Automotive hacks are on the rise while innovative technology such as electric, autonomous and/or software-defined vehicles have exponentially increased the potential threats. So the cybersecurity community meets to learn, share and react. (Photo by Sean Gallup/Getty Images)
“Putin is a d***head. Glory to Ukraine.”
That’s what hacked electric vehicle chargers read, amongst other things, at disabled charging stations near Moscow recently. And as much as it brings a smile to the faces of many around the world, it highlights a point made by several researchers and developers who assembled last week at escar 2022 (a conference that focuses on deep, technical developments in automotive cybersecurity each year): automotive hacks are on the rise. In fact, per Upstream Automotive's report, the frequency of cyberattacks has increased a whopping 225% from 2018 to 2021, with 85% conducted remotely and 54.1% of the 2021 hacks carried out by "Black Hat" (a.k.a. malicious) attackers.
In the midst of listening to various, real-world reports at this conference, a few things became evident: there is both good news and bad news based upon the ever-required focus in this critical area.
In its very simplest terms, the bad news is that technological advances are only making Zero Day events more likely. "Modern electric vehicles incorporate more technology than older models, which means they have a greater attack surface," states Jay Johnson, a Distinguished Researcher from Sandia National Laboratories. "There are already 46,500 public chargers available as of 2021, and by 2030 the market demand suggests there'll be approximately 600,000." Johnson went on to delineate the four primary charger interfaces of interest and a preliminary subset of identified vulnerabilities along with recommendations, but the message was clear: there needs to be an ongoing "call to arms." That, he suggests, is the only way to avoid such things as the Denial of Charging attacks in Moscow. "Researchers continue to identify new vulnerabilities," states Johnson, "and we really need a comprehensive approach of sharing information about anomalies, vulnerabilities and response strategies to avoid coordinated, widespread attacks on charging infrastructure."
Electric cars and their associated charging stations are not the only new technologies and threats. The "software-defined vehicle" is a semi-new architectural platform (arguably employed 15+ years ago by General Motors and OnStar) that some manufacturers are headed toward to combat the billions of dollars being wasted on continually redeveloping each vehicle. The basic structure involves hosting much of the vehicle's brains offboard, which allows for reuse and flexibility within the software but also presents new threats. Per the same Upstream report, 40% of the attacks over the last few years targeted back-end servers. "Let's not fool ourselves," warns Juan Webb, a Managing Director from Kugler Maag Cie, "there are many places throughout the automotive chain where attacks may happen ranging from manufacturing to dealerships to offboard servers. Wherever the weakest link exists that's the cheapest to penetrate with the greatest financial implications, that's where the hackers will attack."
Therein, part of what was discussed at escar was the bad-news-good-news (depending upon your perspective) of the UNECE regulation going into effect this week for all new vehicle types: manufacturers must show a robust Cybersecurity Management System (CSMS) and Software Update Management System (SUMS) for vehicles to be certified for sale in Europe, Japan and eventually Korea. "Preparing for these certifications is no small effort," states Thomas Liedtke, a cybersecurity specialist also from Kugler Maag Cie.
First and foremost, the best news is that companies have heard the rallying cry and have minimally begun to instill the necessary rigor to combat the aforementioned Black Hat foes. "In 2020-2022, we have seen an increase in corporations wanting to conduct a Threat Analysis and Risk Assessment or TARA," states Liedtke. "As part of those analyses, the recommendation has been to focus on remotely-controlled attack types since these lead to higher risk values."
And all of this analysis and rigor initially appears to be having an effect. Per a report provided by Samantha ("Sam") Isabelle Beaumont of IOActive, only 12% of the vulnerabilities found in their 2022 penetration testing were deemed "Critical Impact" versus 25% in 2016, and only 1% were "Critical Likelihood" versus 7% in 2016. "We are seeing present risk remediation strategies starting to pay off," states Beaumont. "The industry is getting better at building better."
Does that mean the industry is done? Certainly not. "All of this is a continuous process of hardening the designs against evolving cyberattacks," Johnson suggests.
Meanwhile, I'll celebrate the last piece of good news I gleaned: the hackers abroad are busy hacking Russian assets rather than my social media feed.