The popularity of electric vehicles is partly a response to the desire to achieve sustainability and reduce carbon footprints. Automobile manufacturers are making substantial investments to tackle emissions issues, create environment-friendly vehicles, and align with Environmental, Social, and Governance (ESG) requirements. To achieve brand edge and investment appeal, automakers market ESG as a business strategy.
Compliance with ESG requirements is not limited to sustainability alone. Cybersecurity, an important ESG component under the social and governance pillars, is taking center stage. This is for obvious reasons: the future of the auto industry is being transformed by Connected, Autonomous, Shared, and Electric (CASE) vehicles. This future is also threatened by cybersecurity flaws and incidents.
According to one source, cyberattacks targeting CASE vehicles increased by 225% from 2018 through 2021, while vulnerabilities rose by 321%. Emerging attacks observed in the first half of 2022 already pointed to a tumultuous future for automakers. It is projected that the industry would lose more than $500 billion to cyberattacks by 2024.
CASE Vehicles to Dominate the Future of Auto Market
Several factors influence the growth of CASE vehicles. The European Union (EU) is promoting clean mobility through regulations and investment. To realize its ambitious goal of having 30 million electric vehicles (EVs) on the road by 2030, the EU is investing 20 billion euros to stimulate the production of clean vehicles and the installation of 1 million electric and hydrogen charging stations by 2025. The EU regulations are not limited to clean vehicles and charging stations, as there are also directives governing the production of sustainable and ethical batteries.
The United States government is also pushing a lofty goal for electric vehicles to account for 50% of all vehicles sold in the country by 2030. The Biden Administration has prioritized the manufacturing of EVs, EV chargers, and batteries. Recently, the administration committed to investing $5 billion to implement a national EV charging network. Through partnership with the private sector, companies have invested $85 billion, tripled EV manufacturing, and increased investment in batteries 28 times within the last 2 years.
In Asia, governments play a significant role in making the auto industry smarter. China is poised to be the biggest market for electric vehicles with an estimate of nearly 10 million units sold by 2030. The Government of Japan has set a target to transform the third-largest auto-producing country to sell 100% electric vehicles by 2035. India, the fourth-largest auto market, is also experiencing a growing interest in electric vehicles. To encourage the adoption of electric vehicles and reduce air pollution, the government has promulgated various policies to incentivize investment and patronage. The ASEAN electric market is expected to generate a 32.7% compound annual growth rate by 2027 as governments provide incentives to encourage vehicle electrification and connectivity.
While governments are more focused on EVs, other smart vehicle markets are growing. According to the World Economic Forum, the connected vehicle market is projected to be $215 billion by 2027. Connected vehicles are forecast to double by 2030, accounting for 96% of all shipped vehicles. The global sales of autonomous vehicles are projected to reach 58 million units by 2030. The estimated market volume of shared vehicles is $16.24 billion by 2026, an annual growth rate of 8.13% from 2022.
Consumer mobility behavior is also driving the growth of CASE vehicles. Shared mobility, data-connectivity services, technological advancements, infotainment capabilities, and the possibility of customizing vehicles to serve consumers’ purposes are a few of the reasons why smart vehicles are becoming more accepted. According to McKinsey’s findings, 40% of auto consumers would change vehicle brands to gain more connectivity, while a significant percentage of consumers would grant access to navigation and mobility applications (82%) compared with social media (58%), fitness and health (50%), and media streaming (46%).
A recent report showed that the top features new car buyers and lessees consider include advanced driver-assist controls (parking sensors, lane-departure warning, blind-spot monitoring), automatic emergency braking, digital keys and mobile apps, video rearview mirrors, wireless charging docks, stolen vehicle tracking software and Apple CarPlay and Android Auto compatibility.
Growing Cybersecurity Concerns Threaten the Future of the Auto Industry
Globally, automakers are projected to deliver 76 million smart vehicles by 2023. While this growth is a welcome development, it presents an opportunity for threat actors to unleash unprecedented cyberattacks. Just within the last two years, more than 50% of all reported automotive incidents involved cyberattacks. There are reports of successful compromises of smart vehicles such as Tesla, Bosch Drivelog, and Jeep Cherokee. In its report, Consumer Watchdog listed the top ten models most open to compromise. Electric vehicle (EV) charging stations are also prone to cyberattacks. In the first half of 2022, EV charging cyber incidents increased significantly.
Remote access plays a leading role in automotive cyber incidents, as traditional defense controls are easily bypassed. About 85% of attacks targeting smart vehicles involved remote execution. 50% of all vehicle thefts involved keyless entry and key fob attacks. Cyberattacks involved back-end servers (40%), data exfiltration (38%), control systems (20%), electronic and telematics control units (12.2%), mobile apps (7.3%), infotainment systems (5.7%), sensors (3.3%), Wi-Fi connectivity (2.9%), and Bluetooth connectivity (2.7%).
CASE vehicles are not just driving machines; they are a hub of multiple computer chips and systems, forming a complex network. They contain more than 100 million lines of code, surpassing the F-35 Joint Strike Fighter or NASA space shuttle. However, most of these lines of code are open source, making it difficult to ascertain if security measures are implemented as part of the design.
A successful attack against CASE vehicles is not limited to just one vehicle. The potential for widespread exploitation and escalation is very plausible given the growing adoption of vehicle-to-everything (V2X) and cellular vehicle-to-everything (CV2X) networks. These networks include vehicle-to-pedestrian (V2P), vehicle-to-network (V2N), vehicle-to-vehicle (V2V), vehicle-to-cloud (V2C), vehicle-to-grid (V2G), and vehicle-to-infrastructure (V2I). Any unpatched vulnerabilities in these networks can be used to compromise communication channels, vehicle data/code, vehicle connectivity and connections, and backend servers’ connectivity.
As Internet of Things (IoT) devices, smart vehicles are susceptible to many vulnerabilities, including Log4Shell, a Bluetooth pairing flaw, and an in-vehicle infotainment operating system weakness, all included in recent CVE announcements. These vulnerabilities can be exploited to compromise vehicle-to-grid (V2G) infrastructure, firmware over-the-air (FOTA) updates, and in-vehicle infotainment (IVI) systems, and can be leveraged for distributed denial of service (DDoS) and ransomware attacks.
Investing in Secure CASE Vehicle Ecosystem
Already, there is an uptick in cyberattacks, such as ransomware, intellectual property theft, data exfiltration, and supply chain disruption, targeting automakers, original equipment manufacturers (OEMs), and Tier-1 and Tier-2 suppliers. Auto consumers are also directly impacted by cyber incidents such as personal data breaches, impersonation, and property loss. The possibility of remotely controlling a smart vehicle or interfering with the navigation system could also lead to potential safety issues for consumers.
Protecting against automotive cyber threats is challenging and complex. The challenge lies in the distributed nature of the industry, where there is total dependence on the supply chain. While an automaker may implement adequate cybersecurity controls, a supplier of an infotainment system whose software is vulnerable could be a weak link that leads to a successful cyber incident. There is also the possibility of malicious mobile apps being used to compromise connected vehicles. The complexity lies in the level of effort required to ensure that the more than 100 million lines of code are trustworthy.
Nonetheless, for the industry to survive and keep up with growth, CASE vehicle manufacturers must invest in cybersecurity controls to address vulnerabilities and emerging threats. Third-party suppliers must also implement appropriate controls. Controls include vehicle cybersecurity risk assessment, secure design and development best practices, code analysis and testing, patch management, secure software updates, data loss protection, encrypted communication channels, access controls, hardened operating systems, appropriate cloud protection, and automotive security operation centers (ASOC).
Governments should not only incentivize the production of smart vehicles; they should also create regulations that set appropriate minimum security requirements. A good starting point is the adoption of the United Nations Economic Commission for Europe’s (UNECE) WP.29 R155 & R156 regulations and the ISO/SAE 21434 standard.
Between Innovation and Cybersecurity, Why Not Both?
It is common knowledge that in the battle between innovation and cybersecurity, innovation will always win. Though this reality is costly, as shown by the number of successful cyber incidents, market demands still favor innovation. Auto consumers prefer innovative features and are willing to share personal data to take advantage of them.
Cybersecurity should not impede innovation. The focus should be on the integration of innovation and cybersecurity to shape the future of the auto industry. There is enough evidence to show that automakers would benefit more when Connected, Autonomous, Shared, and Electric vehicles are secure and safe. Just as ESG is marketed to achieve competitive advantage, we should strive to make sure that cybersecurity becomes equally influential to consumers in determining which brand to buy.
About the Author:
Funso Richard is an Information Security Officer at a healthcare company and a GRC Thought Leader. He writes on business risk, cybersecurity strategy, and governance.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire, Inc.