It’s hard to fathom how small, inconsequential actions can lead to unintended yet devastating outcomes. This “butterfly effect” is the likely reality that will unfold for the automotive supply chain when it is faced with cyberthreats. Indeed, cyberattacks begin small, but they deal heavy losses.
Case in point, the infamous “Sunburst” incident affected hundreds of organizations and left marks on these companies’ reputations. The attack was initiated by a state-sponsored threat actor who used a complex backdoor to infect the continuous integration and continuous delivery (CI/CD) environment of SolarWinds Orion software. They stealthily injected a small loader on the fly, so that the malicious code truly existed only while the code was being compiled; as a result, even the best code review tool was not able to find it.
With vehicles becoming smarter and software and hardware becoming more interwoven, it’s only a matter of time before this kind of attack takes place in the automotive industry. Higher computing power in vehicles makes them more like computers and equally susceptible to cyberattacks, which means that functional safety would no longer be enough for the modern car. In line with this, vehicle cybersecurity will only become increasingly imperative.
Attacks on the automotive supply chain
Already we are seeing cyberthreats spilling into the automotive supply chain. On February 28, 2022, a major automotive company announced the suspension of 28 operation lines in 14 plants in Japan due to a cyberattack on its automotive parts supplier. However, the threat actors targeted not only this automotive parts supplier but also other suppliers, including a well-known tire supplier and tool supplier.
Figure 1. Automotive industry cyberattack victims based on our scanning of publicly reported incidents
Looking back at the cyberattacks from last year, we saw several automotive supply chain cases. These kinds of cyberattacks affected a supplier's internal systems or services, and even went as far as striking against a car manufacturer’s or an OEM's operations, as exemplified in the previous case. These attacks create a ripple effect that leaves additional impacts on car dealers and several services for customers, which is exactly what happened in a different attack on another well-known automotive company in 2021.
Typical attacks begin with a vulnerability or some form of opening. One way that cybercriminals initiate attacks is by using system or network vulnerabilities to intrude into a vendor's network. Another tactic is gaining unauthenticated access permission, as seen in the attack on Nvidia this year. As in most attacks, once cybercriminals are inside a system, they proceed to encrypt data, after which they demand a ransom in return for unlocking the blocked systems. Most modern ransomware groups now either publish their victim list and the types of data they have stolen or threaten to do so in order to pressure their victims further into settling the ransom.
Figure 2. The overview of the roles that targets of cyberattacks have in the automotive supply chain and the number of attacked companies per role
By taking a closer look at and analyzing the attacks, we can say that the entire supply chain faces the same risks, regardless of a company’s role in the same supply chain. The fact is that 70% of the cases we saw were related to ransomware attacks, thus showing that most attackers are after monetary gain. In short, as long as there is an opportunity for cybercriminals to earn money, they will take advantage of this and attack. They can, for example, attack consumers directly by installing a remote-control backdoor on a single vehicle and threaten to destroy a person’s vehicle for a price. The value of the car alone would be sufficient grounds for a victim to consider paying the demanded ransom.
Figure 3. Threat groups behind the supply chain attacks based on our scanning of publicly reported incidents
Currently, the automotive industry is simply not at the same stage as internet companies with regard to dealing with such threats. Internet companies have already faced diverse types of cyberattacks for many years, enough to have developed a solid system and procedure for handling such cases, not to mention well-designed frameworks and mature tools for troubleshooting problems with ease. In contrast, the automotive industry is inexperienced in this area, and in fact the security of connected vehicles is more comparable to that of the internet of things (IoT). However, attacks on connected cars can cause far greater damage and are more likely to endanger human life.
Securing the automotive industry
Manufacturers, stakeholders, and regulating bodies are, at present, working together to stay ahead of cyberattacks. It’s also worth highlighting that OEMs don’t necessarily have to start their security journey from scratch — not when they have years of threat research across different industries to bank on. UNECE WP.29’s regulations and ISO/SAE 21434 also define benchmarks that can serve to guide organizations in developing safer and more secure cars in the future.
Enterprises would do well to espouse a holistic approach to security, as also suggested by the ISO/SAE 21434 standard. A multilayered defense can help guard against modern ransomware and other forms of cyberattacks. Meanwhile, to mitigate supply chain risks specific to the automotive industry, enterprises can begin by ensuring the presence of these measures:
- xNexus can help build awareness mechanisms and early warning for incoming attacks.
- Vulnerability Management Plus allows OEMs to scan vendors' firmware on multiple levels and effectively reduces the attack surface from the beginning.
- Secure OTA patches both known and unknown vulnerabilities for a quick response.
- Filter In Vehicle Network (IVN) messages with IDPS and use it as feedback for the VSOC back end.