Data from connected cars offer ample opportunity to develop new business models. But, to be successful, the auto industry needs to make sure those data are safe and secure. The industry needs to rethink security.




Automakers need to rethink security to make sure connected-car data are safe

Data-driven business models are among the most promising developments that future mobility holds for the auto industry. But car-sharing, mobility on demand, proactive maintenance and traffic-flow optimization have something in common. They all rely on data from networked vehicles, and that makes their information, communication channels and storage devices part and parcel of business IT. 

It goes without saying that they should be protected against cyberattacks in the same way or at least with defenses of equivalent value. But the industry hasn’t reached that point, probably because broad-based cyberattacks on vehicles have not yet been seen. 

So far, most of the headlines have been made by more or less scientific feasibility studies. But that may change. According to the cybersecurity firm Cyoss, there have never been as many opportunities to attack cars as there are now: Today’s “always on” networking turns powered vehicles into rolling IT terminals. 

The data produced in and by cars will likely become a highly desirable commodity for both cyber criminals and legitimate users who want the information for their business models. But the number of potential weak points and gateways is growing with the quantity of communication interfaces.

The adoption of established IT standards in vehicle electronics is suddenly revealing its dark side, even though it is usually celebrated as the victory of economics over the solitary technical paths taken by electronics developers. 

As it adopts these standards, the vehicle industry is simultaneously importing cyber-threat scenarios. “Hackers today have to be familiar with the CAN bus and its codes,” said Oliver Hanka, business field manager for cybersecurity at Cyoss. “In the future, they will be able to attack cars with a normal knowledge of IT.” 


The problem is that the knowledge of the weak points in business IT is much more widespread than the knowledge of the most intimate details of the CAN. “Take Ethernet as an example,” Hanka said. “Naturally, a manufacturer that introduces Ethernet into its cars as a data backbone can draw its talent from a much larger pool. Unfortunately, so can hackers.”

Cars are different

Another aspect weighs heavily on cars defined by their software, and it goes beyond their importance as an element in the IT architecture of future business models: Once they are hacked, they can become a danger to the life and limb of their users and other individuals, in contrast to a run-of-the-mill server in a data center. 

This wouldn’t be via a circuitous route due to some malfunction of an important logical function. The danger would be from the vehicle’s very existence as a propelled object, said Ulrich Heun of the IT security consulting firm Carmao. He said this especially applies to vehicles with automated driving functions. “And it isn’t just a question of liability. There’s also the issue of damage to your reputation.” 

Heun disagrees with the auto industry’s standard narrative that potential wrong-doers would see no pay-off from cyberattacks on vehicles. It would not be far-fetched at all for cyber attackers working for organized crime to manipulate the controls of a truck operating at autonomy level 3 to 5, direct it to a remote site and seize its valuable cargo. 

The same applies to executives or celebrities. “There’s a good reason for them to have personal protection today,” Heun said. It can safely be assumed that certain circles could have an interest in hijacking a car electronically. 

To keep the criminals out, it’s not enough to secure the vehicle itself and its interfaces. Due to the vital electronic nerve fibers linking connected cars to the backend, the corresponding IT infrastructure there or in the cloud has to be hardened against attacks. “This protection has to be the motivation to take cybersecurity very seriously,” he said.

It is a scenario that automakers must address, even at the highest levels, said Gundbert Scherf, a cybersecurity expert at the McKinsey management consulting firm. The issue of responsibility is a particular challenge, he said. 

Security is becoming a product-quality issue

“Security has always been a corporate IT issue, falling under the responsibility of the CIO or CISO,” Scherf said. “Now it is becoming an important aspect of the vehicle, meaning the product. This is making security a product-quality issue. It affects the product in its entirety along the entire value chain.” 

So far, there hasn’t been a clear business case for cybersecurity to cover new business models that integrate the car and its communication channels into corporate IT. There is a lack of key parameters on how much a company has to invest to reach the required level of security. After all, nobody wants to spend more than necessary. 

The range of empirical values is still too small. Still, Scherf notes that appropriate standards and specifications are being worked out. The World Forum for Harmonization of Vehicle Regulations is defining minimum standards. Even if the results are not yet certain, something is on the way that will mean more work for the auto industry as it deals with these challenges. Said Scherf: “Companies will need a holistic security management system that includes software updates for vehicles.”