In the first half of 2019, the number of reported cyberattacks on vehicles more than doubled over the same period last year, to 82 from 32, according to a report from Upstream Security. That might not sound like many, but the growth rate and diversity of such hacks are cause for concern.
Just under half the attacks were so-called relay theft, which involves amplifying remote keyless entry signals to steal cars and, in some cases, demand a ransom from the owners. In a further 18% of attacks, hackers took control of back-end servers to track and control vehicles remotely. One particularly troubling (but, thankfully, white-hat) attack broke into a GPS tracker app. The attacker was able to see the location of thousands of vehicles and could send commands to open doors and shut down engines. Other attack vectors include mobile-device attacks through insecure third-party apps, such as telematics, and on-board diagnostics (OBD) port attacks. One such OBD attack (by a security company) on a Tesla was able to flood the Controller Area Network (CAN) bus with messages via a Bluetooth diagnostics module. The resulting influx of error messages shut down both the front and rear motors.
NTT Security provides strategic and technical consultancy for automotive security for tier-one suppliers and OEMs, starting with securing applications for back-end infrastructure for connected cars and, more recently, working on the whole connected-car environment. “From a security point of view, the in-car attacks are the most sophisticated,” Bader said. “But when we’re talking about the business risks, the business risk is greater for the other attack vectors. If I hack a car, it’s usually only one car, but if I hack back-end infrastructure, or a network connecting to a fleet, then this has a much bigger impact on the OEM or tier-one supplier.”
Hacking a fleet could have serious repercussions. Research has shown that an attacker would only need to stop 20% of vehicles in a built-up area such as Manhattan to cause gridlock and result in chaos.
Who is responsible for securing the connected car? OEMs have a legal responsibility to the car owners, Bader said, but when an incident happens, OEMs will often look to tier-one suppliers to look into the root cause of the problem. Instead, the question should be: Who is responsible for specifying security features within the OEM?
“OEMs have to provide specific requirements, which is challenging, because they have to define who is responsible within the OEM for providing this,” Bader said. “Is it the security department? Is it the IT department? Is it the engineering department? At the moment, no one knows. There is still some discussion around it, and it’s somewhat challenging.”
The IT department is generally responsible for everything outside the car itself, with the engineering group taking the lead for in-car communications. These departments will need to work together to address security risks as the environment changes into more of a classic IT structure for autonomous vehicles. “There is still a lot of thinking in silos,” said Bader. “[OEMs] need to establish a more constant exchange with different departments from a business perspective.”
While most tier-one suppliers provide baseline security for their products and others are working to do so, this can create further problems for the OEM. “You have the challenge of who is collecting all this information from the specific tier-one suppliers and providing an overlay structure for correlating and assembling all this information,” Bader said. “[In most cases], this is still under construction.”
The industry is gradually moving toward ISO 21434. The new standard, heavily based on SAE J3061, tackles cybersecurity in the automotive industry. It’s due to be finalized before the end of the year; draft versions are available so that companies can prepare.
“[ISO 21434] means that the OEMs have to establish a framework for cybersecurity for connected cars, resulting in pushing the tier-one suppliers to provide more and more maturity for these security topics they have to address,” said Bader. “What we see at the moment is that the OEMs are pushing out standards and requirements that the tier-one supplier has to fulfill and has to prove [it has fulfilled], because from a legal point of view, the OEM is responsible in case of an incident.”
Aileen Ryan, chief strategy officer at UltraSoC, also sees security requirements being pushed down the chain onto tier ones. “Legally, today, it’s the OEM who is responsible for security of the vehicle, but [OEMs] are already taking measures to ensure that their supply chain is at least paying regard to J3061,” she said. “My expectation is that once 21434 is ratified, they will start to mandate that all the suppliers in their supply chain are compliant with that as well. That doesn’t necessarily mean that the liability [for security] will change, but it gives the OEM the potential to cascade some kind of legal challenge further down the value chain, if they feel that they need to.”
“It is about embedding a cybersecurity culture in your organization, if you’re playing a role in the supply chain for automotive,” said Ryan. “It talks about the kinds of cybersecurity processes and design and development methodologies that [OEMs] would expect to see, which, like 26262, would be auditable.”
SAFETY VS. SECURITY
There is a tendency in the industry to think that safety and security are separate issues, Ryan said. While functional safety is a well-known issue because of ISO 26262, security is not at the same level of maturity, because the corresponding standard is still under development. “Safety issues are really a subset of security issues,” she said. “There is no safety without security.” Today, she said, OEMs tend to “have teams that are working on security and teams that are working on safety, and there doesn’t appear to be adequate communication between those two groups.”
UltraSoC, based in the U.K., provides semiconductor IP that monitors what is happening on-chip in real time to help detect malicious activity such as attacks. “Our monitoring can look for certain situations that we know are not allowed to happen on the chip. For example, we can watch to make sure only allowed sections of the chip are accessing certain areas of memory,” Ryan said. “If we see something untoward happening, we can raise an alarm. In our next generation of products, we will also be able to prevent that situation from taking place.”
The company recently won a £2 million grant from Innovate UK for a project that will move toward integrating intelligent capabilities on chip. The project, in collaboration with Coventry University, cybersecurity consultancy Copper Horse, and the University of Southampton, will use UltraSoC’s embedded on-chip analytics to identify security problems quickly and reliably. Machine-learning experts from the University of Southampton will work with UltraSoC to develop algorithms to identify potential hacks.
“The goal is to have an on-chip analytics subsystem that observes what’s happening on the chip, like we do today, but build up a picture of what is normal operation for that chip,” Ryan said. “That normal operation might change over a period of time — perhaps with aging, [or] perhaps different software loads that get put onto the vehicle will change the performance and signature of the chip. Then we will intelligently monitor for deviations from normal, which could be a failure or a safety issue, or could indicate malicious intrusion.”
While the automotive value chain has traditionally been static, Ryan said the industry is changing. Increased attention on cybersecurity is making room for startups and SMEs, like UltraSoC, and there are companies springing up in Silicon Valley and internationally to address the problem.
“What we see in the automotive sector at the moment is that it’s a time of very significant disruption, with lots of new entrants providing niche capability focused on the security or cybersecurity angle of automotive,” she said. The concept of “coopertition,” where competitors work together to tackle common issues, is also emerging. “It’s becoming a much more open environment where the bigger organizations are actively looking for new ideas that will help them. They’re engaging with startups; they’re starting to behave quite differently,” said Ryan. ■