Thursday, March 28, 2024

Solving the Challenges of Automotive Cybersecurity for Connected Cars Fleets

Connected cars have evolved from being an extra to being the norm. As fleets become more autonomous and connected, the complexity of their systems continues to increase. These days, vehicles’ computer systems may include millions of lines of code. Fleet owners may face new risks from cybercriminals who can wreak havoc on their business. In this post, we’ll give you an overview of the main cybersecurity challenges of fleets and how to overcome them.

The security challenges of connected cars

The first problem is that manufacturers’ implementation of cybersecurity measures is still behind. There are no specific automotive standards, just the ISO 26262, which states that a manufacturer is responsible for implementing security measures. But there are other security challenges for connected fleets. Let’s explore.

The security threat landscape

Code-heavy solutions increase the risk of exposure.

The larger and more complex a piece of software, the more likely it is to have vulnerabilities that can be exploited. Automotive software can contain hundreds of millions of lines of code. If you have code-heavy software, the chances of vulnerabilities are exponential. Regardless of the testing, the automotive industry is not yet ensuring secure code line by line.

The complexity of the automotive software supply chain

The automotive industry often integrates third-party software, applications, components, and protocols. With each additional participant in the supply chain, the risk of an attacker taking advantage of weak links increases. When multiple actors are involved, and a car’s software set can be supplied by over 20 suppliers, implementing cybersecurity protections becomes difficult.

Software should be signed as it is built up through the supply chain. But suppliers are not always aware of potential threats that may affect others. For instance, if a Tier 1 supplier solution has a vulnerability, it can pass down to Tier 2 and Tier 3 suppliers. A cybercriminal can infiltrate a low-level supplier and work their way up from there. The problem is compounded by the high interconnection of supply chain participants. That is why connected cars are at great risk of supply chain attacks.

Diversity of the attacks

Cyberattacks are increasing, not only in number but also in diversity. Attackers can steal cars or break in, control car systems, or steal sensitive and private data. Although they have been around for a long time, in-car data collection and storage systems are often overlooked in automotive cybersecurity. With attacks coming from multiple fronts, car fleets and manufacturers need to up their protection game.

Government initiatives fall behind

Connected fleets, if hacked, can be victims of accidents and damage, financial loss, and personal injury. Attackers can target vehicles via their software updates or any other component.

Unfortunately, government initiatives to protect fleets from the impact of a cyberattack are lacking. In a recent study by the University of Exeter, researchers stated that “It’s impossible to measure the risk of driverless vehicles being hacked, but it’s important to be prepared. We suggest the introduction of insurance backed Maliciously Compromised Connected Vehicle Agreement to compensate low-cost hacks, and a government-backed guarantee fund to compensate high-cost hacks.” (source)

Consequences of getting hacked

Financial loss

An attack on the fleet architecture can be a disaster. First, a company will suffer a loss of clients and reputation. As a consequence, the financial loss from car hacking can be in the millions.

Loss of personal data

Imagine a cyber attacker getting hold of your car fleet users’ data. Data breaches can result in loss of clients’ trust, reputation, and money. Not to mention the penalties and fines for noncompliance with regulations.

Fines and insurance issues

A car hack can result in regulatory issues, with hefty fines. Moreover, most insurance doesn’t cover car fleet hacking. Many times, manufacturers and fleet owners suffer from increases in insurance premiums and compensation.

How automotive cybersecurity overcomes the challenges

Car fleet owners can find it overwhelming to protect their fleet against these types of attacks. But there are some strategies you can apply. First, keep in mind that you don’t have control over the manufacturer’s hardware or other software integrated into the system.

  • Conduct cybersecurity hygiene

This may be obvious, but the first line of defense is prevention. Evaluate which parts of the infrastructure you have control over, and how they integrate with your vehicles. Ensure your staff is following security hygiene practices. This includes being responsible for data retention, access control, and data loss prevention practices.

  • Leverage a cloud-based automotive security solution

A holistic car protection solution can help protect your fleet. An effective security solution needs to analyze the fleet as a whole, understanding the data at all levels of the fleet architecture, including at the car, driver, app, and server level. By leveraging a cloud solution, you are not tied to hardware issues.

Conclusion

Car hacking can have disastrous consequences for car fleets, financially, and in terms of loss of reputation and business. Car fleet owners can protect their companies from cyberattacks by leveraging automotive security technology and best practices.
