The world of mobility is moving at such a fast pace that stakeholders need to look ahead in order to keep up. Current technologies — the internet of things (IoT), 5G, and the cloud — have converged to reinvent automobiles and make the smart car a reality. Now, the smart car is poised to take over as the modern vehicle of choice and one area that needs to stay ahead of this development is cybersecurity.
Security researchers have long begun investigating weaknesses of the first connected cars. Contributing our own research on automotive cybersecurity and on its surrounding technologies we are able to get a scope of the connected car attack surface and risks to its supply chain.
Threats on the horizon
The connected car looks and works as a car, but is also essentially a data center on wheels. In fact, it is said that already the modern car runs on a hundred million lines of code and is part of a complex ecosystem and attack surface.
Looking back at the studies done on connected cars from the past decade, we can see that some of the simulated attacks used tactics that seem familiar. Examples of which include manipulation of software updates, escalation of privilege, and data exfiltration. This isn’t surprising because connected cars share hardware, software, and communication protocols from IT. It is fair to assume that, because of their growing connectivity, future vehicles will share more of the IT industry’s problems and risks.
Figure 1. The attack surface of connected cars
For example, connected cars of the future will depend more on the cloud and have fully digital controls. While the cloud opens several advantages, it also introduces risks. As they have been known to in the past, cybercriminals can target third-party cloud-based applications. They can also create more architecture-agnostic malware that can have cascading effects on connected vehicles. OEMs, suppliers, and users alike might one day have to worry about mainstream cloud attacks as well, such as latency issues, denial-of-service (DoS) attacks, and man-in-the-middle (MitM) attacks.
Thankfully, most of the threats and security gaps we know today have been discovered by researchers who have responsibly disclosed them. However, discussing the security of connected cars would not be complete without looking at their supply chain, where attacks are already a reality. It appears that the current automotive supply chain ecosystem is not yet equipped enough with either the expertise or capability to defend itself potential cyberattack risks.
Vulnerability management is not enough
These real-world attacks, alongside threat research, only mean one thing: Vulnerability management alone is not enough to mitigate risks in the automotive software supply chain.
As illustrated in Figure 1, the connected car is part of a supply chain that is already at risk. Ransomware attacks show how cybercriminals have set their sights on the automotive industry and expose the vulnerable side of the supply chain.
The automotive software supply chain faces three potential risks:
- Malware or malicious code injection
- Unsecure code
To raise awareness on the threat of malware and malicious code injection, we only have to look at recent attacks to see how devastating they can be.
In the past year, we have seen a spillover of cyberattacks involving malware, particularly ransomware on the automotive industry. These cyberattacks affected a supplier's internal systems or services, and even an OEM's operations. These attacks also had cascading effects felt throughout the supply chain down to car dealers and customers.
The most frustrating characteristic of supply chain attacks perhaps is how they start small. The attack on SolarWinds and other industries demonstrate the unpredictable impact of a successful campaign on any member of a supply chain. Cybercriminals also have a penchant for attacking weak links while aiming for bigger targets in the chain. The assumption behind this trend perhaps is how it is easier to inject malicious code to a supplier’s software and hardware than directly to an OEM’s.
In general, successful campaigns happen because the possibility of malware and malicious code injection are usually overlooked. Compared to a vulnerability risk alone, malware and code injection are more severe to the supply chain. In a way, a specially designed ransomware injected in the supplier’s software is comparable to a ticking time-bomb. One would not be able detect this malicious code through traditional vulnerability management. The worst case scenario, a nightmare for OEMs, would involve the ransomware activating when affected cars are already on the road. As this illustrates, vulnerability management alone is not sufficient to mitigate automotive software supply chain risks in the face of evolving cyberattacks.
A robust automotive cybersecurity strategy
As connected cars become more mainstream, the automotive software supply chain will likely feature more in cybercriminals’ list of targets. It is important to ensure the supply chain is ready to face such attention. As regulations and guidelines UN Regulation No. 155 (UN R155) and ISO/SAE 21343 signify, the time to act is now. What is important is to build a robust cybersecurity strategy that will encompass the entire supply chain and vehicle life cycle.
Manufacturers would have to conduct their own thorough risk assessment to identify critical areas and to best allocate resources. They can also look to the said regulations for benchmarks, as compliance especially to UN R155 would be key in being a competitive member of the market and proof of state-of-the art vehicles.
OEMs would not have to start from scratch. They can take reassurance from years of threat research that has monitored the very technologies that made the connected car and look to cybersecurity solutions that provide complete protection, from a vehicle’s initial design to the deployment of software update services, and security penetration testing, all in a single integrated platform.