It is hard to miss the frightening headlines about car hacking scenarios. But in reality, there’s more to automotive cyber security. Hackers may be individuals seeking financial gain, groups that have an issue with a particular brand, or even state actors who see vehicles as gateways to massive personally identifiable information (PII) hauls. The threat scenarios will vary, but stealing data is the most likely motivation.
The real stories we’ll see will look like this: a hacker lurks in back-end systems and vehicle networks to extract data and sell it or hold it for ransom. A nation state’s cyber offense team manipulates indicators, like a gas gauge, to sow confusion and distrust among drivers, undermining a particular company’s brand. Unlike the attention-grabbing research done by white hat hackers, like the 2015 Jeep hack or the Zubie vulnerability identified in 2014, future hackers won’t simply focus on headline-grabbing vehicle takeovers. They’ll seek to take advantage of this irresistible mix of personal, payment, and behavioral data that our connected cars increasingly collect.
Hackers have been after data for decades, and connected vehicles are an untapped bounty. So automakers are learning to ask: what vehicle data could be valuable to criminals? To hacktivists? To nation-states? Locations, VIN numbers, personal driver information, status of vehicle features, third-party app accounts, vehicle performance data: the amount and variety of data is growing exponentially as capabilities increase.
The reality is clear: vehicle data is the target. This leaves automakers two options. Either turn it off and minimize the data flowing through the vehicle to reduce the value of the target, or figure it out and invest in protecting vehicle data systems to make an attack more cost-prohibitive.
Turning it off is a non-starter. With connectivity comes the potential for increased safety, enhanced quality, improved brand experience, and new revenue streams. Connectivity fundamentally transforms how we interact with the vehicle, the road, and the automaker. Connectivity is a can't-miss opportunity, and, as a result, automakers are doubling down on connectivity and proactively taking on vehicle cyber risk. They've stood up an Automotive Information Sharing and Analysis Center to pool threat intelligence resources and share vehicle vulnerabilities. Many have hired cyber experts and are starting to build vehicle cyber security teams.
As automakers try to build on these initial wins, however, they are quickly finding that there is no proven “playbook” for vehicle cyber security. The good news is they don't need to start from scratch. The automotive industry faces a threat landscape familiar to the myriad of industries that have been managing cyber risk for decades.
To fast-track their success, automakers are learning from the successes and failures of counterparts across these other industries. Three key points have emerged:
- A lesson from Government: Define the mission and identify a leader. Shortly after declaring cyber the fifth domain of war, the Defense Department stood up the U.S. Cyber Command to protect its systems, manage risk, and coordinate with external partners. This action emphasized that cyber security isn’t about engineering a solution to a static problem; it means fighting an adaptive enemy. That requires a new mindset for automakers that are more accustomed to worrying about the competition than an enemy. Standing up and empowering a leader and dedicated team, similar to what GM has done, is a critical first step to enable this transformation. A clear mandate, a dedicated pool of resources, articulated lines of authority, and consistent decision-making structures help calibrate and execute the mission.
- A lesson from Retail: Don’t just focus on enterprise IT. Recent large-scale retail hacks emphasize that an attack can start outside of more traditional entry points. Translating this insight to automotive means engineers can’t work the challenge alone: they need close partnerships with internal partners, suppliers, third party app developers, telecoms, payment processors, dealerships, consumer technology companies, and many more. Cyber won’t work in isolation. For some organizations, it’s best to place cyber in IT or operations; others find greater success when cyber sits in its corporate core. No matter the organizational and interaction model, close coordination across the organization and external partners is key.
- A lesson from the Banks: Use data to your advantage. Financial institutions are using data to streamline and prioritize their efforts. Advances in data science mean situational awareness can now be more complete, near real time, and actionable, enabling more informed decision making. Data science helps leaders identify potential incidents sooner to minimize the damage, and better understand the adversary. It helps with prioritization to make and justify smarter investment decisions. And when organizations face a similar threat landscape, sharing information with partners and the competition can drive decision-making that outsmarts the enemy.
Automakers recognize cyber security is the foundation to enable the future for vehicle connectivity and autonomy, which are tremendous opportunities for the industry. They know its value: vehicle cyber security will keep customers safe, keep their data private, and protect the brand experience. Taking action on vehicle cyber security now empowers automakers to get ahead of—and potentially shape—industry standards around cyber threat levels, supply chain, and liability. It can also decrease the attractiveness of each company and the industry as an “easy” target.
With recent headlines of vehicle hacking, customers now demand cyber protections. The companies that earn customer trust through vehicle cyber security will save lives, safeguard consumer data, and protect market share. Looking beyond the industry to learn best practices will help automakers get ahead.