Passivity remains the all-too-common posture across much of the automotive industry when it comes to cybersecurity. Many organizations still appear to think they will get serious about cybersecurity if and when they are forced to comply with governmental regulations.
Be aware that the complexity of automotive cyberattacks is changing rapidly. It is time to become more proactive about comprehensive protection. Events in recent years demand that automakers, original equipment manufacturers (OEMs) and third-party suppliers do more than merely check the boxes of emerging regulatory frameworks and standards. For example, a Trend Micro report in 2021 identified vulnerable parts of the supply chain and the complexity of supply chain security.
The supply chain is clearly at risk, and cybercriminals are geared to exploit it. Cybersecurity must look at not only the car itself but also its manufacturer, its suppliers and its dealerships.
A sea change is underway in automotive cyberattacks. Cybercriminals who can target vulnerable suppliers to reach into a manufacturer’s network could compromise huge numbers of vehicles. Our 2022 analysis of 52 significant automotive cybersecurity incidents illustrated the range of attacks on the industry—across different levels of the supply chain, from supplier to vendor, and at almost every production stage.
Cybercriminals initiate attacks by exploiting system or network vulnerabilities to break into the vendor network, or by gaining unauthenticated access, and then demand a ransom in return for unlocking the blocked systems. Conti, LockBit and Hive were among the ransomware families most prominent in automotive cyberattacks last year.
Indeed, the automotive industry is unusually prone to this type of supply chain attack because of its long-established heritage of interconnected ecosystems of component partners. As connectivity continues to pervade electronic vehicles and the cloud increasingly controls the car, it follows that a cybercriminal who can access the cloud by compromising any component supplier can also control the car.
Furthermore, autonomous-driving systems and advanced driver-assistance systems are reducing the human involvement required for vehicles to operate—and creating new opportunities for cybercriminals to unpredictably interfere with and disrupt vehicle performance and even harm human life.
In-vehicle infotainment is another potential entry point for cyberattacks. Ransomware and data breaches already dominated cybersecurity incidents in the automotive industry last year, and more connected cars, the rise of software-defined vehicles and software-based components, and greater use of open systems stand to add up to even greater susceptibility to known and unknown vulnerabilities.
We still seem to be in a first phase of respect for cybersecurity in the automotive industry, where the primary concern remains, “How am I going to comply with regulations?” A second phase is starting to take shape, in which some isolated examples of what could be turned into broader-scale cyberattacks are appearing in markets around the world.
A third phase is inevitable: the constant threat of supply-chain attacks in which companies with even robust cybersecurity can be impacted by cybercriminals uncovering the most vulnerable places to attack among interconnected partners.
What can members of the ecosystem do in practical terms today to sufficiently prepare for what’s next?
You don’t know what you don’t know. So the first step is for automakers, OEMs and other suppliers to hire cybersecurity professionals who are equipped to analyze operations and empowered to prioritize the new capabilities to implement. Each player in the value chain will have different priorities in terms of which area of its operations will need to be addressed first, based on its unique role and relationship to the rest of the supply chain.
Everyone in the ecosystem shares the desire to “see the unseen” before it’s too late. Now is the time for organizations at every level of the automotive supply chain to take action by making sure they have the internal competency to evaluate and rethink cybersecurity capabilities.