Automotive players continue to see an increasing number of cybersecurity attacks across a variety of hardware and software access points. A column in early May summarized a lot of cybersecurity trends. Most of the data came from Upstream Security and their yearly reports on automotive cyberattacks.
Automotive industry cybersecurity is much more complex than cybersecurity for PCs, tablets, and smartphones. The reasons range from multiple ECUs and access points to smartphone apps that may connect to both vehicle infotainment systems and cloud services.
Cybersecurity is a difficult problem across the auto industry — today and in the future. Cybersecurity standards and regulations for the auto industry are now in effect and will require continuous and extensive efforts by OEMs and suppliers.
The next table is a summary of Upstream’s cybersecurity data for the first half of 2022. I also reviewed Upstream’s database of publicly reported cybersecurity incidents, which had 129 entries from January through July 2022. Using past years’ seasonality, this projects to over 270 incidents in 2022. The data is available as a searchable database.
Upstream identified two emerging cyberthreats and their potential impact on end users, OEMs, and the entire mobility ecosystem. The automotive industry should worry about these cyberthreats and add solutions as soon as possible:
EV charging infrastructure
The charging infrastructure is just getting started and will expand greatly in the next decade. Based on U.S. Department of Energy data, there are over 47,000 charging stations and nearly 118,000 charging points in the U.S. These numbers will double and probably triple in the next decade or so. Other regions will have similar charging station growth.
These charging stations have wired or wireless communications with multiple connections: the customers’ smartphones, EVs, local communication network (usually Wi-Fi), charging network’s cloud platform, electrical infrastructure, vehicle-to-grid (V2G), and likely other future sources. All of this creates new opportunities for cyberattacks.
Upstream included several examples of cybersecurity issues with charging infrastructure that were identified in 2022:
Upstream also listed previous EV charging cybersecurity problems in its EV white paper:
To monitor and secure the many EV charging risks, the OEMs will need extensive monitoring via a vehicle security operations center (VSOC) of both vehicles and charging stations. Securing EVs and the charging networks will depend on cloud-based monitoring that can understand charging-specific data to identify individual, regional, or widespread anomalies. It is likely that leading charging station operators will require their own VSOC and need to cooperate and coordinate with OEMs and fleet operators.
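The scoping step described above (individual, regional, or widespread anomalies) can be sketched as follows. This is an added example, not code from Upstream or the original article; the telemetry fields, station IDs, and both thresholds are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed telemetry: (station_id, region, sessions_started, auth_failures)
# for one monitoring window. All names and values are illustrative.
WINDOW = [
    ("st-001", "north", 40, 1),
    ("st-002", "north", 35, 0),
    ("st-003", "north", 38, 2),
    ("st-101", "south", 30, 19),
    ("st-102", "south", 28, 17),
    ("st-103", "south", 33, 1),
    ("st-201", "west", 25, 14),
    ("st-202", "west", 27, 0),
    ("st-203", "west", 31, 1),
    ("st-204", "west", 29, 2),
]
FAIL_RATE_LIMIT = 0.25  # assumed per-station authentication failure-rate threshold
REGIONAL_SHARE = 0.5    # assumed share of flagged stations that marks a region as affected


def anomalous_stations(window, limit=FAIL_RATE_LIMIT):
    """Return {region: [station_id, ...]} for stations above the failure-rate limit."""
    flagged = defaultdict(list)
    for station, region, sessions, failures in window:
        if sessions and failures / sessions > limit:
            flagged[region].append(station)
    return dict(flagged)


def classify_scope(window, limit=FAIL_RATE_LIMIT, share=REGIONAL_SHARE):
    """Classify the window as 'none', 'individual', 'regional' or 'widespread'."""
    totals = defaultdict(int)
    for _, region, _, _ in window:
        totals[region] += 1
    flagged = anomalous_stations(window, limit)
    if not flagged:
        return "none", flagged
    # A region counts as affected once enough of its stations are flagged.
    affected = [r for r, s in flagged.items() if len(s) / totals[r] >= share]
    if len(affected) >= 2:
        return "widespread", flagged
    if len(affected) == 1:
        return "regional", flagged
    return "individual", flagged
```

On the constructed window, two of three "south" stations exceed the limit, so the result is regional even though a single "west" station is also flagged.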
Connected-vehicle software APIs
Software platforms use application programming interfaces (APIs) for communication, data transfers, and similar operations. An API can sit between applications, between an application and a web server, or act as an intermediary layer that processes data transfer between systems.
APIs offer a simple and efficient interface for expanding functionality and improving the connected-vehicle experience. APIs are becoming core tools for new and fast-growing revenue opportunities for OEMs, suppliers, and technology partners. They provide critical points of connectivity to lower software development time and bring together data and services from a broad and diverse range of systems.
APIs present a pathway for agile data access and better digital experiences that can generate new revenue streams. Applications by OEMs and mobility service providers use APIs to interface with ECU-based systems for key utility and functionality. APIs also facilitate the activation of vehicle features and the delivery of subscription-based services, such as remote unlock, remote start, enhanced entertainment, and other features. Protecting APIs from malicious actors seeking access to mission-critical systems and sensitive data is essential.
However, APIs can become a liability and pose one of the greatest threats to the emerging connected-vehicle ecosystem. APIs can trigger actions in the vehicle, making hacking a vehicle possible without needing physical access or being in proximity to the vehicle.
Upstream found several automotive API-based vulnerabilities that made headlines in the first half of 2022:
The number of automotive API attacks has increased significantly despite OEMs employing advanced IT cybersecurity protections. IT-based solutions are struggling to handle the scope and magnitude of vehicle attacks. These solutions may lack the context and understanding of how vehicle ECUs and software behave and operate.
Creating automotive-centric and API-focused cybersecurity is essential to combat growing hacker activities. This will increase API value for OEMs and their suppliers. It will also avoid the safety and privacy risks from exposing critical back-end and web systems. API security solutions tailored specifically for automotive applications must provide the full range of cybersecurity functionality and contextualize vehicle data to understand how APIs are used and when they are suspicious.
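To make "contextualize vehicle data" concrete, the sketch below reviews API gateway records against vehicle context that a generic IT control would not have: which clients are enrolled for a vehicle and whether the vehicle is moving. It is an added example, not code from Upstream or the original article; the record layout, client and VIN names, and the per-client limit are all assumptions.

```python
# Constructed API gateway records: (timestamp_s, client_id, vin, command)
API_CALLS = [
    (1000, "app-alice", "VIN-A", "remote_unlock"),
    (1005, "app-bob", "VIN-B", "remote_start"),
    (1010, "app-bob", "VIN-B", "remote_unlock"),
    (1020, "svc-x", "VIN-A", "remote_unlock"),
    (1021, "svc-x", "VIN-B", "remote_unlock"),
    (1022, "svc-x", "VIN-C", "remote_unlock"),
]
# Constructed vehicle context: enrolled clients per vehicle and latest telemetry.
ENROLLED = {"VIN-A": {"app-alice"}, "VIN-B": {"app-bob"}, "VIN-C": {"app-carol"}}
SPEED_KPH = {"VIN-A": 0, "VIN-B": 62, "VIN-C": 0}
MAX_VINS_PER_CLIENT = 2  # assumed limit on distinct vehicles per client in the window


def review_calls(calls, enrolled, speed, max_vins=MAX_VINS_PER_CLIENT):
    """Return a list of (timestamp, client, vin, reason) findings."""
    findings = []
    vins_seen = {}
    for ts, client, vin, command in calls:
        # Context 1: is this client enrolled for this particular vehicle?
        if client not in enrolled.get(vin, set()):
            findings.append((ts, client, vin, "client not enrolled for vehicle"))
        # Context 2: does the command make sense for the vehicle's current state?
        if command == "remote_unlock" and speed.get(vin, 0) > 0:
            findings.append((ts, client, vin, "unlock requested while moving"))
        # Context 3: one client addressing many vehicles; report once when the limit is crossed.
        seen = vins_seen.setdefault(client, set())
        seen.add(vin)
        if len(seen) == max_vins + 1:
            findings.append((ts, client, vin, "client touched too many vehicles"))
    return findings
```

Every request in the constructed sample is syntactically valid, so the six findings come only from the vehicle context.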
Upstream Security is a great resource for tracking and understanding automotive cybersecurity trends, vulnerabilities, and new risks. It also has a large portfolio of cloud-based cybersecurity products and services.
Upstream’s mid-year report on emerging cybersecurity threats focused on two new dangers: EV charging vulnerabilities and software API liabilities.
The rapidly growing EV charging infrastructure has a large potential for cybersecurity disruption and will require rapid solution development and deployment. The cyber protection of current charging infrastructure is often deficient. Both OEMs and charging network operators need to cooperate to solve these cyber weaknesses.
The API vulnerabilities are also a growing problem — especially because OEMs and their partners are planning to generate revenue streams from apps and software-as-a-service based on API usage.
Automotive cybersecurity remains a difficult problem despite much effort to create large solution portfolios. Cybersecurity regulations are now in effect across regions, with Europe taking the lead. The U.S. still lags in terms of having automotive cybersecurity regulation and legislation.
Hopefully, NHTSA’s Sept. 7, 2022, release of its “Cybersecurity Best Practices for the Safety of Modern Vehicles” will help. It is an update to its 2016 edition. The document describes NHTSA’s guidance to the automotive industry for improving vehicle cybersecurity.
1. Grafana is a multi-platform open-source analytics and interactive visualization web application.
This article was originally published on EE Times.
Egil Juliussen has over 35 years’ experience in the high-tech and automotive industries. Most recently he was director of research at the automotive technology group of IHS Markit. His latest research was focused on autonomous vehicles and mobility-as-a-service. He was co-founder of Telematics Research Group, which was acquired by iSuppli (IHS acquired iSuppli in 2010); before that he co-founded Future Computing and Computer Industry Almanac. Previously, Dr. Juliussen was with Texas Instruments where he was a strategic and product planner for microprocessors and PCs. He is the author of over 700 papers, reports and conference presentations. He received B.S., M.S., and Ph.D. degrees in electrical engineering from Purdue University, and is a member of SAE and IEEE.