- So, how big is the (potential) problem?
- The importance of cybersecurity by design
- Today’s cyberthreats — tomorrow’s new business opportunities?
Internet-connected vehicles, many of which already have (semi-)autonomous features, will completely change transportation as we know it. They are anticipated to prevent many of our road accidents in the future, reduce pollution and congestion, and lower the need for parking spaces. To enable connected vehicles to accomplish all of this, they will need to be equipped with sensor technology and wireless interfaces that connect them to the internet, infrastructure, external devices and systems, and, of course, other road users. And while this connectivity will introduce incredible functionality and offer many benefits, vehicles that are this interconnected, complex, and increasingly programmable will inadvertently also introduce more attack surfaces that can be exploited, exposing us to a great number of privacy and (cyber)security risks. The good news is that car manufacturers are increasingly incorporating hardware, as well as software, to protect self-driving vehicles from cyberattacks. In fact, according to MarketsandMarkets, the automotive cybersecurity market is projected to grow from $2.0 billion in 2021 to $5.3 billion by 2026, at a CAGR of 21.3 per cent. The bad news is that cybercriminals are keeping pace and developing more and more advanced hacking capabilities. So, how will we protect tomorrow’s cars from cyberattacks?
“And if you consider the fact that more and more people will be relying on connected car technologies in the years to come — not only for efficiency and safety but for infotainment as well — and that every car that’s connected to the Internet of Things will produce around 30 terabytes of data on a daily basis… well, then it’s not difficult to see that (cyber) protecting these vehicles will become paramount”.Richard van Hooijdonk, trendwatcher and futurist
So, how big is the (potential) problem?
According to the Connected Car Overview, 2020-2030 report, the connected car space will grow to 2.5 billion ‘connections’ by 2030 — which is 1.8 billion connected vehicles plus 0.7 billion aftermarket devices. More and more channels will start intertwining; think connected devices, connected infrastructure, cloud storage, and so on. And as cars are increasingly resembling computers on wheels, containing multiple chips with millions of lines of code each that control every conceivable action and reaction — from braking systems to temperature and more — it becomes clear that securing these vehicles is a complex challenge.
Futurist and trendwatcher Richard van Hooijdonk says: “And if you consider the fact that more and more people will be relying on connected car technologies in the years to come, not only for efficiency and safety but infotainment as well, and that every car that’s connected to the Internet of Things will produce around 30 terabytes of data on a daily basis… well, then it’s not difficult to see that (cyber) protecting these vehicles will become paramount, not only for the safety of the passengers but also to actually enable the potential benefits of these technologies to materialise”. Cars are increasingly becoming part of the smart device and digital services ecosystem, and in the future, our ‘personalised cars’ will even become part of our digital identities.
So, let’s delve into the various rather creepy things connected cars of the future will be able to do — and the threats that could jeopardise the safety of the people in (and around) them. Being really just like any other smart device, connected cars with their embedded sensors, microchips, microphones, and cameras will collect all kinds of information, such as your location, how much fuel you use, billing information, whether you wear your seatbelt, how fast you drive, how aggressively you brake, the shops, restaurants, and other establishments/people/institutions you visit, what music you listen to, the number of telephone calls you make and to whom, and your activity on social media. Sure, car manufacturers might state that all of this information will merely enable them to improve their products (and insurers might claim that this information helps them determine the cause of accidents). And sure, they might promise never to share your information with others without your consent. But stop to think for a moment about how valuable this data is to others, such as (other) companies, law enforcement, and government agencies.
Then there’s the issue of potentially infected devices that are connected to your car, such as your smartphone, entertainment systems, key fobs, telematics, third-party apps, and so on, that could spread this infection to the software systems of the car. And we can only imagine what could transpire should cybercriminals manage to get control over your car. They could, for instance, activate the vehicle’s microphone and listen to your conversations, disable the car’s security system, or disable your brakes and cause a crash. We’ve all read about the 1.4 million vehicles that Chrysler had to recall after hackers managed to hack a Jeep and took over the car’s dashboard, brakes, steering, and transmission in 2014. And in 2021, from his home in Germany, a 19-year-old managed to break into dozens of electric cars in 13 countries, controlling the cars’ lights, locks, and temperature. He also managed to discern owners’ email addresses and their cars’ locations. From these examples and various more recent breaches, it’s not hard to see how, going forward, ransomware could be used against insufficiently secured vehicles, potentially holding entire corporate fleets of connected cars — or those of a certain carmaker — hostage until the hackers are paid. Cybercriminals or state actors could even hijack a fleet of self-driving vehicles and transform them into weapons on wheels. Infected or hacked vehicles could also pose serious risks to the environment in which they operate, such as the cell towers, satellites, and servers they communicate with, but also infrastructure, such as vehicle charging stations, sensors embedded in roads, bridges, or buildings, or smart traffic management systems.
Even though the current risk of your car being hacked is still quite low, in the near future, all vehicles will become smart devices, which will make them sought-after treasure troves containing highly sensitive information. Connected cars will require significantly advanced levels of protection against all kinds of threats, and corporations will need to provide their self-driving fleets with the same type of security they use to protect their office networks, such as intrusion detection systems, firewalls, and patch management solutions. And at the point of manufacture, carmakers will need to focus on security by design, zero-trust architecture, encryption, and so on.
“To ensure that the foundation of a vehicle’s critical security system is safe, vehicles must be secure by design: security must be embedded within every aspect of the vehicle. There will always be new threats, but a car should be capable of stopping cyberattacks through standalone solutions that do not require any human intervention”.Moshe Shlisel, CEO GuardKnox
The importance of cybersecurity by design
With billions already having been pumped into connected cars and related technologies, it’s clear that we’re firmly on the road to ever-increasing connected driving, leaving the pre-internet era far behind us. All of the elements that make up the connected automotive ecosystem, including car manufacturers, regulatory bodies, federal lawmakers, cybersecurity experts, security suppliers, and so on, will have to collaborate to enhance existing processes and improve existing security measures to ensure that the vehicles of the future will be adequately protected from ransomware, malware, botnets, DDoS, and various other security risks. But until governments impose rigorous cyber standards for connected vehicles, drivers, passengers, and other road users will remain at serious risk.
The most important first step is security by design, which means that security should be embedded during the design phase for each aspect of the vehicle — from GPS and infotainment to telematics and more — before the car is manufactured, and not as an afterthought. Millions of connected cars are already on the road with no cyber protection whatsoever, which is a recipe for disaster. Moshe Shlisel, CEO at GuardKnox, a company that offers automotive manufacturers cybersecurity solutions, explains: “Vehicles should not need constant human interaction with the cybersecurity aspects of a vehicle in order to prevent cyberattacks. To ensure that the foundation of a vehicle’s critical security system is safe, vehicles must be secure by design: security must be embedded within every aspect of the vehicle. There will always be new threats, but a car should be capable of stopping cyberattacks through standalone solutions that do not require any human intervention, and which are not learning mechanisms but rather deterministic”. All of these millions of connected, semi-autonomous cars already on the road will now need to be retrofitted with aftermarket cybersecurity solutions to protect them.
Today’s cyberthreats — tomorrow’s new business opportunities?
These automotive cybersecurity threats, which are expected to increase in frequency as well as in scale and severity, will also lead to new business opportunities for car manufacturers, who will increasingly become service providers as well, as making and selling the hardware alone will no longer be sufficient. According to Allied Market Research, a significant number of businesses will be moving into the adaptive security market in the years ahead. Adaptive security involves the analysis of behaviours and events that can help smart systems prevent attacks before they occur. Leveraging analytics technology, adaptive security protects against targeted, as well as opportunistic attacks, insider threats, and more. The specialised security software can be used to continuously analyse potential threats, calculate risks, and provide security solutions that can be scaled up or down, depending on the situation at hand. And as automotive cybersecurity needs will likely encompass the entire mobility ecosystem, business opportunities abound in various other related areas and industries as well. We’re not only talking about the protection of the actual vehicles, but also their charging stations, the devices they are connected to, and the data streams between these vehicles and external devices, smart city elements, the cloud, and many other interfaces.
With cars becoming increasingly connected to everything — including other vehicles, parking metres, and traffic management systems — and driver preferences and requirements rapidly evolving, we’re seeing the connected car industry continuously adapting. Connected vehicles are, in a way, not very different from smartphones and other smart IoT devices: they are connected to the internet and communicate with other smart equipment and systems, and in doing so, they transmit and receive data. And while all of the latest technologies and the data needed for them, such as advanced driver assistance, increased personalisation, and ubiquitous connectedness, are improving comfort and road safety, they also expose drivers, other road users, and the connected ecosystem of smart devices and systems to cyberattacks. This not only necessitates the need for the implementation of rigorous cyber standards for connected vehicles but the implementation of cybersecurity by design as well. The need for solutions is expected to drive the growth of the worldwide automotive cybersecurity market in the years to come and provide opportunities for businesses in the connected automotive sector to provide retrofitted aftermarket cybersecurity solutions.