News
Architecture and Hardware

Keeping Control of the Wheel

Posted
A connected car under cyberattack.
One automotive cybersecurity expert suggests the risk of a hack affecting the safety of a consumer connected vehicle is "minimal. Attacks targeting personally identifiable information, including Bluetooth sniffing attacks on smartphones and address books,

"The rising need for cybersecurity will trigger investments over the next few years. We expect to see the market grow from US$4.9 billion in 2020 to US$9.7 billion in 2030, with software business representing half of the market by 2030," according to "Cybersecurity in automotive: Mastering the challenge," a 2020 market study by global management consulting firm McKinsey & Company.

The study "Automotive Cybersecurity Market: the Development of Autonomous Cars and Other Notable Growth Drivers," by market intelligence firm Infinity Research, identifies the market forces advancing automotive cybersecurity as including:

  • The development of autonomous vehicles with wireless connections.
  • The increasing number of in-vehicle electronic control units and their wireless connections.
  • Regulatory mandates and standards targeting the cyber-safety of vehicles and data .

Nobody wants criminal hackers in the driver's seat. "Much of the motivation to implement enhanced security systems stems from advances in in-vehicle capabilities. Progress in these internal capabilities includes Advanced Driver Assistance Systems (ADAS). These systems necessitate heightened computer control over sensitive actuators (drive by wire, including steer by wire, throttle by wire, and brake by wire)," says Josh Siegel, assistant professor of computer science and engineering at Michigan State University (MSU).

According to the 2021 HSB Cyber Car Tech Survey by cyber risk insurer HSB Group, more than a third of U.S. consumers say they are concerned about the cybersecurity of connected cars. Another third say they fear a computer virus, hacking incident, or other cyberattack that could damage or destroy their vehicle's data, software, or operating systems.

To MSU's Siegel, growing hacker expertise suggests automotive cyberattacks are unleashed by criminal hackers with malicious intent, and not just discovered by researchers to bring vulnerabilities to light. There have been targeted hacks turning vehicles into espionage devices at military bases and disabling engines, so the individual has to take other transportation to work, says Siegel. "I assume that nation-states or well-resourced entities are executing these attacks," says Siegel.

The 2021 Global Automotive Cybersecurity Report by connected vehicle cybersecurity provider Upstream Security, found that malicious blackhat hackers last year carried out 55% of automotive cyberhacks to disrupt business, steal property, and demand ransom. Whitehat hackers and researchers, including those participating in automotive bug bounty programs, performed 38.6% of hacks, the report says. Bug Bounty programs pay white hat hackers a reward or "bounty" for finding critical vulnerabilities in an organization's software.

Siegel suggests that "for the average consumer, the risk of a hack affecting safety is minimal. Attacks targeting PII (personally identifiable information), including Bluetooth sniffing attacks on smartphones and address books, are more widespread than safety hacks." Bluetooth sniffing uses specially configured dongles to detect devices using Bluetooth communications.

Against this disturbing backdrop, established cybersecurity and technology firms are working on automotive cybersecurity solutions. For example, an Argus Cyber Security media release and the Argus website describe how that company is applying its automotive cybersecurity suite, along with Microsoft Azure IoT for automotive applications, to give automakers an end-to-end cloud-based cybersecurity solution. Argus Cyber Security includes an automotive Security Operations Center (SOC) where cybersecurity team members work together using security tools to monitor, analyze, and respond to cyberattacks; the SOC will take a load off of automakers who would otherwise have to conduct these security activities internally. Argus Cyber Security also provides onboard monitoring, insightful reporting, protection against attacks on in-vehicle electronic control units (ECUs), and Over-the-Air (OTA) software updates.

Meanwhile, Panasonic and McAfee are building Vehicle SOCs in tandem with an Automotive Intrusion Detection System (IDS) product for monitoring, accurate detection, and early response to attacks, according to a news release from Panasonic. Koichi Kawashima, manager of McAfee's Solution Service Dept., says McAfee will provide professional services support to Panasonic's Vehicle SOC, supervising the development and management of the installation's systems, as well as its strategy, policies, and processes. McAfee also will provide incident response services. Incident response is a set of security activities that happen after a security incident, such as a breach or attack, to contain the incident, stop the attack, remove infections, and return systems to normal.

However, not everyone sees these approaches as the best ways to secure connected cars. Speaking of the McAfee/Panasonic collaboration, Siegel said, "From what I understand, their solution is primarily reactive. By definition, an IDS is an intrusion detection system."  Siegel said what connected cars need is not intrusion detection, but intrusion prevention and mitigation. While intrusion detection monitors and reports malicious network activity, intrusion prevention and mitigation blocks known bad network traffic.

Siegel acknowledges, "The Argus /Microsoft solution seems a bit more comprehensive than the McAfee/Panasonic solution. It provides provisions for in-vehicle security, in-cloud security, and even protection for software updates."

The more that connected cars evolve, such as by adding 5G connectivity, the more automotive cybersecurity will have to mature, with approaches that security experts have been using for years on enterprise systems and networks.

Says Jithesh Joshy, head of cyber research at U.K.-based automotive research and consultancy organization SBD Automotive, "As connected vehicles become increasingly sophisticated, it is essential to adopt a layered defense-in-depth approach to security. This approach includes the deployment of several independent security methods at different layers in a connected car systems architecture to reduce the risk of having a successful attack due to a single, compromised component."

The most effective solutions, says Joshy, "typically focus on the separation of domains and secure gateways, secure storage, and secure boot, as well as intrusion detection and protection systems (IDPS)."  Secure boot protects computer system startup processes. Secure access to different networks, often including different kinds of networks, is the work of Secure Gateways. Secure storage prevents unauthorized access to the data within. By separating these items from each other, an attacker with access to one could not easily gain access to another and gain greater control of a connected vehicle.

David Geer is a journalist who focuses on issues related to cybersecurity. He writes from Cleveland, OH, USA.

Join the Discussion (0)

Become a Member or Sign In to Post a Comment

The Latest from CACM

Shape the Future of Computing

ACM encourages its members to take a direct hand in shaping the future of the association. There are more ways than ever to get involved.

Get Involved

Communications of the ACM (CACM) is now a fully Open Access publication.

By opening CACM to the world, we hope to increase engagement among the broader computer science community and encourage non-members to discover the rich resources ACM has to offer.

Learn More