Product Security Glossary

Automotive Cybersecurity

What is automotive cybersecurity?

Automotive cybersecurity is a set of practices and principles that are designed to protect today’s Internet-connected automobiles from being exploited by malicious hackers.   

Why do we need automotive cybersecurity?

Unlike older automobiles, today’s automobiles are connected to the Internet of Things for a variety of reasons.  As you drive a modern automobile, it constantly sends telemetry data back to its manufacturer or fleet manager.  It will also have contact with your satellite radio provider and will even communicate with other automobiles in the immediate vicinity. 

In this new operational environment, we need automotive cybersecurity for both data privacy and for safety.  Telemetry data, if intercepted, could help an attacker build a profile of where you go and what places you visit.  Other IoT-connected systems include collision avoidance systems, automatic braking systems, and systems that automatically summon help in case of an emergency. 

Another reason why we need automotive cybersecurity is that on modern automobiles, braking, acceleration, transmission control, and steering systems are now controlled electronically, rather than by mechanical linkages.  If the designers of these systems disregard the basic concepts of automotive cybersecurity during the design stage, it could be possible for a remote attacker to take control of a vehicle while someone is driving it.  Indeed, this has been done.  Several years ago, a pair of automotive cybersecurity researchers had a journalist drive an IoT-connected car on the highway, and demonstrated how they could find the car by searching for it on the Internet.  Then, they actually did take control of the vehicle by penetrating the car’s entertainment system, and then moving laterally into the car’s critical control systems.  It was only a demonstration and they didn’t mean any harm to the journalist, but they did scare him a bit.  Fortunately, these researchers worked with the automakers to fix the vulnerabilities that could allow this exploit to happen.

There are two ways in which attackers can compromise an Internet-connected vehicle.  They can do so completely via wireless means, or they can use the car’s electronics access ports to either plant malware or to reconfigure the car in a malicious manner. 

How do we implement automotive cybersecurity? 

The first step of implementing proper automotive cybersecurity has to occur in the design phase.  Automotive electronics systems must be designed in a way that separates critical control systems from any system that could be penetrated by an attacker. Systems must be vetted, preferably in an automated fashion, to make sure that proper security measures are used. The systems must have proper access controls on critical configuration files, minimize potential attack surfaces, and use up-to-date software components with no known vulnerabilities. Also, systems should include anomaly-based intrusion detection systems.
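
As an illustration of automated vetting, the following added example (not part of the original glossary entry and not any vendor's tool) checks an extracted firmware file tree for weak permissions on critical configuration files and for components older than a fixed version. The file list, component names, and version numbers are hypothetical values constructed for the example.

```python
import os
import stat
import tempfile

# Assumed policy, constructed for this example: critical config paths and minimum fixed versions.
CRITICAL_CONFIGS = ["etc/shadow", "etc/ota/update.conf"]
MIN_FIXED_VERSIONS = {"examplessl": (3, 0, 8), "examplebox": (1, 36, 1)}

def parse_version(text):
    """Turn '1.36.1' into (1, 36, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def check_config_permissions(rootfs):
    """Flag critical config files that are missing or writable by group/other."""
    findings = []
    for rel in CRITICAL_CONFIGS:
        path = os.path.join(rootfs, rel)
        mode = stat.S_IMODE(os.stat(path).st_mode) if os.path.isfile(path) else None
        if mode is None:
            findings.append(f"{rel}: missing")
        elif mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{rel}: mode {mode:04o} is writable by group/other")
    return findings

def check_components(manifest_lines):
    """Flag 'name==version' entries older than the policy's minimum fixed version."""
    findings = []
    for line in manifest_lines:
        name, _, version = line.strip().partition("==")
        fixed = MIN_FIXED_VERSIONS.get(name)
        if fixed and parse_version(version) < fixed:
            findings.append(f"{name} {version}: older than fixed version {'.'.join(map(str, fixed))}")
    return findings

def build_sample_rootfs(base):
    """Create a small constructed firmware tree with one weak file mode."""
    for rel, mode in [("etc/shadow", 0o600), ("etc/ota/update.conf", 0o666)]:
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("# constructed sample\n")
        os.chmod(path, mode)  # chmod after writing so the umask cannot alter the mode

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_rootfs(root)
        manifest = ["examplessl==3.0.2", "examplebox==1.36.1"]  # constructed sample
        for finding in check_config_permissions(root) + check_components(manifest):
            print("FAIL", finding)
```

Run as a gate in the build pipeline, a non-empty findings list would block the image from release.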

Compliance with industry standards and best practices is vital for automotive cybersecurity. The new WP.29 - UN Regulation on Cyber Security and Cybersecurity Management Systems and the Automotive Grade Linux Security Blueprint are two great examples of automotive cybersecurity documents that should be followed.

Still, as with all other software systems, security-related bugs can occur.  So, there must be a way for auto manufacturers to provide software and firmware updates for every automobile that they produce.  Ideally, these fixes should be pushed out automatically over the air, so that customers won’t have to go back to the dealers to get the updates. These firmware updates, just like the original systems, should be thoroughly tested before they are deployed to make sure that the fixes are not introducing an even bigger security problem.  

And, even though automakers have to compete with each other for business, they also need to cooperate with each other on safety-related matters.  By sharing threat intelligence and lessons learned with each other, automakers can contribute in a meaningful way to automotive cybersecurity.