With the ongoing rapid evolution in the automotive arena, are cyberattack threats also increasing? Moreover, are software-defined vehicles (SDVs) equipped to counter these threats? Naresh Neelakantan, Head of Cyber Security at Global Nexus, chats with EFY’s Mukul Yudhveer Singh.
Q. Where does cybersecurity stand in the changing automotive ecosystem?
A. Vehicles are becoming more personalised, accommodating user preferences from music to style, thus enhancing hyper-personalisation. However, this shift to a software-centric design increases complexity and potential exposure to personal data and privacy risks. As vehicles integrate more with personal devices such as smartphones and laptops, they become more vulnerable to external threats. Previously, vehicle components were isolated, but now, even battery powertrains are connected to the internet. Since the 2015 Jeep Cherokee hack, manufacturers have been proactive in implementing cybersecurity measures, especially as Indian manufacturers aim to export these vehicles globally, ensuring compliance with international cybersecurity standards.
Q. Could you elaborate on the potential scale of breaches and their consequences? Why would someone target a vehicle?
A. Earlier, vehicles were primarily personal transportation means, but now they are closely tied to their manufacturers’ reputations. An attack on a vehicle can tarnish a brand significantly, affecting its value—a key motive for hackers. For example, in the Jeep Cherokee incident, attackers exploited the telematics system. This was not just about stealing personal information; it was about demonstrating the vehicle’s vulnerabilities, affecting both personal safety and brand integrity.
Vehicles are increasingly software-driven, making them targets similar to other technology devices. Hackers might aim to prove a point about security lapses, or in some cases, inflict damage on a company’s market reputation.
Q. Considering the potential threats to brand image, is there also a direct threat to end consumers, particularly in terms of personal safety?
A. Absolutely, the threat to end consumers is significant. For high-profile individuals, like government officials or key figures in large organisations, the risks are not just about data privacy but also personal safety. A hacked vehicle could compromise physical security, making this a real concern. This is about more than just potential financial or reputation damage; it is about safeguarding human lives in an increasingly connected world.
Q. Recently, there was news about certain car brands in the US becoming favourites for thieves. Is this related to their cybersecurity and digital vulnerabilities?
A. Yes, the case you are referring to involves Hyundai and Kia. This situation underscores the broader cybersecurity challenges within the automotive industry. Even though modern vehicles are equipped with advanced security systems such as firewalls, intrusion detection, and IoT access management, vulnerabilities still exist, particularly in areas like key fobs and vehicle immobilisers. These components can be manipulated through various attacks, including Bluetooth, NFC, or man-in-the-middle attacks, allowing unauthorised access to the vehicle. This kind of vulnerability points to the need for manufacturers to strengthen both the digital and physical security features of vehicles.
Q. Does this suggest we revert to traditional physical locks?
A. Enhancing the security of electronic systems is crucial. Vehicles today communicate through complex protocols between devices such as smartphones or key fobs and the vehicle’s electronic systems. These communications are potential targets for hackers, especially through man-in-the-middle attacks. The key is to implement multiple layers of security, similar to strategies used in internet security. We are not necessarily looking to make systems unhackable—which is nearly impossible with advancing technologies like AI and quantum computing—but rather to make them less economically viable to hack. The cost of breaching the vehicle’s security should outweigh the potential gains from such an attack.
Q. Considering the threats you have outlined, could the logistics industry be particularly vulnerable?
A. Absolutely, the logistics industry faces significant cybersecurity risks, particularly as supply chains extend globally. Modern logistics rely heavily on technology, from GPS tracking to fleet management systems, all interconnected and potentially vulnerable to cyberattacks. For example, knowing a vehicle’s location, status, or even the driver’s actions could expose the fleet to hijacking or theft, especially when transporting high-value goods. As the industry evolves, so do cybersecurity measures. In essence, while the potential threats are substantial, the advancements in cybersecurity are turning these challenges into opportunities for better security protocols and system resilience.
Q. Given the reliance on Tier 1 suppliers for security systems and software, is this dependency a strength or a potential weak point for OEMs?
A. It is a bit of both. These suppliers are integral to the automotive supply chain, acting almost as ‘Tier 0.5’ due to their close collaboration with OEMs in developing vehicle components, except for assembling the cars themselves. This collaboration is generally a strength as it allows for specialised expertise in each component, including security systems. However, it also introduces potential vulnerabilities, especially if communication or security standards between these entities are not uniformly strict. For robust cybersecurity, it’s critical that vulnerabilities and exposures are shared not only within the network of an individual OEM and its suppliers but across the industry through mechanisms like the common vulnerabilities and exposures (CVE) databases. This practice is mandated in the EU and parts of North America, enhancing transparency and collaborative defence strategies.
Q. Given the complex supply chain from Tier 1 to Tier 3 suppliers, is there a systemic risk or potential for a ‘blockchain’ of security where the integrity depends on every link?
A. It is neither a straightforward ‘blockchain’ of security nor necessarily a systemic loophole. In the automotive industry, from OEMs to Tier 1 and Tier 3 suppliers, there’s a complex interdependence. Each level of the supply chain contributes to the final product’s security, and they all operate under strict confidentiality agreements and shared security standards. However, this does not make the system foolproof. The integration of components and software from various suppliers does create a scenario where the overall security is as strong as the weakest link. This necessitates a uniform approach to cybersecurity across all tiers, which is challenging given the diverse sources of components and varying levels of security expertise. OEMs and Tier 1 suppliers often ensure that there is a common language or protocol, like AUTOSAR for automotive software architecture, which helps maintain a baseline of security standards. But even with these protocols, individual companies may differ in how they implement and manage security, which can introduce variability in the system’s overall robustness.
Q. As we look ahead, what are the emerging solutions in vehicle cybersecurity, particularly regarding the role of hardware and electronics?
A. The integration of hardware and software is critical in defining the security landscape of modern vehicles. Over the past several years, there has been a notable shift, especially in Europe and the US, towards recognising the importance of hardware in securing automotive systems. This includes the deployment of hardware security modules (HSMs) and trusted execution environments (TEEs), which are essential for safeguarding cryptographic keys and executing sensitive operations securely. Moreover, OEMs and their suppliers are increasingly focused on making this sophisticated hardware more accessible worldwide, recognising that security must be a global standard, not confined to specific regions. Ultimately, the collaboration between OEMs, Tier 1, and Tier 2 suppliers in developing and implementing these security measures is key to advancing vehicle cybersecurity. This collaborative approach ensures that security is a core aspect of the automotive design and supply chain, rather than a peripheral concern.
Q. Could standardisation across regions help address these discrepancies?
A. Standardisation can indeed streamline processes and ensure a uniform level of security across different regions, which is beneficial for managing the global supply chain more effectively. However, broad exposure of these standards can also pose risks by potentially making the systems more predictable and vulnerable to attacks. To balance these concerns, there is a movement towards developing specific standards for the automotive supply chain, such as TISAX (Trusted Information Security Assessment Exchange), which addresses security within automotive development and validation processes. The idea is to create highly secure operational environments, similar to those in the banking sector, where sensitive operations are isolated and protected.
Q. With the discussion that it is nearly impossible to manufacture an EV without including some elements sourced from China, does this integration pose a security risk for EVs and their users? Can this risk be mitigated?
A. The presence of Chinese components in EVs doesn’t necessarily pose an intrinsic security threat, mainly because these components are often basic materials with a monopoly dominated by China due to cost advantages. The key security concern is not just about where the components come from but how they are integrated and managed within the vehicle’s broader system.
If the concern is around the direct integration of complete component kits (CKD kits) that include more than just raw materials—perhaps including electronics and software elements—the risk could indeed be higher. However, if manufacturers focus on sourcing raw materials only and then build the rest of the components elsewhere, they can maintain greater control over the assembly and software integration, thereby mitigating potential security risks.
The challenge lies in the cost. Chinese suppliers typically offer a price advantage that is hard to match elsewhere. As manufacturing scales up globally and other regions improve their capacity and cost efficiency, there may be more opportunities to diversify sourcing without relying heavily on Chinese components.
While there is a perceived risk from integrating Chinese components into EVs, this can be managed by careful design and manufacturing choices. Manufacturers need to ensure that any critical software and hardware integration is done under strict security guidelines, regardless of the origin of the materials. This strategic approach can help mitigate potential security vulnerabilities while addressing economic realities.