
A deep dive into Automotive Hacking and Mobility Cybersecurity, CIOSEA News, ETCIO SEA


Undoubtedly, the rise of mobility and the Internet of Things (IoT) has significantly contributed to digital optimisation, transformation and the Industrial Revolution 4.0. The popularity of Mobile Computing, Bring-Your-Own-Device (BYOD), mobile commerce, and the transformation of automotive, healthcare, utilities and other verticals to interconnected hybrid systems leveraging IoT, especially Operational Technology (OT), have brought about innumerable benefits on the one hand, and have significantly increased the breadth and volume of potential attack surfaces on the other. There is a humongous number of connected vehicles and mobile devices operating remotely, beyond the trusted organisational network security perimeter, with many users having inadequate cyber awareness.

The enormous role of cybersecurity can be gauged from the sheer numbers of mobiles, IoT devices and connected automobiles globally. As per Statista’s research, in 2021, there were almost 15 billion mobile devices and this is estimated to exceed 18 billion by 2025. As per this research by IoT Analytics, it is expected that the current number of connected IoT devices globally of over 12 billion will reach 27 billion by 2025. By the end of the first quarter of 2022, there were approximately 1.45 billion vehicles in the world, of which about 1.1 billion are passenger cars.

With the penetration of mobility and IoT having accelerated, especially after the pandemic period, breaches, hacks, and vulnerabilities in automotive and mobile security can have devastating effects such as monetary losses, downtime, safety risks and even loss of life.

What is the historical perspective of Automotive Hacking?

The automotive industry has undergone a major shift over the past few years, especially with the buzz around Electric Vehicles, Autonomous Cars, enhanced Safety Features and reduced emissions. Just like other verticals, there has been an increasing penetration of Information Technology, Telecommunications and IoT within the automotive vertical as well. Increased Regulations on Safety Features have added many new systems within connected cars. Automotive Companies are also looking at monetizing the considerable datasets from their connected vehicles ecosystem, and this McKinsey article estimates a potential of $250 billion to $400 billion in annual incremental value for automotive players in 2030 by unlocking this value from their ecosystems covering mobility insurance, safety, on-demand in-vehicle services including vehicle charging, entertainment and others, R&D optimisation, spare parts and others.

This research by Gartner highlights the importance of digital technology in the automotive ecosystem with software and technology being the key differentiating factors. Trends of automakers to manufacture their own chips, integrating technology and leveraging open source & mobile operating systems into connected vehicles, and monetizing remote Over-The-Air (OTA) software updates necessitate cybersecurity considerations as well.

The 2015 Cherokee Jeep hack transformed automotive cybersecurity forever. Not unlike the attacks on critical infrastructure, hacking into the Wi-Fi, multimedia, GPS navigation systems and, most importantly, the Controller Area Network (CAN) can take over maneuvering, braking, speed, music and other environmental controls, and thus have alarming and severe repercussions for moving vehicles, their drivers and passengers. A few months after this hack, Fiat Chrysler recalled over 1.4 million cars after a software bug was discovered in its U-Connect system. Similar vulnerabilities were discovered in the Tesla Model S as well as in GM’s OnStar Remote Link App. There have also been several instances of data breaches at Toyota, Volvo and other auto OEMs, exposing their customers’ personal information.

The plethora of attack surfaces has mushroomed to also cover Electric Vehicle Supply Equipment, radar, sonar and visual sensors, keyless systems, tyre pressure systems etc. These attacks, hacks or breaches can now also install malware, steal, spy on, and track vehicles, besides controlling, shutting down, and disabling safety features.

The main challenges plaguing OT security also apply to automotive systems: the infeasibility of frequent security patches, heterogeneous and disparate IoT systems, and lack of visibility and 3rd party access, as well as vulnerabilities in the 3 IoT layers: automotive chips, controllers and physical devices; edge computing; and the cloud application layer. Vehicles nowadays have well over 100 electronic control units and millions of lines of code. Moreover, the GPS and consumer financial and personal data pervading connected vehicles can also be misused by unscrupulous elements.

According to Upstream, the frequency of automotive cyberattacks rose by 225 percent from 2018 to 2021 with remote attacks constituting almost 85%.

The cybersecurity issues and concerns will rise along with the regulation, adoption, and popularity of autonomous vehicles in the near future.

How to address automotive cybersecurity?

Role of Guidelines

One of the immediate regulatory responses to the Cherokee Jeep Hack in the mid-2010s was the Guidelines published by the National Highway Traffic Safety Administration (NHTSA) in the US a few months after the attack. These advocated a layered and resilient approach to vehicle cybersecurity based on the well-known NIST Guidelines. Their major tenets are risk-based prioritisation, robust architectures, secure chips, remote firmware updates, timely detection, response and recovery, and sharing of information and best practices across the industry.

There have been similar guidelines, standards and regulations such as UNECE’s (United Nations Economic Commission for Europe) WP.29, ISO/SAE 21434 (amalgamating ISO 26262 for functional safety and SAE J3061 for cybersecurity), and SAE J3101.

Automaker Efforts

Similar to other OT systems, automakers need to adopt the ethos of security by design, combining functional with cyber safety, and handling unpredictable behaviour by preventing faults and protecting against attacks. At the System-on-Chip (SoC) layer, security must be ensured across booting, updating, storage, authentication and debugging. Besides this, the most important aspects being followed by automakers are Endpoint Security, Intrusion Detection, Secure Firmware and Software updates, Communication protocols and, above all, cyber awareness and measures by Leadership, R&D, Design, Engineering and other teams.

This article by EY highlights the importance of regulatory guidelines along with Automotive OEM efforts in bolstering automotive cybersecurity.

Best practices by Vehicle Users

Automotive and Heavy vehicle users must also exercise common sense and due diligence in ensuring cybersecurity besides physical security of their vehicles. Use of VPN, regular software/ firmware updates, restriction of wireless systems, and similar measures shall go a long way in this journey.

What is the market size for Automotive cybersecurity?

According to this paper by MarketsandMarkets, the automotive cybersecurity market is predicted to reach USD 5.3 billion by 2026, up from USD 2.0 billion in 2021, fueled by more cyber-attacks, regulatory guidelines promoting increasing safety and other automotive systems, and adoption of 5G telecom networks.

How has Mobile Security evolved over the years?

It has been quite surprising that mobile security has not traditionally received as much focus and efforts as network, web or endpoint security. And this is despite the pre-pandemic trends of the majority of workforce believing in the necessity of mobile at work, BYOD policies, increasing Email and business activities on mobile, and share of mobile traffic exceeding 50% in the 2016-17 time-frame.

Having said that, the traditional bedrock of cybersecurity for CIOs and CISOs till the early to mid-2010s was the trusted organisational perimeter/ network with implicit trust of constituent users, assets, data, policies for whom Information Security policies would strictly apply. Antivirus, anti-malware, Email Security, Web Application Firewall, Firewall Management, Database Security, Endpoint Encryption and Security, Intrusion Prevention, and Data Leakage prevention tools along with strict Infosec policies, best practices, dos and don’ts and escalation matrices would be enforced. The small proportion of out of office staff would be managed through a combination of Company provided devices, strict Bring Your Own Device (BYOD), VPN and Infosec policies.

Although CIOs and CISOs did implement Enterprise Mobility Management (EMM), Mobile Device Management (MDM) and Mobile Application Management (MAM) in the pre-pandemic time periods, these measures and systems have not kept abreast of the explosion in the mobility ecosystem. Besides BYOD, a mushrooming of all ranges of devices and tablets, different Operating Systems and versions, public Wi-Fi & spoofing, and a plethora of consumer applications and communication protocols have required security leaders to look at more holistic, proactive systems focussed on mobile threat defence and resilience.

The pandemic, with extended remote and hybrid working, home Wi-Fi, gig working and accelerated mobility and IoT adoption, brought even more disruption and attack surfaces to the mobility ecosystem. With extended periods outside the Trusted Network Approach, the pandemic period saw a rise in mobile threats and attacks on account of data leakage, spoofing, spyware, phishing, mobile ransomware, improper session management and cryptography. Deloitte’s research in 2020 reported a threefold increase in cyber-attacks in some countries, also attributed to mobility and Work From Home endpoints. This KPMG research highlights the extent of COVID-19 based ransomware itself during the early days of the pandemic, luring unsuspecting users to click fraudulent links related to information, vaccines, government assistance, sanitizers, oxygen, collaboration tools, and other bait.

What have been the major cyberthreats in the mobility world?

Social Engineering (phishing and smishing), Trojans, Distributed Denial of Service (DDoS), Spoofing, Malware, Mobile Ransomware, attacks on multiple layers across IoT Devices and wearables, Man in the Middle (MiTM) attacks powered by fraudulent Wi-Fi, and Data leakage through malicious apps have beleaguered companies and mobile users throughout 2020, 2021 and 2022. In addition, targeted attacks on enterprise EMM, MDM and MAM systems have risen considerably. Mobile commerce, the Dark Web, Cryptocurrency and the increased sophistication and tools deployed by cyber criminals have also spawned massive leakages and frauds. These downsides are over and above the threats posed by device loss and damage. This article by Deloitte highlights the extent of possible data theft and regulatory obligations for factory reset and stolen phones.

How are CISOs and CIOs addressing mobility cybersecurity?

CIOs/CISOs have embraced Zero Trust Architecture (ZTA) in their move from cyber defence to cyber resilience. In May 2021, in response to the SunBurst SolarWinds breach, the Biden Administration in the US issued an executive order mandating strict adherence by the U.S. Federal Agencies to NIST 800-207 as a fundamentally required step for Zero Trust implementation. As a result of this, the same consideration has applied to private sector and government vendors, customers and other stakeholders. Private enterprises are also ensuring that their current and proposed ecosystem partners follow similar Zero Trust architectures, and these are taken into consideration during evaluation and onboarding of newer partners in their ecosystem. Governments and regulators across the world are crystallising and publishing their regulatory frameworks for mobility cybersecurity.

The principles of ZT cover mobility and IoT devices, users, policies, and architectures in addition to on-premise, cloud & container environments, network devices, firewalls, routers and other endpoints. Robust layered enterprise security frameworks encompassing physical and virtual infrastructure, platforms, applications and users, encryption, secure communication, micro-segmentation-based traffic flow, data protection/encryption/anonymization, least privilege user access, multi-factor authentication, password management, automation and orchestration have been some of its basic tenets, covering contractors and gig workers as well.

Tools for Mobility Endpoint Protection as well as Detection and Response are being incorporated in systems such as Extended Detection and Response (XDR), Secure Access Service Edge (SASE), Identity and Access Management (IAM), Cloud Access Security Broker (CASB), Cyber Asset Attack Surface Management (CAASM) etc. Since assets, users and entities are now spread across on-premise, data centres and the cloud throughout the extended enterprise, several shifts help provide a proactive, uniform and integrated security framework and posture based on ZT: decentralised risk and decision making, moving from Compliance and Security functions to Security Behaviour and Culture programs (SBCPs), consolidation and convergence of cyber security solutions and of vendors, and Cybersecurity Mesh Architecture (CSMA).

Besides these mobility cybersecurity tools that incorporate AI/ ML, CISOs are working with CHROs to also implement best practices for mobile device protection and usage across employees and contract workers. Enforcing Infosec policies covering best practices, Dos and Don’ts and checklists of Email, Browsing, Application access, Wi-Fi access, mobile downloads, password and device protection, backups along with escalation matrices and reporting mechanisms are the priority areas of enterprises. Considering the fact that cyber-awareness is still in a growing phase, companies are leveraging gamification and rewards and recognitions along with open communication, collaboration, and culture in the training and awareness campaigns.

What is the Mobility Cybersecurity Market Size?

According to this paper by Allied Market Research, the mobile security market is predicted to reach USD 22.1 billion by 2030, up from USD 3.3 billion in 2020, covering both Endpoint Protection as well as Endpoint Detection and Response.

Summing up

Cyber Aware and Ready CEOs who are simplifying the Information Technology environment also contribute immensely to building resilient, ever responsive and agile organisations, as this PwC article mentions. This is especially true of the automotive and mobility ecosystem, where there is an accelerated environment of threats, vulnerabilities and attacks, while user safety, convenience, comfort and risks need to be managed carefully. Resilience, Preparedness, Proactive Threat and Response Management, Secure Communication, Updates and Back-ups are the basic tenets of having high performance, engagement and satisfaction along with security.

The CIO-CHRO High Tech Hi Touch Axis is driving cybersecurity awareness, principles and considerations across design, architecture and all functions. Culture and Communication are hence of paramount importance and leadership teams are relying upon building awareness and accountability of risk and security within business, suppliers and employees, running mock drills or crisis games to simulate the response during a mock cyber crisis, as this article by Deloitte mentions.

Mobility, Connected and Autonomous Vehicles are bringing immense disruption, convenience, comfort and a host of other benefits. Incorporating proactive Zero Trust based Cybersecurity Principles and ethos would ensure a high degree of opaqueness, response and recovery from hackers and adverse cyber events.


