Securing vehicles as they become platforms for code and data

In this Help Net Security interview, Robert Knoblauch, CISO at Element Fleet Management, discusses how the rise of connected vehicles and digital operations is reshaping fleet management cybersecurity. He points to growing risks like API breaches, tampering with onboard diagnostics, and over-the-air update attacks, and explains how a layered zero-trust model and practical use of AI help tackle them.

Knoblauch also shares how predictive analytics and real-time data are driving proactive security and safety across both digital and physical fleet assets.


How has your security strategy evolved as more vehicles, devices, and operations become connected and digitized?

Our security strategy closely aligns to what we are seeing in the automotive and transportation industry. It’s a very exciting time for the world when we look at macro trends such as fleet electrification and automobile autonomy/automation. There are foundational aspects which still hold true (such as the example of security being like the brakes in a car: they allow the car to travel faster), but we are in the dawn of hyperconnected cars – think of the car as a mobile data bank.

Telematics, maintenance information, real-time alerting and prompts all help the driver increase safety and security. Securing our fleet is a cyber-physical safety mission. Our strategy hinges on layered zero-trust, continuous visibility, and integrated response, reinforced by AI at both the edge and in the cloud.

The threat landscape has accelerated. ICE (internal combustion engine) and limited technical capabilities have been around since the early 1900s, but now the consumer has much more personalized options and digital capabilities within the car’s ecosystem. Therefore, it is a priority for fleet management companies to anticipate, withstand and recover from attacks on wheels and wires alike.

With telematics, GPS, and onboard diagnostics increasingly connected, what emerging threats concern you the most?

There are four key threats which are the most pressing in 2025:

Compromised web/telematics APIs

There are numerous, real-world examples of OEM security controls being exploited and bypassed to allow thieves to enter and, in some cases, drive cars without the “key” that we have been accustomed to.

OBD/diagnostics injection and component hacks

Recently security researchers have demonstrated real-world attacks against connected cars, such as wireless brake manipulation on heavy trucks by spoofing J-bus diagnostic packets. Another very recent example is successful attacks against autonomous car LIDAR systems (tricking cars into believing there is an obstacle on the road or not).

While the distribution of EV and advanced cars becomes more pervasive across our society, we expect these types of attacks and methods to continue to grow in complexity, which makes a continuous, real-time approach to securing the entire ecosystem (from charger, to car, to driver) even more important.

Backend & OTA infrastructure attacks

According to Statista and Goldman Sachs research, the average new vehicle in 2025 embodies up to 650 million lines of code. The major attack vectors traditionally fall into wireless backdoors—being able to unlock cars, disable safety systems, and intercept or alter telematics information.

Over-the-air (OTA) update hijacking is very real and often enabled by poor security design, such as lack of encryption, improper authentication between the car and backend, and lack of integrity or checksum validation.

Attack vectors that the traditional computer industry has dealt with for years are now becoming a harsh reality in the automotive sector. Luckily, many of the same approaches used to mitigate these risks in IT can also apply here, and I believe we’ll see original equipment manufacturers (OEMs) continue to innovate and evolve “native” security into the automobile.

Supply-chain abuse & API abuse threat landscape

When we look at just the automobile, we have a variety of connected systems (the infotainment system, diagnostics, etc.) which typically all come from different manufacturers (Android Automotive, or QNX as examples), which increases the potential for supply chain abuse. We also have devices which the driver introduces (such as the phone) which interact with the car’s APIs (like Spotify or weather services or Google Maps), creating new entry points for attackers.

Recently we have seen attacks coming from EV chargers (which collect data from the connected car) which can be exploited for various purposes. I think third party application integration right now is the weakest link, as we have seen plenty of attacks since the 2010s exploiting CAN bus commands to allow hackers to remotely start/stop vehicles, bypass security defenses and even remotely activate windshield wipers.

What visibility do you aim to have into your mobile or field assets from a security perspective?

Our goal is to achieve continuous, risk-based observability in a few different approaches:

Asset and configuration inventory – Vehicle Identification Number (VIN)-level bill of materials (also known as a software bill of materials, or SBOM), firmware versions, security patch status, and electronic control unit (ECU) health are all drivers in providing real-time asset management. Our objective is to achieve the same level of depth and insight for a vehicle on the road as we have for a server in our data center or a workstation used by one of our team members.

Behavioral telemetry – Real-time Controller Area Network (CAN bus) and Unified Diagnostic Services (UDS) event baselines, GPS path deviations, sensor anomalies, and driver-assist overrides all contribute to increased safety for both the vehicle and the driver. A significant recent shift involves not just collecting real-time data on the car itself but also monitoring the state of the driver, and then intelligently matching vehicles to drivers to provide the most optimal, safe, and secure solution for our clients.

Threat signal correlation – On-edge AI correlates multi-ECU events with alert prioritization, allowing the driver to react to what matters most while reducing the noise from less critical events. The hyperconnected car generates an immense volume of real-time data, and making sense of that information is something we continually strive to do so our clients can focus on what matters most.
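The behavioral-telemetry idea above (CAN bus event baselines, anomalies, and diagnostic activity that should not happen while driving) can be shown in code. The following is an added example written for this page, not code from Element Fleet Management or from the interview: it learns per-identifier frame rates from a clean window of candump-style log lines, then flags identifiers never seen in the baseline, identifiers whose rate spikes well above baseline, and UDS diagnostic requests that arrive while the vehicle is moving. The log lines are constructed, the speed identifier and its encoding are placeholders, and the threshold is an assumption; the UDS request identifiers (0x7DF functional, 0x7E0-0x7E7 physical) are the conventional OBD-II addresses.

```python
"""Behavioural CAN baseline with three detections: unknown IDs, rate spikes,
and UDS diagnostic requests while moving.  Standard library only."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# candump-style line: "<seconds> <bus> <ID>#<DATA>"
LINE = re.compile(r"^(?P<ts>\d+\.\d+)\s+\S+\s+(?P<id>[0-9A-Fa-f]{3,8})#(?P<data>[0-9A-Fa-f]*)$")

# Conventional OBD-II/UDS request identifiers (functional + physical).
UDS_REQUEST_IDS = {0x7DF} | set(range(0x7E0, 0x7E8))
# Placeholder for this example: a "vehicle speed" frame whose first byte is km/h.
SPEED_ID = 0x0C4
MOVING_KMH = 5


def parse(log: str) -> List[Tuple[float, int, bytes]]:
    """Parse log text into (timestamp, arbitration id, payload), sorted by time."""
    frames = []
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            frames.append((float(m["ts"]), int(m["id"], 16), bytes.fromhex(m["data"])))
    frames.sort(key=lambda f: f[0])
    return frames


def rates_per_second(frames: List[Tuple[float, int, bytes]]) -> Dict[int, float]:
    """Frames per second for each arbitration id over the observed window."""
    if not frames:
        return {}
    span = max(frames[-1][0] - frames[0][0], 1e-3)
    counts = Counter(f[1] for f in frames)
    return {cid: n / span for cid, n in counts.items()}


def learn_baseline(log: str) -> Dict[int, float]:
    return rates_per_second(parse(log))


def detect(log: str, baseline: Dict[int, float], rate_factor: float = 3.0) -> List[str]:
    """Return human-readable alerts for a window of traffic against a baseline."""
    frames = parse(log)
    alerts: List[str] = []
    for cid, rate in rates_per_second(frames).items():
        if cid in UDS_REQUEST_IDS:
            continue  # diagnostics are judged by vehicle state below, not by rate
        if cid not in baseline:
            alerts.append(f"unknown ID 0x{cid:03X} ({rate:.0f}/s)")
        elif rate > baseline[cid] * rate_factor:
            alerts.append(f"rate spike on 0x{cid:03X}: {rate:.0f}/s vs baseline {baseline[cid]:.0f}/s")
    speed = 0
    for ts, cid, data in frames:
        if cid == SPEED_ID and data:
            speed = data[0]
        elif cid in UDS_REQUEST_IDS and speed > MOVING_KMH:
            alerts.append(f"UDS request 0x{cid:03X} at t={ts:.3f} while moving ({speed} km/h)")
    return alerts


def _lines(cid: int, data: str, period: float, n: int, start: float = 0.0) -> List[str]:
    """Constructed log generator: n frames of one id at a fixed period."""
    return [f"{start + i * period:.3f} can0 {cid:03X}#{data}" for i in range(n)]


# Constructed clean window: stationary vehicle, two periodic broadcast ids.
BASELINE_LOG = "\n".join(_lines(0x0C4, "00000000", 0.01, 100) + _lines(0x1A0, "1122", 0.02, 50))

# Constructed suspicious window: vehicle at 40 km/h, 0x1A0 flooded 4x,
# an id never seen before, and two diagnostic-session requests.
ATTACK_LOG = "\n".join(
    _lines(0x0C4, "28000000", 0.01, 100)
    + _lines(0x1A0, "1122", 0.02, 50)
    + _lines(0x1A0, "1122", 0.005, 150)
    + _lines(0x3E0, "FF", 1.0, 1, start=0.500)
    + _lines(0x7DF, "0210030000000000", 0.01, 2, start=0.300)
)

if __name__ == "__main__":
    base = learn_baseline(BASELINE_LOG)
    for alert in detect(ATTACK_LOG, base):
        print(alert)
```

Rate baselines are deliberately coarse; a production deployment would learn per-ID timing distributions per vehicle and gate the "while moving" rule on an authoritative speed signal rather than a single placeholder frame.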

Can you share how your team approaches incident response when the event impacts both digital infrastructure and physical fleet operations?

Our crisis response capabilities report into the CISO. Our incident response playbooks treat a car, the EV charger it may be connected to, the telematics gateway, and the cloud platforms/backend infrastructure as one integrated, end-to-end platform. This coordinated approach reduces our total cost of ownership for managing this threat and increases the effectiveness of our security and monitoring processes.

Our cyber and fleet operations work together but have different areas of focus. Our SOC analysts respond to attacks which are constant and always evolving. Traditional methods such as threat intelligence, SIEM/log correlation and prioritized response are still very valuable, foundational capabilities which keep our company and clients safe.

Fleet managers benefit from our technology by being able to respond to conditions affecting the car and/or driver in very similar manners. Examples include warning drivers of adverse road conditions or of maintenance issues, which can not only impact the route of the day but also prevent more serious issues which could occur due to a lack of visibility and proactive risk management abilities. One great example in this regard is brakes (continuing the example from the first question).

We used to wait “for the squeak” to indicate that brakes need changing. Now we can provide maintenance alerts that this task is upcoming, so our clients can schedule service proactively before it becomes a serious problem.

How do newer technologies like AI, predictive analytics, or over-the-air updates factor into your security planning?

It is only very recently (considering the history of automobiles) that we have these capabilities of over-the-air patching and software updates being provided directly to the car. I believe the computer industry has learned a lot over the years in how patches should be managed and deployed to a fleet of computers. The examples of what has worked (and what hasn’t) have extended nicely into the automotive industry. Very similar approaches such as hardening the OTA pipeline (TLS encryption, signed binaries, atomic rollback) allow fleet managers to update vehicles on a constant basis – ensuring we have the “best foot forward” with the best security capabilities delivered by our OEMs and through our own products and services.

Predictive analytics is also a significant game changer, enabling detection of electronic control unit misbehavior, driver fatigue patterns, and anomalous sensor fusion, while reducing false positives and vehicle downtime.
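The OTA hardening points raised in this answer (authenticated manifests, integrity validation, and a rollback-safe install) map onto a small update gate. The following is an added example written for this page, not code from Element Fleet Management, any OEM, or the interview. It checks the manifest authentication tag, the payload hash, and a monotonically increasing version before writing the image into the inactive slot of an A/B layout, so a rejected or corrupted update never disturbs the running image. To stay standard-library only, an HMAC tag stands in for the asymmetric signature (for example Ed25519) a real OEM would use; the key, the ECU model string and the image bytes are constructed for the example.

```python
"""OTA update gate: authenticate manifest, verify payload, refuse downgrades,
install into the inactive A/B slot.  Standard library only."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed demo key. A real pipeline verifies an asymmetric signature
# (e.g. Ed25519) with a public key burned into the ECU; HMAC stands in here.
MANIFEST_KEY = b"demo-only-manifest-key"


def canonical(manifest: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes = MANIFEST_KEY) -> str:
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def build_update(version: int, payload: bytes, model: str = "demo-ecu") -> Tuple[dict, str, bytes]:
    """Backend side: manifest binds version, target model and payload hash."""
    manifest = {"version": version, "model": model, "sha256": hashlib.sha256(payload).hexdigest()}
    return manifest, sign_manifest(manifest), payload


@dataclass
class Ecu:
    """Vehicle side: two image slots, one active, plus the installed version."""
    model: str = "demo-ecu"
    slots: Dict[str, bytes] = field(default_factory=lambda: {"A": b"factory-image", "B": b""})
    active: str = "A"
    version: int = 1

    def verify(self, manifest: dict, tag: str, payload: bytes) -> Optional[str]:
        """Return None if the update is acceptable, else the rejection reason."""
        if not hmac.compare_digest(tag, sign_manifest(manifest)):
            return "bad signature"
        if manifest.get("model") != self.model:
            return "wrong model"
        if not hmac.compare_digest(hashlib.sha256(payload).hexdigest(), manifest["sha256"]):
            return "payload hash mismatch"
        if manifest["version"] <= self.version:
            return "downgrade or replay"
        return None

    def apply(self, manifest: dict, tag: str, payload: bytes) -> Tuple[bool, str]:
        """Atomic install: write the inactive slot, re-verify, then flip."""
        reason = self.verify(manifest, tag, payload)
        if reason:
            return False, reason
        inactive = "B" if self.active == "A" else "A"
        self.slots[inactive] = payload
        # Re-hash what was actually written; a corrupted write leaves the old slot active.
        if hashlib.sha256(self.slots[inactive]).hexdigest() != manifest["sha256"]:
            return False, "write verification failed"
        self.active, self.version = inactive, manifest["version"]
        return True, f"active slot {inactive}, version {manifest['version']}"


if __name__ == "__main__":
    ecu = Ecu()
    print(ecu.apply(*build_update(2, b"image-v2")))
    m, t, p = build_update(3, b"image-v3")
    print(ecu.apply(m, t, b"image-v3-tampered"))
    print(ecu.apply(*build_update(1, b"image-v1")))
```

The version check is what turns "signed binaries" into anti-rollback: a correctly signed but older image is still refused, so an attacker who captured a legitimate earlier update cannot replay it to reintroduce a fixed bug.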
