OEMs in the spotlight
Attention is turning towards the role of OEMs in the cybersecurity chain when it comes to strengthening digital defences for vehicles, writes Emilio Campa, Associate Analyst at GlobalData.
Cybersecurity in vehicles must be extensive, defending both the frontend and backend of vehicle systems and all the infrastructure upon which connected cars rely. But cybersecurity is competing for attention with many other major automotive issues, which means many automotive companies are not sufficiently protected. However, best practices will be introduced over the next decade, giving automotive companies the chance to change.
Cyberattacks cause severe reputational damage and are expensive to remediate. Since the infamous Jeep hack reported by Wired in 2015, the automotive industry has been painfully aware of the importance of cybersecurity. In this incident, two researchers remotely hacked into a Jeep from several miles away and shut off its engine. The story attracted global media attention and resulted in Fiat Chrysler Automobiles, now Stellantis, issuing a voluntary recall of 1.4 million vehicles in the US. Fiat Chrysler estimated that the story cost it around $1 billion.
Automakers are often ill-prepared for the various cybersecurity threats. Cybersecurity is not a core competence for original equipment manufacturers (OEMs), meaning they lack the technical expertise required to implement effective cybersecurity measures. This leads to outsourcing, with OEMs often meeting only the most basic cybersecurity requirements to save on cost. This is not enough.
The cybersecurity vulnerabilities specific to the auto industry are numerous. Hackers could compromise the safety of advanced driver assistance systems (ADAS) of a vehicle in use or, worse, manipulate any autonomous functionality to directly cause a crash.
Bad actors could also access vehicle occupants’ private information such as current location, previous GPS destinations, or smartphone contacts. As automakers increasingly rely on over-the-air (OTA) updates to remotely add or upgrade vehicle features, cybersecurity efforts will be needed to ensure these methods are insulated from threat actors.
At a higher level, automotive companies are also at risk of industrial cybercrime, such as the theft of valuable tech secrets or damage to their digital infrastructure.
Insurance firm Munich Re expects global cybercrime damage across all industries to reach $10.5 trillion by 2025 compared to $6 trillion in 2021.
The risk of cybercrime in the automotive industry continues to grow as vehicles become more connected and manufacturers introduce more digital functions. Cybercrime already poses a significant threat to automotive players, with the well-known case of the Landwind X7 copying the design of the Range Rover Evoque being a prime example.
Ransomware attacks impacted Honda, Volkswagen (VW), Peugeot, and Kia in 2020 and 2021, with other OEMs suffering data breaches. Many of the largest OEMs are still woefully unprepared, as demonstrated by a 2021 CyberAware survey of the 14 OEMs responsible for $1.1 trillion in car industry revenue annually. CyberAware identified over 800,000 unprotected documents hosted on exposed servers, clouds, and databases, with 215,000 employees having exposed or compromised credentials. The exposed information included commercial details, email exchanges, contracts, invoices, and technical data.
Although the automotive industry faces many threats, there is still hope. Governments around the world are beginning to implement standards and regulations for cybersecurity in vehicles.
For example, in Europe, the UN Economic Commission for Europe (UNECE) formally introduced Regulation 155 in January 2021. This requires automakers to ensure that sufficient processes are in place to promote cybersecurity, that vehicles use appropriate cybersecurity architectures, and that they can demonstrate cybersecurity risk mitigation.
The US and China, among others, are also introducing their own rules around cybersecurity in vehicles. Although auto players will have to be aware of the regulatory landscape they are playing in to ensure compliance, these guides will help OEMs implement the best practices possible.