if we didn't have any of these features, we don't allow the vehicle to be updated or we don't allow any Wi Fi or Bluetooth, then it would be so much harder for an attacker to actually try to attack the vehicle.”
The prevailing thought is cybersecurity must not be some sort of device or software slapped on after an attack or somewhere in the middle of the vehicle design process, but rather an integral element very early in the process.
One tactic is what’s known as fuzz testing where proposed vehicle software systems are intentionally sent signals that might create the type of havoc a hacker might attempt.
“The goal there with fuzz testing is you want to have many test cases, as many of these misuse cases, to test if there's any abnormal behavior, which could have a root cause and that there's a vulnerability and then you can analyze that. If you find that there's vulnerability, you want to fix that before any before you release that product and really attackers go in and target that vulnerability,” explained Kengo Oka.
Another key tactic is building in cybersecurity defenses that operate automatically such as those produced by C2A Security, which enters the picture long before vehicle design even begins, working with all the teams.
Dvir Reznik, C2A Security vice president of marketing.
“So we're bringing everyone into this automated platform. We import Excel files. We understand that current OEMs security protocols, their requirements, we can integrate with whatever tool they're using in the development side,” said Dvir Reznik, C2A Security vice president of marketing in an interview. “And then when the developer sits in and says, okay, now I need to develop this new feature, I need to develop this app, so these are also the five security requirements that are most important to include in the code.”
That assessment is echoed by Synopsys's Dennis Kengo Oka who noted, “OEMs and suppliers need to really do this type of testing on their own before they release the product. Because if you don't do the testing, there are attackers out in the world, who will most likely do that type of testing and find vulnerabilities and either report them or try to do something malicious. So if you do that testing on your own, as an OEM or supplier, you will reduce the risk of anyone finding those vulnerabilities because you will find them first and you have the chance to fix them.”
Isometric illustration of a hacking attack or security breach. 3D rendering
But as automakers push to fulfill the demands of customers who want an increasing amount of technology available when they get behind the wheel, they're challenged by an acute shortage of people with the expertise to keep up with that demand.
“There's like a three million engineer shortage in the U.S. alone,” observed Reznik. “What the industry needs, not just automotive, the entire industry essentially, if you're looking at cybersecurity, especially skilled cybersecurity engineers, not a million but still is a large number and what we are hearing from our customers in numerous occasions is that it's mostly around staffing. They just can't hire enough people.”
That's no excuse, of course, for failing to protect drivers and passengers from cybersecurity attacks.
The UNECE developed regulations that went into effect in the European Union in 2021 that set minimum standards for automotive cybersecurity technology.
Add to the cybersecurity mix, a new vulnerability created by electric vehicle charging stations that are connected in the cloud.
“It's another sort of wormhole in the network,” said C2A Security's Roy Fridman, “so then that's a target of hackers.”
Fridman believes just as car buyers examine vehicle stickers for features and price, they'll expect to be assured, in writing, they're safe from hackers.
“In a couple of years you will see like you have the N-CAP ratings of safety, yes, you will have either the same thing with security. It just makes a lot of sense,” said Fridman.
Still, the trend is rapidly moving towards increasing complexity of on-board vehicle technology to match consumer demand and innovation and for automakers, demand for cybersecurity will only increase as one speaker at the March cybersecuity conference warned, “it's not a nice to have, but a must.”
