During the CSET Conference – the international event dedicated to cybersecurity for businesses and infrastructures promoted by START 4.0 – Sababa Security made its contribution by organizing a round table on automotive cybersecurity, which brought together several experts in the field. With smart technologies impacting different verticals, the automotive industry has also undergone significant technological changes that have led to several innovations in the autonomous vehicle sector. Driven by concerns about road safety and increasing congestion (among other things), the number of connected vehicles is constantly growing, while the risks associated with them are often underestimated.
Explore the topic in more detail by reading the panel discussion moderated by our CEO Alessio Aceti, involving Giuseppe Faranda, Omar Morando, Andrea Tomassi, Gianfranco Vinucci, and Pierluigi Avvanzo.
Yes, there is a day 0, which coincides with the awakening from the great enthusiasm of wanting to put more and more features inside vehicles. They realized that the topic of automotive cybersecurity is of fundamental importance, especially for those industries that are going through a digital transformation. It all started in 2015, with the famous successful attempt to hack a Jeep Cherokee by two American researchers, Charlie Miller and Chris Valasek, who began to be interested in the automotive world and to show that there were indeed vulnerabilities. From that day on, almost all companies in the industry started to structure themselves with internal cybersecurity teams, while others acquired companies for that purpose or relied on external ones.
The changes in regulations started with a generic standard, SAE (Society of Automotive Engineers) J3061, which collected good practices and guidelines for the automotive industry on cyber security. This standard was later transformed into ISO 21434 (Road Vehicles – Cyber Security Engineering), which covers the entire life cycle of the vehicle, from design to decommissioning. This standard was then used by the regulatory body responsible for setting homologation requirements to introduce UN Regulation No. 155, which stipulates that – starting from 2023 – all car manufacturers must comply with and be certified on specific requirements relating to cyber security.
Giuseppe Faranda, CEO at Drivesec
We are not just talking about personal information that can be exposed. Today we have vehicles that interact with each other to exchange traffic information (V2V – vehicle to vehicle), vehicles that communicate with infrastructures (V2I – vehicle to infrastructure), vehicles that exchange information with any entity that may affect, or may be affected by, the vehicle itself (V2X – vehicle to everything). There are therefore different technologies that allow a vehicle to interact with the outside world, and this can be done in two ways: short-range mode – which implies being close to the vehicle in order to communicate – or long-range mode, implying 4G/5G communication. The information that can be retrieved is not just personal data or statistical data from the vehicle; it is possible to access the interior of the vehicle itself.
Why? Inside a vehicle model there are 100 to 130 electronic control units that can be fully updated remotely and that communicate with internal networks that should be protected, but this does not always happen. The security aspect is no longer just data protection, but protection of the different access modes to the vehicle itself. In the work of a security researcher, when a vulnerability is found, the moral and professional obligation is to inform the manufacturer so that they can fix it. But if it is a cyber-criminal who finds it, it is a different story.
We are therefore dealing with a very large attack surface, and the risks are hardly perceptible to the average user who is outside the cyber security industry. It is no coincidence that starting from 2023 there is a legal obligation for manufacturers to meet certain automotive cybersecurity requirements by actually proving that their vehicles are sufficiently secure, given the level of technological knowledge of the moment.
Omar Morando, OT Cybersecurity Director at Sababa Security
ASRG is an association that has more than 7,000 members and is present in more than 20 countries. Our ultimate goal is to create awareness in a world – the automotive world – that is changing. I would like to highlight two aspects: security and safety. At ASRG we want to bring these two values together and create knowledge.
In the automotive industry, a paradigm shift is necessary in order to comply with new regulations. Our aim is to create and spread knowledge among the participants in our initiatives, creating networks and collaboration.
No less important is the ASRG Academy Network activity, which aims to bring the most widespread organisations into contact in order to create an exchange of information, at university level and involving important partners.
Andrea Tomassi, ASRG Italy Chapter President & Founder – ASRG EU Lead
We are still at a fairly preliminary stage. Companies are currently trying to chase the new regulations and to bring in a series of processes and technological tools that can support the transformation of these homologation requirements into something concrete.
Much reference is made to the design and development phase of any connected vehicle, which is undoubtedly a very important issue as the sooner vulnerabilities are identified, the easier it will be to fix them and bring to the market a product that meets certain cyber security requirements.
However, it is still vital to carry out continuous monitoring of the vehicle even once it is on the market. Why? First and foremost because production times are very short today. We get cars delivered quite quickly, but the vehicles will be on the streets for several years and, as said before, they have more than 100 control units inside, which are connected to each other and with the outside world.
While some vulnerabilities may be discovered in the development and production phase, some will only be detected once the car is on the market. For this reason, it is fundamental to have a continuous monitoring process to understand if there are vulnerabilities that have not been identified yet or if there are signals that may indicate unusual cyber security behaviours.
Gianfranco Vinucci, COO at PC Automotive
We are talking a lot about the Vehicle SOC, i.e. a Security Operations Center that, instead of collecting data from servers, computers and systems, collects it from vehicles and only takes into account the information that is useful in terms of security. This is a very popular topic today because there is a real need to continuously monitor all communications from the vehicle to the back-end – i.e. to companies and organizations that provide services to connected vehicles – as well as the flow of information from these back-ends to the vehicle (switch-off, switch-on).
The Vehicle SOC can certainly help. Similar to what happens in the IT and OT environments, the Vehicle SOC would collect data from different sources (vehicle, research companies, service providers), aggregate them, and apply rules to identify anomalies. At this point, it would be necessary to articulate a process of investigation of the anomaly to verify if it is related to a real threat and then a process of Incident Response to understand how to deal with it (in the most positive case, maybe it can be done through a remote update).
It is a continuous process that must be activated for both the car and the related services.
Gianfranco Vinucci, COO at PC Automotive
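As an added illustration of the rule-based anomaly detection step that the Vehicle SOC described above performs (this is example code written for this article, not PC Automotive's or Sababa Security's own tooling), the following Python snippet correlates a constructed JSON-lines feed of vehicle telemetry and back-end commands per VIN and raises alerts for a back-end switch-off while the vehicle is moving, an ECU update whose signature did not verify, and a burst of short-range authentication failures. The event schema, field names, VINs and thresholds are assumptions made for the example.

```python
import json
from collections import defaultdict, deque

# Constructed sample feed (JSON lines) mixing vehicle telemetry, back-end commands,
# ECU update results and short-range authentication failures. Not real data.
SAMPLE_FEED = """\
{"ts": 100, "vin": "VIN-A", "src": "vehicle", "type": "telemetry", "speed_kmh": 92}
{"ts": 101, "vin": "VIN-A", "src": "backend", "type": "command", "cmd": "switch_off"}
{"ts": 102, "vin": "VIN-B", "src": "vehicle", "type": "telemetry", "speed_kmh": 0}
{"ts": 103, "vin": "VIN-B", "src": "backend", "type": "command", "cmd": "switch_off"}
{"ts": 104, "vin": "VIN-B", "src": "vehicle", "type": "ecu_update", "ecu": "BCM", "signature_ok": false}
{"ts": 105, "vin": "VIN-C", "src": "vehicle", "type": "ecu_update", "ecu": "ECM", "signature_ok": true}
{"ts": 106, "vin": "VIN-C", "src": "vehicle", "type": "auth_fail", "channel": "short_range"}
{"ts": 120, "vin": "VIN-C", "src": "vehicle", "type": "auth_fail", "channel": "short_range"}
{"ts": 140, "vin": "VIN-C", "src": "vehicle", "type": "auth_fail", "channel": "short_range"}
"""

MOVING_KMH = 5          # assumed: a remote switch-off above this speed is safety-relevant
AUTH_FAIL_LIMIT = 3     # assumed: short-range auth failures per window before alerting
AUTH_FAIL_WINDOW = 60   # assumed: sliding window in seconds


def analyze(feed):
    """Correlate events per VIN and return the list of alerts (dicts) for investigation."""
    alerts = []
    last_speed = {}                  # vin -> most recently reported speed
    auth_fails = defaultdict(deque)  # vin -> timestamps of recent short-range auth failures
    for line in feed.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        vin, kind = ev["vin"], ev["type"]
        if kind == "telemetry":
            last_speed[vin] = ev["speed_kmh"]
        elif kind == "command" and ev["src"] == "backend" and ev["cmd"] == "switch_off":
            # Rule 1: a back-end switch-off while the vehicle's last known state is "moving".
            if last_speed.get(vin, 0) > MOVING_KMH:
                alerts.append({"vin": vin, "rule": "remote_switch_off_while_moving",
                               "severity": "high", "ts": ev["ts"]})
        elif kind == "ecu_update" and not ev["signature_ok"]:
            # Rule 2: ECU firmware whose signature did not verify on the vehicle.
            alerts.append({"vin": vin, "rule": "unsigned_ecu_update",
                           "severity": "high", "ts": ev["ts"], "ecu": ev["ecu"]})
        elif kind == "auth_fail" and ev["channel"] == "short_range":
            # Rule 3: burst of short-range auth failures inside a sliding window (alert once per burst).
            q = auth_fails[vin]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > AUTH_FAIL_WINDOW:
                q.popleft()
            if len(q) == AUTH_FAIL_LIMIT:
                alerts.append({"vin": vin, "rule": "short_range_auth_burst",
                               "severity": "medium", "ts": ev["ts"]})
    return alerts
```

Each alert is the starting point for the investigation and incident-response steps the panel describes; on the sample feed the engine raises one alert per rule (VIN-A, VIN-B and VIN-C respectively).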
In 2020, the Automatic Dependent Surveillance-Broadcast (ADS-B) protocol, which transmits GPS coordinates, altitude, speed and the vehicle’s identification number in clear text, became mandatory for all flying vehicles (including drones). This is a data transmission that can have a major impact on security: all it takes is a transceiver on the ground to listen to this data, being able to delete it from the air or transmit different coordinates. Any aircraft – private or operators’ (e.g. medical) – flying below 3,000 meters transmits data that can be listened to and easily modified, and this represents a risk for national security.
The important thing here is to create a redundant response and this must be based on 3 fundamental pillars, not only focusing on software, but also taking into account hardware and firewalls.
Pierluigi Avvanzo, CTO at OilChain Inc.
The important thing here is to reach a good compromise between the safety of a car and the development of all the businesses that are around the connected vehicles.
For example, the connected car sometimes needs to be repaired. There is the workshop service that allows you to replace the control units, and this can happen both in the car manufacturer’s ‘official’ workshops and in independent workshops. The car then moves from a completely closed environment to a completely open one, which must, however, be protected.
You have to manage an intelligent environment that can connect. This means that access to the car must be managed on the basis of roles and authorisations – there will be authorization for activities that have to be done by those who are in charge of collecting positioning information, of maintenance or charging. There must be interaction between those developing the car’s security system and all those who need the data.
Giuseppe Faranda, CEO at Drivesec
As mentioned before, by 2023 you have to be cyber safe with your vehicles. The automotive manufacturers are responsible for the cybersecurity of their vehicle, which also involves tier 1 and tier 2 providers who supply the electronic control units, radar sensors and other things. It is a chain, and the providers should also adapt for the vehicle to be compliant. The problem is that the chain is extremely long and the involvement – in terms of responsibilities – of all the actors, to date, is left to the sensitivity of the service providers themselves.
There are after-market products that are not the responsibility of the manufacturer and do not fall within the scope of homologation certification of the vehicle, though they can represent the weak link that breaks the chain.
There is a need to conquer the market as happened with smart home devices, when there was a rush to launch the next fridge that was telling you what to buy, but without taking into consideration the cybersecurity aspects of it. While on the one hand there is finally awareness of the critical aspects of automotive cybersecurity, we are still lagging with regard to infrastructure because it will take a few more years, a few more incidents, and a few more new regulations to make us run for cover.
What we need to do is get ahead and train people to get this important message across. There is information that is really critical and there are security aspects that can no longer be postponed or delayed. These are issues that need to be spread; we need to raise awareness of the existing risks in a clear way. Another problem is that this issue is not taken into consideration because it is often not understood. It is a very delicate, sophisticated topic that requires specific skills, and therefore we need to use simple language that everyone can understand to clarify what the real exposure is and which practical and relatively simple solutions can be found.
Omar Morando, OT Cybersecurity Director at Sababa Security
The growing digitalization in the automotive industry is increasing the complexity of modern vehicles: every point of connection is a potential “entrance door” for hackers, thus making automotive cybersecurity a necessity that can no longer be ignored if we want to avoid the compromise of both critical safety functions and customer privacy.