Has the automotive industry done enough to secure Connected Cars against cyber-attacks from organised crime?

If ‘’white-hat’’ researchers can hack cars, so can sophisticated organised crime

While carmakers compete fiercely in the Connected Car arena, malicious cyber-attacks on cars from organised crime can and will move from a possibility to reality. Why is it inevitable?

Simply because we expect a proliferation of Connected Cars over the next ten years and considering that more than once ‘’white hat’’ researchers have demonstrated that modern Connected Cars can be hacked, there are many reasons to worry about. To put it simply, in many cases the existing in-network security needs an upgrade to withstand the new cyber-threats that arise from the introduction of the Cyber-Physical System.

Additionally, the amount of personal data (e.g. preferences, behaviour, location, even credit card details) collected and distributed over the network by Connected Cars will increase significantly over the next decade as the Internet-of-Cars develops (OTA, V2V, V2I, Autonomous).

Finally, as the number of connected-to-the-car devices increases, the vehicle’s attack vector will grow exponentially. And what’s worse, what we call Peripheral car cybersecurity will never be 100% robust. Even the smallest breach in car cybersecurity, whether it’s in-vehicle, peripheral and/or cloud security, is enough to draw the attention of sophisticated criminals who look for opportunities to monetize vulnerabilities.


 

Automotive Cyber Security is a far more than just ‘’researchers demonstrating what researchers can do”. We need real-world counter-measures to protect against sophisticated organised crime.

Mike Parris, Head of SBD Secure Car


 

What needs to be done to secure Connected Cars?

What we need is collaborative, proactive, car cybersecurity implemented by a layered-approach to guarantee security and data privacy. This, can included industry-wide standards, mandatory fitment of robust software and/or hardware solutions and certification of peripheral devices among others to protect against network-based threats (LTE), local area-based (Bluetooth, WiFi, etc.) and open software attacks respectively.

However, it is important for consumers to understand that this approach will not eliminate cyber threats, but it can reduce organised crime’s incentives to attack cars as their probability of success and their gain from infiltrating car security will decrease significantly.

 


A multi-layer approach is always a good practice, starting with a holistic process of security by design which involves addressing potential threats right from the requirement and design phase of products

Asaf Atzmon, VP of Business Development, TowerSec


 

Where are we now? And where are we going to?

Has the automotive industry done enough to protect Connected Cars against cyber-attacks? What is the status of the Automotive Cyber Security market in terms of penetration, demand-supply of solutions and market competition? How the cost of fitting cybersecurity solutions affects carmakers’ decisions?

In a nutshell, no official regulation or common standards exist yet but the auto industry is working on voluntary privacy principles which will take effect in January.

But many signs show that the market has the potential to grow exponential over the next 5 years. First, demand for penetration testing and product integration by OEMs is increasing, as a response to the car hackings (and their consequences on brand reputation).

 


In the last six months, the awareness level has risen much higher in the industry. We see a lot more activity in terms of the penetration testing requests we receive and also in terms of evaluation of our product.

Ziv Levi, CEO Arilou Technologies Ltd


 

Additionally, regulatory action has started to develop in the US and Japan while automotive industry standards are already being discussed.

At the same time, we observe significant investment, partnerships, and M&A in the marketplace which demonstrate that key stakeholders are developing their strategies and placing their bets for the years to come.

To get answers to these questions read our new report:

Automotive Cyber Security Market Forecast: the secure Connected Car. Contact us on:

(+44) (0)20 3286 4562 info@auto2xtech.com or visit auto2xtech.com

 

Different Hardware Solutions and Its Applications in Successfully Protecting Connected Car against Cyber Attacks

d


 

The Connected Car, as part of a Smarter World, is highly connected to and interacting with its environment. It brings enormous promises for increased comfort, safety and efficiency. But it also raises questions regarding security and privacy: like all connected device, it also becomes a target for attackers.

Most vehicle hacks actually consists of a number of smaller steps. It usually starts with finding a vulnerability (a ‘bug’) in a system that is remotely accessible. But once you get for example into a car’s telematics unit, you have a good chance of getting into just about any other part of the car such as the ECUs that control engine speed, braking, cruise control, valet parking etc. Therefore, a “defense-in-depth” strategy shall be applied, applying multiple security techniques at different levels in the system, to mitigate the risk of one component of the defense being compromised or circumvented. This means that countermeasures must be applied at the wireless interfaces, but also in the in-vehicle network and individual ECUs (computers).

Although certain security features can be implemented in software, hardware support is required in most cases: sometimes for performance reasons, but more often also for security reasons. Updatability of software is, on the one hand, a powerful feature that allows the manufacturer to manage the product during its entire lifecycle. But at the same this updatability also provides hackers with a means to manipulate the product. Furthermore, software on its own cannot protect against more advanced (physical, invasive) attacks.

Mr Timo van Roermund, the Security Architect of NXP’s business unit Automotive will elaborate on the different hardware solutions and how they can be used to successfully protect the Connected Car protected against cyber attacks, making the Connected Car an opportunity for business and society rather than a threat to us all, in the upcoming event “The China Automotive Cyber Security Summit”(CACSS2016) to be held on 21-22 Jan. 2016 in Shanghai.

CACSS2016 a sister event of our “The 5thAnnual Telematics Summit” hold on 10-11 Sep this year. CACSS2016 will provide a platform for Automotive OEMs, Tier 1 suppliers, Automotive security solution/technology/products developers,IT companies, Mobile data suppliers, Automotive insurance companies, and automotive cyber security experts to address government regulations developing trends, Automotive cyber security standards, updated vulnerabilities, “Black Hat” behavior motivations, State-of-the-Art technology solutions, critical cyber security challenges and collaboration initiatives; Help you to understand tailored smart car cyber security products and solutions, develop a set of effective cyber security management system, improve the capability of protecting smart cars, and build up sustainable and profitable business partnership.

For the past 5 years we have been holding undisputed annual event for the connected care telematics ecosystem. In the largest and most high-profile gathering for automotive and tier 1 telematics executives, we guarantee this event will be the hub from which new contacts, partnerships and strategy are made, with 2016 set to be bigger than ever!

For more information please contact Coco Liu at Tel: +86 21 5271 0279

Email: coco@grccinc.com

Event Website: http://www.acss2016.grccinc.com/index/

4 reasons why car cybersecurity solutions will experience strong demand over the next decade

The era of the Connected Car is here but the next big step of autonomous driving requires multiple layers of security against malicious cyber-attacks and enhanced data privacy, which are largely absent from carmakers’ offerings. However, in the wake of the recent car hacking events (Jeep hack, BMW, GM and Tesla), regulatory action has started to move faster in the US, with other advanced car markets expected to follow.

Recent hacking events will accelerate mandatory fitment of cyber security solutions in advanced car markets

With the SPY Act proposing rule-making within 18 months and final regulations within 3 years of the act’s enactment, there is high probability that fitment of cyber security solutions in new vehicles in the US will become mandatory before 2020.

We expect that regulatory action in Europe and Japan will follow, but after some clear requirements have been established in the US. The ENISA has already agreed with BMW to work on Connected Cars, whereas in Japan the IAC Ministry is working on car cybersecurity guidelines. As fitment of cyber security solutions becomes mandatory, demand for both software and hardware-based solutions will be strong over the next decade and new business models for connected devices will emerge.

 


Timeline of key cybersecurity regulatory events in 2015

Feb 2015 | The SPY Act was introduced to the US Senate by US Senators Edward Markey (D-Mass) and Richard Blumenthal (D-Conn)

Jul 2015 | The Alliance of Automobile Manufacturers’ Auto-ISAC will begin operations in S2-2015

Sep 2015 | The Japanese Internal Affairs & Communications Ministry works on car-hacking guidelines

Oct 2015 | The US Senate passes the (S.754) Cybersecurity Information Sharing Act

Oct 2015 | The European agency ENISA will start working on car data cybersecurity in 2016

Nov 2015 | Rep. Ted Lieu, D-Calif., introduced the Security and Privacy in Your Car Study Act

Nov 2015 | Toyota, Tesla and GM testified before the House Committee on Oversight and Government Reform on the “Internet of Cars”

Dec 2015 | SAE International announced its guidelines (J3061) on Cybersecurity


 

Cyber security product integration in early adopters’ vehicles to come as early as 2016

Responding to recent car hackings, several OEMs, such as Tesla Motors and Daimler, have assigned third parties to conduct threat-penetration and vulnerability analysis in their vehicles. Demand for penetration testing & vulnerability assessments is peaking momentum according to our interviews with executives from Automotive Cyber Security solution suppliers. We expect that by the end of 2016, most of the currently ongoing or announced penetration tests will have finished, similarly to product evaluation for most OEMs. Therefore, talks about product integration will begin for their next-generation vehicles.

Enhanced supply of software, hardware-based solutions and services-frameworks 

More cybersecurity solutions are now available to carmakers as new companies have entered the marketplace in the past 5 years. Most companies are head-quartered in developed car markets, such as the US, Germany and the UK, and in Israel; one of the leading hubs for cyber security globally. Moreover, some of the solutions offered by Cyber Security companies are cutting-edge. There are frameworks that could assist OEMs mitigate cyber security threats, as well as a number of software and hardware solutions that OEMs could embed (or integrate) into their offerings.

Automotive Cyber Security needs to be proactive to dis-incentivise attacks in the in-vehicle network by organised crime

With Connected Car penetration rising fast but car cybersecurity still relatively weak, cars are susceptible to cyber-threats from organised crime. Additionally, the proliferation of personal data stored and transmitted in the car increases organised crime’s incentive to attack vehicles. Therefore, ‘’proactive’’ cyber-attack protection substitutes ‘’keep them out’’ as the leading strategy. This trend will benefit suppliers of detection and prevention cyber security solutions.

What does that mean for growth in the Automotive Cyber Security market?

We assess that in the wake of the recent car hacks by cyber security researchers and US Senator Markey’s report on the vulnerability of modern vehicles to malicious attacks, Automotive Cyber Security will unfold as the key topic in OEMs and suppliers’ agenda for the immediate future. We also expect that the competitive landscape will alter significantly from its current status through M&A and the formation on new partnerships.

The key challenges here are how quickly the level of security and privacy in Connected Cars will rise to sufficient levels to avoid having vulnerable vehicles. Furthermore, how the cost of embedding cyber security solutions to new vehicles will affect OEMs, consumers and other key automotive stakeholders.

For more information read our new report:

Automotive Cyber Security Market Forecast 2015-2025: the secure Connected Car