Automotive cybersecurity tactics and protocols will have to adapt not just to changing threats, but also to changing models of how we utilize vehicles.
Automotive cybersecurity – and especially the cybersecurity of
autonomous vehicles – has been a major source of discussion in the cybersec
community ever since 2015’s infamous hack of a moving Jeep.
Though autonomous vehicles have been around for a while, the threat
landscape they face has changed significantly in recent years. The focus used
to be on securing these vehicles against vulnerabilities introduced during design or
Now, as cybersecurity threats have become more sophisticated and adaptive,
there is a growing consensus that automotive security needs to take the same
step: away from a retroactive focus on eliminating security holes and towards
real-time vulnerability scanning systems.
In this article, we’ll look at the changing threat landscape in the
automotive sector and explain why the sector needs to make the transition to real-time
See also: A New Wrinkle in Autonomous (and Manned) Vehicles
The Changing Threat Landscape
Technology has revolutionized almost all aspects of the automotive
industry, improving efficiency and profitability at every stage from production
to sales. However, each novel use of technology also gives rise to new
cybersecurity challenges. For this reason, it’s important for automotive
manufacturers to take a holistic approach to the cybersecurity of their
There are, essentially, three levels of cybersecurity threat for
automotive companies. The first is shared with almost every other organization:
corporate systems. These systems likely hold valuable IP and personally
sensitive information, but also contain details of the cybersecurity measures
The second attack vector occurs at production plants. While today’s
highly automated production systems have made automotive manufacturing safer
and more efficient than ever, they are also vulnerable. An insufficiently
secure manufacturing process can potentially have a consequential effect on the
security of the cars it produces.
Then there is the security of the autonomous vehicles themselves. This
is often the most high-profile element of contemporary automotive cybersecurity
because it is the most apparent to consumers. However, in reality, autonomous
cars may be compromised just as easily via a “traditional” corporate
hack on the manufacturer as a real-time intrusion attempt.
Responding to this range of threats has been difficult, due in part to
some unique features of the automotive industry.
The first is the increasing complexity of contemporary vehicles. The
number of potential points of attack is already high enough to make totalizing
defensive strategies unworkable, and this will only get worse in years to come.
One reason is the number of vehicle nodes (ECUs) keeps increasing to support
the demand for additional functionalities. Today, an average vehicle may
contain around 30 units, and complex vehicles can comprise up to 100 units.
Secondly, most modern vehicles contain systems built by multiple
stakeholders, each to their own standard. This makes it difficult to integrate
all potential attack surfaces into a single, static cybersecurity defense
platform. There are signs this is changing, not least due to IBM’s dedicated automotive security
testing service, but
recent successful cyber attacks on cars leveraged the vulnerability that can
result from interconnections between components.
Third, even where OEMs have put in place sophisticated cybersecurity
systems, their suppliers might let them down. Indeed, it seems that the
concerns about the security of contemporary vehicles has not yet reached the
suppliers who build parts for them: in recent research by McKinsey, only 10
percent of automotive suppliers say cybersecurity ranks high on top
management’s agenda, compared to 35 percent of OEMs. Around 45 percent consider
external partners’ security (i.e., sub-suppliers) as being important to very
important, compared to more than 60 percent of automakers.
Real-Time, Edge AI
Meeting these challenges requires a shift in the mindset and practices
of the automotive industry. One major overhaul is long overdue – the deployment
of real-time, edge-focused AI security systems on autonomous vehicles.
Until now, implementing cybersecurity systems on autonomous vehicles
has largely been a one-time event. Systems are designed to prevent unwanted
intrusion, placed on vehicles at the time of manufacture, and then forgotten.
Given the highly dynamic threat landscape that these vehicles now face, this is
It also lags far behind the cybersecurity systems employed in other
sectors of the economy. Even small operations likely will take advantage of
inexpensive VPN software that allows for real-time data encryption, and larger firms with more impressive budgets might
opt for AI-driven intrusion detection systems. But up until now, these same
tools have been missing from autonomous vehicles.
There are signs that this is changing, however. As smart car computational capabilities increase, several firms have developed real-time
systems to protect against cyberattacks. The best of these provide highly
configurable deterministic and rule-based firewalls that incorporate machine
and deep learning technology and that control access and authentication across
all of a vehicles’ linked systems.
The promise of these real-time systems is that autonomous vehicles may
be able to protect themselves against novel threats, or even assess their own
vulnerability to them. Systems that provide predictive maintenance for smart cars are already on the market. There is
(theoretically) no reason why these might not be extended to the digital
components of these same cars.
Of course, it is also worth recognizing that the automotive industry is changing rapidly. Cybersecurity protocols will have to adapt not just to changing threats, but also to changing models of how we utilize vehicles. As we’ve previously reported, AI and blockchain have a significant role to play in the future of the industry, and might also provide extra security for autonomous vehicles.
For now, though, let’s get the foundation right, and give smart cars
the same level of protection as the average small business.