Because mobility is becoming more digital and networked, automotive cybersecurity is becoming more crucial. Many nations will make cybersecurity measures required for new car registrations as early as 2022.
The change in mobility is being driven by automation and connectivity, which is progressively turning cars into “computers on wheels.” Cyber fraudsters target contemporary automobiles in the same way that they attack computers.
Today’s automobiles include about 100 million lines of software code, with the amount continuing to rise. According to business experts McKinsey, it might reach over 300 million lines in a few years. In contrast, a passenger plane contains around 15 million lines of code, while a mass-market PC’s operating system has over 40 million.
Because of the large quantity of code in automobiles, hackers have a lot of options for cyberattacks.
We will also most likely need to change our perception of cybercriminals. It is not worth the effort to control a single automobile in order to steal it. It’s more about stealing data.
“Many people think of the hacker in the black hoodie, crouching in his dark cellar. But when it comes to cyber attacks in the automotive sector, we’re dealing also with organized crime, industrial espionage and the theft of know-how,” says Manuel Götz, head of the ZF AI & Cybersecurity Center.
Theft of commodities is also a possibility in the case of commercial vehicles, as is the hijacking of whole fleets in the future — with a greater level of automation.
As many control units, as many attack opportunities
However, how can cyber hackers get access to car data in the first place?
“Hardly anyone tries to tap the encrypted information in transit today. The encryption is too complex for that. Instead, hackers are targeting vulnerabilities at the ends — the vehicle itself, the backend or the networked infrastructure,” says Michael Eisenbarth, responsible for cybersecurity at the ZF AI & Cybersecurity Center.
Around 100 distinct control units may currently be found in automobiles. Each one has its own software and is linked to the others. As a result, every ECU is a possible entry point for cyber attackers and must be well safeguarded.
“On the ECUs, there is not enough computer capacity for the encryption that would otherwise be used. This is a potential vulnerability,” explains Eisenbarth.
To address this gap, manufacturers and suppliers are increasingly relying on hardware security modules (HSMs), physical modules that hold and control the key directly. Hardware security chips like this will soon be standard in every ECU.
Automotive cybersecurity threats come from unexpected places
The increased connection of automobiles with their surroundings is another possible entry point for hackers. Vehicles will become more interconnected with one another, with traffic infrastructure, and with the cloud. With more automation, V2X communication will rise significantly.
Vehicles will connect with traffic signals, traffic signs, charging stations, and mobile phones more often. And it is exactly these infrastructural components that are currently mostly unprotected. This emphasizes the need to secure the vehicle against outside cyber threats, such as through a firewall.
Cybersecurity regulations and standards are being implemented more and more
Automotive cybersecurity has grown in importance in recent years and will continue to do so in the future. Two new standards created by the UNECE World Forum for Harmonization of Vehicle Regulations (WP.29) make cybersecurity necessary for the licensing of new vehicle types.
The rules will apply to passenger automobiles, vans, lorries, and buses, and they will contain standards for four different categories:
- Managing cyber threats to vehicles
- Designing cars to be secure from the start to reduce risk across the supply chain
- Detecting and reacting to security breaches across a fleet of vehicles
- Introducing a legal foundation for over-the-air upgrades to onboard vehicle software, enabling safe and secure software updates and assuring vehicle safety.
From July 2022, the new cybersecurity law will be obligatory for all new vehicle types in the European Union, and from July 2024, it will be necessary for all new cars manufactured. Other nations, such as South Korea and Japan, are interested in adopting the rule.
In tandem, the International Organization for Standardization (ISO) and the Society of Automotive Engineers (SAE) have established the standard ISO/SAE 21434, “Road vehicles – Cybersecurity engineering.”
It was released in 2021 and focuses on cybersecurity in the designing of electrical and electronic (E/E) systems in automobiles. The standard’s implementation is designed to assist manufacturers in keeping up with evolving technology and cyber-attack strategies.
The ZF AI & Cybersecurity Center is approaching the cybersecurity issue in a holistic manner
“We are already very far along in implementing the standards. We make them mandatory in the development of our products,” says Götz. For the company, however, the topic of cybersecurity encompasses more than the implementation of standards. “We take a holistic approach to the topic. This ranges from threat assessment and software delivery to secure over-the-air updates,” says Götz.
As a result, the ZF AI & Cybersecurity Center has been formed in the German city of Saarbrücken. The Center collaborates closely with academic institutes such as the renowned Helmholtz Center for Information Security (CISPA) on future cybersecurity technologies and conducts research with them.
In addition to developing core ideas for several ZF business divisions, the ZF AI & Cybersecurity Center also offers assistance for client projects.
For threat monitoring, ZF collaborates closely with and is a member of the Automotive Information Sharing and Analysis Center (Auto-ISAC), a U.S.-based association of OEMs and suppliers dedicated to strengthening the worldwide automotive industry’s resilience and response to cyber-attacks.
However, no matter how carefully automobile manufacturers and suppliers prepare for cybersecurity, the struggle against cyber thieves will always be ongoing. This is also because mobility is evolving, with new digital goods and services appearing on a regular basis.