Cyberattacks are an increasingly common occurrence for a spectrum of industries. Rising cybercrime affects everyone, but certain sectors are more at risk than others. In 2023, the auto industry could face particularly significant dangers.
Attacks in the automotive space can impact automakers, automotive fleets, and consumers alike. Reducing these risks will be crucial as more cybercriminals seek to capitalize on the sector’s vulnerabilities.
A Growing Problem
The need for automotive cybersecurity first came into the spotlight in 2015, when 1.4 million vehicles were recalled in the first and so far only security-related car recall. This came after researchers demonstrated how an attacker could remotely control a connected car. Since then, internet-connected vehicles and attacks targeting the industry have only become more common.
In June 2020, a car manufacturer halted production across most of its North American plants after a ransomware attack. Manufacturing has become a popular target for cybercriminals, with ransomware leading the charge. As a particularly high-value manufacturing sector, auto production stands as a tempting target.
This trend will likely grow as cybercrime and automotive vulnerabilities rise. The auto industry could see a wave of cyberattacks in 2023, causing significant damage if it doesn’t adapt to new security needs.
Why the Auto Industry Is at Risk
Connected cars are one of the most significant factors driving these risks. These vehicles feature connectivity and include autonomous features, so attackers have more potential entry points and can do additional damage once inside. Self-driving vehicle sales could reach 1 million units by 2025 and skyrocket after, so these risks will grow quickly.
Automakers also face risks from connected manufacturing processes. This trend has emerged in other sectors that have embraced IT/OT convergence. One-quarter of energy companies reported weekly DDoS attacks after implementing Industry 4.0 technologies. Their attack surfaces will increase as car manufacturers likewise implement these systems.
The auto industry is also largely unprepared to deal with sophisticated cyberattacks. Automakers aren’t used to dealing with advanced IT systems, so they may lack an understanding of security risks and best practices. Knowing this, attackers may target them more frequently in hopes of an easier payday.
How to Prevent Auto Cyberattacks
These risks are concerning, but successful attacks aren’t inevitable. The industry can take several steps to prevent and mitigate their impact.
1. Securing Manufacturing Processes
First, automakers must secure Industry 4.0 systems in their manufacturing plants. Designating a dedicated security coordinator is the first step in transportation security, after which automakers can address site-specific risks.
One of the most important changes to make is segmenting networks. All IoT devices should run on separate systems from more sensitive endpoints and data to prevent lateral movement. Encrypting IoT communications and changing default passwords is also crucial.
Manufacturers should update these systems regularly, including using updated anti-malware software. Restricting user access and training all employees on best security practices is also important, as insider risks could pose a significant threat. Since threat landscapes are constantly evolving, automakers should conduct regular penetration tests, too.
2. Securing Connected Cars
Automotive security also means remediating vulnerabilities in the vehicles themselves. The National Highway Traffic Safety Administration (NHTSA) outlines several protection methods for connected cars, including:
- A risk-based identification and protection process for vehicle systems critical to passenger safety.
- Rapid detection and response systems.
- Architecture to mitigate potential breaches, ensuring an attack doesn’t turn dangerous.
Connected cars’ internal systems should resemble other business networks. Intrusion detection systems should scan for anomalies and isolate any potentially affected systems. Critical systems must be able to function apart from connected features for this to work in a vehicle context. Data encryption and verification for firmware updates are also important.
Security controls shouldn’t depend on users because of how dangerous vehicle breaches can be. For example, drivers should not be able to use weak passwords or refuse to install updates.
3. Securing Fleets
Securing corporate vehicle fleets is another crucial part of automotive cybersecurity. Businesses and their security partners should secure their vehicle telematics systems.
Telematics security begins with being more selective about devices and services. Businesses should research potential telematics providers to ensure they meet high security standards before partnering with them. Next, they should restrict access to these systems as much as possible, following the principle of least privilege.
As with the IoT systems in manufacturing processes, businesses should segment telematics networks and update these devices regularly. The automotive industry must also hold device manufacturers to a higher standard, requiring more security features like advanced encryption to come built in.
Automotive Cybersecurity Must Improve
Many people, including automakers, don’t realize the dire need for automotive cybersecurity. Cybercriminals are targeting the industry with increasing frequency and intensity, and security standards within it must change.
Manufacturing processes, connected cars, and telematics systems must embrace better security practices. It could cost millions in damage and even endanger human lives if they don’t.
About the Author: Dylan Berger has several years of experience writing about cybercrime, cybersecurity, and similar topics. He’s passionate about fraud prevention and cybersecurity’s relationship with the supply chain. He’s a prolific blogger and regularly contributes to other tech, cybersecurity, and supply chain blogs across the web.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire, Inc.