08.08.2024
Cyber Attacks: Protecting Our Vehicles
Robert Lambert, Head of Security Consulting, ETAS
Christopher Lupini, Senior Cybersecurity Consultant, ETAS
Zachariah Pelletier, Regional Solution Field Manager North America, ETAS
As cybersecurity professionals, we’re keenly aware of, and interested in, recent cyber attacks. Attacks occur when someone deliberately attempts to exploit weaknesses in computer systems, networks or devices to gain unauthorized access, steal data, disrupt operations or cause damage. Attacks occur in a variety of ways – malware, phishing, data breaches – and no one, individual or organization, connected to the Internet or using digital technologies is safe, as we’ve recently seen.
On May 8, 2024, Ascension Health System was a victim of ransomware, a type of malicious software (i.e., malware) designed to block access to a computer system or encrypt the data it contains until a sum of money (i.e., a ransom) is paid. The attack affected 140 hospitals across 19 states and Washington, D.C., freezing electronic health records, patient portals and phone systems used for ordering tests, procedures and medications. It took nearly one month for Ascension to get everything back online.
And of course there was the ransomware attack on CDK Global, a software company used by more than 15,000 car dealerships across the U.S. and Canada, in mid-June. The attack took down systems used for sales, inventory and customer relationships for three weeks and, according to this Detroit Free Press article, will cost the nation’s dealerships over $1 billion, including revenue missed from over 56,000 lost new car sales.
Are vehicles at risk?
This “trend” is concerning on many levels and should be top of mind to those of us in vehicle cybersecurity, because it’s not a situation of “if” it will happen, it’s “when” and “how big.” This is because advancing connectivity and digital technology, including back-end systems and external communication channels connected to the vehicle, increases the attack surface in vehicles. These systems and channels include:
- Websites retrieved by the vehicle (e.g., via the on-board infotainment system)
- Messages retrieved/interpreted by the vehicle (e.g., emails, SMS, MMS)
- Personal devices
- OEM or supplier back-end systems (e.g., servers that contain software for over-the-air updates)
- Third-party back-end systems and/or devices (e.g., fleet-monitoring services)
- Traffic infrastructure (e.g., traffic management systems, toll systems)
But we can’t just look at the vehicle itself. Our ever-evolving connected world means we also need to consider attacks on the external application programming interfaces (APIs) that connect the vehicle to the back-end infrastructure vehicles are now using. This isn’t something that could happen; it has happened.
Take traffic infrastructure, for example, including traffic management systems and toll systems: an attack on those could easily infiltrate a vehicle. Then there are EV charging systems, which are plugged into the grid infrastructure. Again, an attack on that infrastructure could impact vehicles.
And if we go back to the “not if, but when” mindset, we can point to attacks that have already happened. The most “famous” are Jeep and Tesla, but as outlined in this paper by Sam Curry, multiple automakers, including luxury brands, are at risk of an attack. An attack can range from locking critical in-vehicle components to taking or leaking critical in-vehicle data – all done remotely.
Protecting the vehicle
This isn’t to say it’s all doom and gloom when it comes to vehicle cybersecurity. There are several current approaches and solutions, with more being worked on each day.
One example is securing the complete vehicle system, from individual ECUs to connected services in the back-end. This provides multiple lines of defense, including securing the E/E architecture, integrating vehicle intrusion detection and prevention solutions (IDPS), and providing strong back-end access control for all vehicle-related assets, interfaces and functionalities.
But while this is good for now, it’s important to note that as we transition to the software-defined vehicle (SDV), the risk will increase – more software equals more attack surfaces. In addition to an increase in the use and availability of open-source software, the larger systems, operating systems and communication that will be present in SDVs are similar to the IT targets we see being hacked today. These larger, more concentrated and high-performance computers make the SDV a reality, but at the same time, provide a greater target for hackers.
It's safe to say that protecting the vehicle against attacks will not happen without industry collaboration, and thankfully, this is already happening. The Automotive Information Sharing and Analysis Center (Auto-ISAC), an industry-driven community working to enhance vehicle cybersecurity capabilities across the global automotive industry, has working groups tying in IT and its “cousin” OT (operational technology) to product security.
In addition, there is a lot of collaboration between the National Highway Traffic Safety Administration (NHTSA), National Institute of Standards and Technology (NIST) and Cybersecurity and Infrastructure Security Agency (CISA) to help address today’s and future vehicle cybersecurity challenges. In fact, in March 2022, President Biden passed the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), requiring immediate reporting of all cyber incidents that occur in any industry.
A key point to remember in all this is that not all scenarios or malfunctions have a hacker behind them. It’s critical to properly and thoroughly analyze vehicle behavior to determine if something is caused by a bug in the software or a hack. This is where vehicle security operations centers (VSOC) play an integral role, providing continuous surveillance of a digital network to detect malicious activity and respond to threats.
ETAS solutions
With 30 years of software and cybersecurity experience, our ETAS team offers expertise and solutions to automakers and suppliers.
- Penetration (pen) Testing: Applicable to vehicles and charging infrastructure, this testing involves a simulated attack of the target system and all its components and applications. The tester attempts to identify and overcome the system’s defense mechanisms, just like a hacker would, with results shedding light on weaknesses or potential errors in the implementation caused by faulty installation, components from a third party, faulty interaction of system components, or others.
- Back-end Systems Expertise: From individual mobile apps through enterprise software, ETAS has experience in developing, addressing and securing back-end applications. And from a testing standpoint, we have capabilities for operating systems, cloud infrastructure, server hardening weaknesses, web applications, mobile applications, corporate networks, APIs and more. This is especially critical for mobile and web vehicle management apps provided by the OEMs and over-the-air (OTA) software delivering updates to the vehicle.
- ESCRYPT IDPS: Provides a holistic solution of permanent monitoring to identify rising security threats, establish dedicated incident response and maintain a stable level of security through the vehicle’s lifecycle. Our IDPS includes:
  - CycurIDS: a network-based intrusion detection system for the CAN bus. It can be calibrated to manufacturer-specific data with an optimized and validated configuration that runs simulations based on the recorded network traffic and through automated analysis of detection and error rates, providing a high detection rate with a low level of false alarms.
  - CycurGATE: an automotive firewall offering protection against denial-of-service attacks and supporting permitted Ethernet communication through the domain structure. Integrated directly into the Ethernet switch, it can be used on the switch as a library or as a stand-alone solution.
  - CycurGUARD: back-end product monitoring based on big data analysis technologies that collects and analyzes anomaly reports of operating vehicles. It identifies acute threats, referring to an extensive and continually updated database of known attack patterns.
  - VSOC: a managed security service adapted to the specific requirements of the manufacturer or fleet. Providing 24/7 worldwide coverage, it’s a holistic offering combining in-vehicle intrusion detection as well as vehicle back-end, threat detection and dedicated security operations center services.
Moving forward, working together
As the news continues to report on cyber attacks across all industries, many in the vehicle cybersecurity community sit on pins and needles wondering when it will be hit and how big the impact will be. But it doesn’t have to be that way, because while we have a large learning curve to stay ahead of hackers, we have the knowledge and expertise to develop better proactive measures – all we have to do is work together to make it happen. Let’s collaborate to avoid being the next attack victim.