The transportation sector needs a standards-driven, industry-wide approach to cybersecurity
Despite the uncertainties of the last year, the transformation of the transportation sector forged ahead, dominated by the prevailing trend of CASE (Connected, Autonomous, Shared, Electrified) technologies.
Despite small setbacks caused by COVID-19 that impacted the automotive industry at large, analysts predict electric vehicle (EV) demand will continue on its upward trajectory in 2021, driven by new models, improved batteries, more readily available charging infrastructure, new markets, and price parity with traditional gas-powered vehicles.
As more countries adopt aggressive climate goals and announce plans to phase out gas-powered vehicles, demand for EVs will only continue to rise, jumping from 10% of vehicle sales to 58% by 2040. In the US, the Biden administration’s proposed climate change policies are expected to be a significant driver in the short term as well.
Further, autonomous driving draws closer to becoming an everyday reality as popular ride-share companies like Lyft invest heavily in this technology and new autonomous-only ventures like Zoox, acquired by Amazon, aim to enter the market. Wireless 5G technology will underpin the future success of CASE vehicles by providing more opportunities for seamless integration and rapid connectivity speeds. A key element that should remain at the forefront of these trends is a standardized approach to automotive cybersecurity that's prioritized as a safety issue.
Implications for the EV market
Less air pollution, reduced carbon emissions, and a future of improved energy security are exciting benefits of EVs, but they are not without risks. When you consider that the charging infrastructure, commercial EV fleets, and power grids/utilities are all part of the EV ecosystem, cybersecurity must become as critical for mainstream EV adoption as battery performance and other commonly touted aspects.
We have already witnessed attacks on electronic charging stations via the Near-Field Communication (NFC) card, which handles billing for EV charging. The ID cards have inherent vulnerabilities due to third-party providers not securing customer data. Research has shown malicious individuals can copy these cards and use them to charge other vehicles.
Another concern is related to traditional lithium-ion batteries, which are used in EVs and have the potential to explode. While this issue is being addressed by battery suppliers with investment in R&D, this safety effort must also consider the risk of cyberattacks. If it's known that a battery in an EV can explode, this may increase the likelihood that a bad actor will target this type of car with the intent to cause harm.
As EV battery technology advances, it’s imperative that comprehensive cybersecurity measures evolve and improve in parallel so automakers and technology providers can prevent this type of hacking from occurring.
Transportation cybersecurity: Risks to autonomous vehicles
As the AV industry advances, so will the incentives for hackers. There is an increased potential for financial crimes committed via ransomware attacks. Further, these attacks could cause vehicles to behave abnormally, potentially endangering human lives.
Robo taxis will most likely be the first AVs to hit the roads, and they are coming sooner than most consumers think. Unlike the current mobility landscape, in which there is a lack of clarity around who is responsible for what in the supply chain, the relationship between consumer and taxi provider is very well defined for robo taxis. The risk to the industry is much higher here, because if this emerging industry is deemed unsafe from the outset due to cybersecurity risks or early issues, it could be doomed to fail before it even has a chance to flourish.
Implications of rolling out 5G
Although 5G networks are still a work in progress for mobile operators, we’re well on our way to deployment across the automotive industry. Within the next three years, it’s projected that 5G-connected cars will grow from 15% in 2020 to 75% in 2023, reaching 94% in 2028.
While the expansion of 5G will be a boon for both in-vehicle systems and the manufacturing process, it also opens the door to new cybersecurity risks that will require every link in the supply chain to protect itself.
By 2028, vehicle-to-everything (V2X) communication, which is based on 5G, will be prominently used in all vehicles. This technology enables the exchange of messages both within and between vehicles, as well as infrastructure, pedestrians, cyclists and other elements, in order to improve road safety.
Considering that communications will start to go through cell towers, as opposed to traditional original equipment manufacturer (OEM) servers, it's important that security measures are integrated from the beginning. Since 5G technology also allows vehicles to connect with even more applications, each one will need its own centralized cybersecurity measures.
What can we do?
To address these risks adequately, it’s important that we understand a hacker’s goals and motives, as well as how they plan to attack their targets – in our case, vehicles.
As technology advances to include more applications between the vehicle and the “outside,” the avenues for attack (attack surfaces) multiply. Today, a large-scale attack will probably rely on exploiting the communication channel between the OEM and the vehicle itself (e.g., over-the-air). However, the aforementioned technologies are providing new communication channels that can be exploited. What was once a playground has become a Disneyland for attackers, with several software-driven systems that can be hacked.
With more opportunities for attack, the chance of finding a successful one increases, bringing down the cost to hackers. The result? Higher ROI for bad actors and an industry that must be ready for new malicious cyber entrants to the automotive ecosystem.
We must adopt a standards-driven, centralized and industry-wide approach to cybersecurity for all vehicles and their supply chains in order to ensure that the automotive sector can adapt to shifting demands and benefit from promising new technologies.
With the much-needed changes in the regulatory environment for automotive cybersecurity finally here in the new ISO 21434 standard and UNECE WP.29, the clock is ticking for the entire automotive ecosystem to act. In 2021, OEMs will need to identify practical ways to rapidly translate current and future policies into practical cybersecurity measures for the connected cars of today and the all-electric, level 5 autonomous vehicles of tomorrow.