Automotive security is essential to ensure the safety, privacy, and functionality of vehicles in today's connected and digitalized automotive landscape. By addressing security threats and vulnerabilities, automotive security measures aim to provide a reliable and secure environment for vehicles and their occupants, enhancing overall trust in the automotive industry.
Automotive security is an ongoing challenge as new technologies emerge, attack vectors evolve, and hackers become more sophisticated. Manufacturers, researchers, and the automotive industry as a whole continually work to identify vulnerabilities, develop secure solutions, and raise awareness to stay ahead of potential threats and protect the increasingly connected vehicles of today and the future.
Need for automotive security
Back in the day, there was no software on wheels, and everything was hardware. In the ’80s and ’90s, there was only 20% software and not much connectivity. But from 2020 onwards, almost 40% to 60% of vehicles are software-based connected vehicles. ECUs, components, protocols, systems, and backend servers are all considered software. The statistics around automotive security are revealing:
• Cyberattacks on cars rose 225% from 2018 to 2021.
• 85% of attacks were remote.
• 40% were targeted on backend servers. In 2021, it was 51%, and in 2020, it was 49.3%.
• Top attack categories were data privacy at 38%, car theft and break-ins at 27%, and control systems at 20%.
• Keyless entry and key fob attacks account for 50% of cyberattacks. Hackers just need to be close to the key fob to pick up the signal, reproduce it and hack the car.
Key components in automotive security
Cybersecurity: With the growing connectivity of vehicles, cybersecurity plays a crucial role in protecting them from malicious attacks. It involves securing the vehicle's communication networks, such as CAN, LIN, Ethernet, and wireless interfaces, from unauthorized access, manipulation, or exploitation. This includes protecting against attacks that can compromise the vehicle's functionality, steal sensitive data, or endanger the occupants.
Secure communication: Ensuring secure communication between various electronic control units (ECUs) within the vehicle is essential. This involves implementing protocols, encryption, and authentication mechanisms to prevent unauthorized access, eavesdropping, message manipulation, and other attacks on the vehicle's internal communication networks.
Secure software and firmware: Ensuring the security of software and firmware in vehicle systems is crucial. Manufacturers must employ secure development practices, perform rigorous testing and code reviews, and promptly address vulnerabilities and software updates. Protecting against unauthorized tampering and malware injection and ensuring the integrity and authenticity of software/firmware updates are important aspects of automotive security.
Physical security: Physical security measures protect vehicles from unauthorized physical access or tampering. It involves implementing robust anti-theft systems, secure key management, vehicle immobilization, and ensuring the physical integrity of critical components to prevent unauthorized modifications or tampering.
Privacy and data protection: Safeguarding the privacy of vehicle occupants and protecting sensitive data collected and transmitted by the vehicle's systems are a must. Measures such as data encryption, data anonymization, and secure data storage are implemented to protect personal information and prevent unauthorized access or misuse of data.
Threat detection and response: Implementing intrusion detection systems, security monitoring, and real-time threat analysis help identify and respond to potential security breaches promptly. Timely detection of anomalies or suspicious activities can help mitigate the impact of attacks and prevent further damage.
Standards and regulations: Automotive security is supported by industry standards and regulations that outline security requirements, best practices, and guidelines for manufacturers and service providers. Compliance with these standards helps ensure a baseline level of security across the industry.
CAN and LIN attacks
CAN refers to controller area network. It is a communication protocol widely used in the automotive industry to enable communication between various ECUs within a vehicle. CAN has become the de facto standard for in-vehicle communication due to its robustness, reliability, and cost-effectiveness. It allows different ECUs, such as those controlling the engine, transmission, brakes, and infotainment system, to exchange information and coordinate their actions.
Even so, CAN has introduced security challenges such as bus-off attacks, message spoofing, denial of service (DoS), and ECU reprogramming. CAN (CANsecure) and CAN with Flexible Data-Rate (CAN-FD), which provide enhanced security features, were developed to mitigate these security risks.
LIN refers to local interconnect network. It is a communication protocol used in automotive applications for connecting various electronic components within a vehicle. LIN is typically used for low-speed communication and complements the higher-speed CAN bus. LIN has some inherent limitations compared to CAN. It does not provide advanced security features and has a simpler structure.
Like CAN, LIN too is vulnerable to security threats like eavesdropping, message manipulation, and replay attacks. Securing LIN communications needs additional measures such as secure LIN implementations, physical security measures, and secure network architecture.
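One common way to counter the spoofing, message manipulation, and replay threats described above is to append a freshness counter and a truncated MAC to each frame. The Python below is an added example, not code from the original post; the field sizes, the demo key, and the `protect` and `Receiver` names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

CTR_LEN, MAC_LEN = 4, 8   # assumed sizes; 12 bytes of overhead needs CAN FD (classic CAN carries 8 data bytes)
MAX_FD_PAYLOAD = 64       # CAN FD data field limit

def _mac(key: bytes, can_id: int, data: bytes, ctr: bytes) -> bytes:
    # Binding the CAN ID into the MAC stops a valid payload being re-sent under another ID.
    msg = struct.pack(">I", can_id) + data + ctr
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]

def protect(key: bytes, can_id: int, data: bytes, counter: int) -> bytes:
    """Sender side: data || freshness counter || truncated MAC."""
    ctr = struct.pack(">I", counter)
    payload = data + ctr + _mac(key, can_id, data, ctr)
    if len(payload) > MAX_FD_PAYLOAD:
        raise ValueError("payload exceeds CAN FD data field")
    return payload

class Receiver:
    """Receiving ECU: checks the MAC first, then freshness, per CAN ID."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_seen = {}          # CAN ID -> highest accepted counter

    def verify(self, can_id: int, payload: bytes) -> str:
        if len(payload) < CTR_LEN + MAC_LEN:
            return "malformed"
        data = payload[:-(CTR_LEN + MAC_LEN)]
        ctr = payload[-(CTR_LEN + MAC_LEN):-MAC_LEN]
        mac = payload[-MAC_LEN:]
        if not hmac.compare_digest(mac, _mac(self.key, can_id, data, ctr)):
            return "bad_mac"         # spoofed or manipulated frame
        counter = struct.unpack(">I", ctr)[0]
        if counter <= self.last_seen.get(can_id, -1):
            return "replay"          # authentic but stale frame
        self.last_seen[can_id] = counter
        return "ok"

def demo() -> list:
    key = bytes(range(16))           # constructed demo key, not a real ECU key
    rx = Receiver(key)
    good = protect(key, 0x123, b"\x00\x64", counter=1)      # constructed frame
    tampered = b"\x00\xff" + good[2:]                        # data changed on the bus
    forged = protect(b"\x00" * 16, 0x123, b"\x00\x64", 2)    # sender without the key
    return [rx.verify(0x123, good), rx.verify(0x123, tampered),
            rx.verify(0x123, forged), rx.verify(0x123, good),
            rx.verify(0x124, good)]
```

The 32-bit counter in this example must never repeat under the same key, so a real deployment also needs a rule for persisting it across power cycles and for re-keying before it wraps.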
Industry regulations and standards
Standards act as a support or a benchmark for OEMs to ensure security has been implemented across the complete life cycle. Certain certification bodies or standards, such as the ones listed below, ensure the implementation of security for automotive organizations:
• ISO 21434
• UN R 155
• UN R 156
Automotive cybersecurity standard: ISO 21434
ISO 21434 provides a guideline for ensuring the cybersecurity of road vehicle electronic systems. It was developed to ensure OEMs and suppliers take cybersecurity into account at every step of the product life cycle, from the concept phase all the way to retirement. ISO 21434 provides terminologies, objectives, requirements, and guidelines that an organization needs in order to:
• Define cybersecurity policies and procedures
• Analyze, identify, and manage cybersecurity risks
• Champion a security-by-design or cybersecurity culture within the organization
United Nations Regulation 155: UN R 155
UN R 155 covers uniform provisions concerning the approval of vehicles with regard to cybersecurity and cybersecurity management systems. Its scope extends to vehicles for passenger transport and vehicles for the transport of goods and trailers.
UN R 155 Focus
CSMS: Cybersecurity management system requirements. Parts A, B, and C are the primary consideration for risk assessment and mitigation to be implemented by vehicle manufacturers.
Part A:
Vulnerability or attack method related to threats.
Example: Servers, communication channels, etc.
Part B:
Mitigations to threats intended for the vehicles.
Example: CAN and LIN attacks.
Part C:
Mitigations to threats outside of vehicles.
Example: Cloud, backend servers.
Better safe than sorry
To sum it up, automotive security is important for several reasons, such as maintaining the safety of vehicle occupants, protection against cyberattacks, safeguarding personal data, preventing theft and unauthorized access, protecting against malware and software vulnerabilities, compliance with regulations and standards, and preserving consumer confidence. By strictly following best practices, periodic security assessments, and standards and procedures, we can minimize threats and risks to safety in the automotive world.
About the author
Rachin Katti is Head of Cybersecurity at Cyient. He has 17 years of experience securing networks, infrastructure, and information for customers across multiple industries. In his current role, he provides secured, customized, tailored security solutions across all verticals.