With today’s revolution in automotive connectivity and the exponential growth in the number of connected vehicles on the road, it is imperative for the automotive industry to understand, predict, and combat rising cybersecurity threats.
Leading international market research company ResearchAndMarkets.com states that the global automotive cybersecurity market is expected to grow from US$2.04 billion in 2022 to US$4.16 billion in 2026, at a compound annual growth rate of 19.5%.
Global Market Insights, another global market research and management consulting company, notes that the passenger vehicle segment held over 81.9% of the automotive cybersecurity market share in 2021. However, it also highlights that commercial vehicles are more prone to cyberattacks, due to the emerging trends of vehicle connectivity and surging hybridisation, electrification, and automation in automobile technology.
“Historically, trucks have been largely self-contained electronic systems, so protection against external attack was not a significant risk,” explains Josh Foster, Garrett Motion’s* connected vehicles division general manager. “However, increasing digitalisation and the associated interfaces like Bluetooth, wireless, cameras, sensors, and other advanced driver assistance systems that are an important part of today’s truck world are making these highly complex systems more vulnerable to outside cyberattacks.”
Florian Rehm, a cybersecurity expert at the commercial vehicle control systems (CVCS) department of ZF Group**, agrees – adding that today’s passenger vehicles have as many as 100 electronic control units (ECUs), compared to only five ECUs two decades ago. “And instead of each ECU controlling one task, the functions are distributed across multiple ones,” he points out. “Additionally, a high-end car contains as many as 100 million lines of code – five times more than in fighter planes. We see these trends reflected in commercial vehicles as well, and all of this IT complexity creates potential new attack vectors for cybercriminals.”
A FLAW FROM WITHIN
In its blog Addressing the Cybersecurity Risks, ZF highlights another weak point in these systems: “Take the Controller Area Network (CAN) as an example. The CAN communication protocol is a standard describing how information is exchanged between different components and sensors inside a vehicle. Like other automotive technologies (including ECUs), the CAN was not designed to be connected to the internet.
“Developed in the early 1980s, this onboard network operates on the premise of ‘trust’. In a connected environment, this principle leaves the door open for malicious attackers to gain control over the vehicles and manipulate them remotely. By speaking in the name of an ECU, an attacker can easily trigger arbitrary vehicle functions.”
The ZF piece adds that a common protocol for the CAN in commercial vehicles is SAE J1939. “This standard, which plays a key role in network ECUs, has been around for many years, and continues to grow in popularity due to its usage in telematics while ensuring interoperability of different systems,” it notes.
“As an open standard, SAE J1939 has vulnerabilities. Academic researchers have shown how easy it would be to launch attacks on a CAN bus using this protocol, if they could get access to the vehicle network. Once they gained that access, the researchers could control critical systems, including the ability to accelerate a vehicle in motion and disable the brakes.”
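One way a defender can spot a frame sent "in the name of an ECU" on a J1939 bus, given here as an added example that is not from the article or from ZF: decode the 29-bit identifier into priority, parameter group number (PGN) and source address, then flag frames from unlisted senders or frames that arrive much earlier than the sender's usual period. The baseline, the capture, the 20 ms period and the function names are constructed assumptions; a timing check reveals an extra sender but cannot tell which frame is the genuine one.

```python
def decode_j1939_id(can_id):
    """Split a 29-bit J1939 identifier into (priority, PGN, source address)."""
    priority = (can_id >> 26) & 0x7
    edp_dp = (can_id >> 24) & 0x3      # extended data page + data page bits
    pf = (can_id >> 16) & 0xFF         # PDU format
    ps = (can_id >> 8) & 0xFF          # PDU specific
    sa = can_id & 0xFF                 # source address claimed by the sender
    # For PF < 240 (PDU1) the PS byte is a destination address, not part of the PGN.
    pgn = (edp_dp << 16) | (pf << 8) | (ps if pf >= 240 else 0)
    return priority, pgn, sa

# Constructed baseline: (PGN, source address) -> expected period in seconds.
BASELINE = {(0xF004, 0x00): 0.020}

# Constructed capture: (timestamp in seconds, 29-bit CAN identifier).
CAPTURE = [
    (0.000, 0x0CF00400),
    (0.020, 0x0CF00400),
    (0.027, 0x0CF00400),  # extra frame under the same source address
    (0.040, 0x0CF00400),
    (0.050, 0x0CF00427),  # source address 0x27 is not in the baseline
    (0.060, 0x0CF00400),
]

def find_anomalies(capture, baseline, tolerance=0.5):
    """Return (timestamp, identifier, reason) for every suspicious frame."""
    last_seen = {}
    alerts = []
    for ts, can_id in capture:
        _, pgn, sa = decode_j1939_id(can_id)
        key = (pgn, sa)
        if key not in baseline:
            # CAN itself does not authenticate senders, so an allowlist is the first filter.
            alerts.append((ts, hex(can_id), "unknown sender"))
            continue
        prev = last_seen.get(key)
        # A periodic message arriving far too early suggests a second transmitter.
        if prev is not None and ts - prev < baseline[key] * tolerance:
            alerts.append((ts, hex(can_id), "too early"))
        last_seen[key] = ts
    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(CAPTURE, BASELINE):
        print(alert)
```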
NOT JUST REMOTE CONTROL
Vehicles aren’t the only business components at risk, however, as supply chains can be exploited as well. ZF writes: “According to the Transported Asset Protection Association***, the estimated average daily loss from supply chains was €378 058 in the Europe, Middle East and Africa region in 2019, and the combined loss of major crimes (€100 000 or more) over 12 months was more than €96 million. In the US, the cost of cargo crime is estimated at US$10 to 25 billion per year. Only a fraction of the thefts are actually reported, so the losses are much higher in reality.”
Theft from road vehicles accounts for the majority of cargo thefts. In the past, the biggest problem was related to physical security, but supply chain security is evolving beyond the traditional environment to the digital realm: “Taking advantage of technology, cargo thieves could hack into an online tracking portal to access manifests, pick up information and other sensitive data; re-route cargo to a different destination by spoofing information; or pick up cargo using forged documents,” notes ZF.
The global technology supplier adds that, up to now, automotive technologies have not taken a security-by-design approach. The industry is now recognising the importance of cybersecurity, although adoption of security measures has been slow.
“A study commissioned by SAE International and Synopsys**** found that 84% of the nearly 16 000 IT professionals surveyed in the automotive industry were concerned that cybersecurity practices were not keeping up with the evolving technologies. Yet, 30% of the respondents said their organisation didn’t have a cybersecurity programme or team, and 63% tested less than half of their technologies for vulnerabilities.”
ZF’s CVCS strategy is best summarised by Christian Brenneke, senior vice president of product engineering at ZF’s CVCS division: “Today’s digital technology is the foundation of our knowledge-based society and enables mind-boggling opportunities, but as systems become more connected and integrated, we see the number of vulnerabilities growing. This is why the implementation of dedicated cybersecurity standards has to be a top priority in the commercial vehicle industry as well as ensuring a security-by-design approach for every step of our development projects’ life cycles – starting from their specifications all the way to their validation.”
Rehm adds: “We have tested the early versions of our products to understand their resistance to cyberattacks, and we also monitor hacker forums to stay on top of how our products are misused. We have also started to evaluate all of our suppliers regarding cybersecurity, and have integrated that into the development process.”
According to the ZF blog, over-the-air software updates, Internet of Things (IoT) and automated vehicles are among the other trends that will drive advances in the next generations of commercial vehicles. “The industry will continue to transform and innovate, but progress is not possible without an emphasis on cybersecurity. As the industry looks to the future, it’s critical to understand the risks of these new technologies – and put mechanisms in place to address them,” it concludes. You have been warned!
* Garrett Motion – headquartered in Rolle, Switzerland – has been serving customers worldwide for more than 65 years with petrol, diesel, and hybrid turbo technologies; hydrogen fuel cell applications; and software solutions used in passenger vehicles, as well as on and off-highway commercial vehicles.
** ZF is a global technology company supplying systems for passenger cars, commercial vehicles, and industrial technology.
*** The Transported Asset Protection Association promotes global supply chain resilience standards.
**** SAE is a global association for engineers and related technical experts in the aerospace, automotive, and commercial vehicle industries. Synopsys is a US-based electronic design automation company.