Cyber Threat Expansion

The automobile used to be an essentially isolated mechanical device that could be tampered with or stolen only through direct physical contact, and even then only one vehicle at a time could be targeted. We are now entering an era in which connectivity enables attackers to target millions of vehicles simultaneously and remotely.

The cyber attack surface of the connected vehicle has expanded greatly. Within seconds, a malware infection or ransomware attack can disable, or take control of, entire fleets of cars and trucks and hold them until a ransom is paid. But the threat now extends far beyond theft and damage: an attack that interrupts a vehicle's operation can cause loss of control and collisions, and injury and loss of life on a large scale.

Across the entire vehicular ecosystem, manufacturers, suppliers, insurance companies, fleet operators, telematics providers, mobile network operators and the other participants must pay unrelenting attention to automotive cyber security, because lives depend on it. People who use and manage connected vehicles must be able to trust that these highly connected and automated means of transportation are adequately protected from cyber attacks.

A Layered Approach

The connected vehicle has become a complex local area network on wheels with enormous processing power, vast data storage and numerous communication channels. Virtually all of the vehicle’s functional subsystems participate in the network.

The connected vehicle ecosystem can be decomposed into five interlinked types of systems, shown in the accompanying diagram.

Connected vehicles consume and store vast volumes of data. At the open-IT end of the spectrum (the bottom of the diagram), incidents such as false positives and methodologies such as post-attack investigation are acceptable, just as they are in the open-system IT world. In such open systems the set of legitimate behaviours is too complex and numerous to model, so we have to depend on heuristics, machine learning and other reactive methods to identify and deal with attacks. But as we move toward safety-critical operations (to the right of the diagram), the vehicle's subsystems must be maintained as closed systems with a deterministic capability that prevents attacks rather than reacting to them.

Deterministic security requires that the universe of acceptable operating states be modelled comprehensively, and that no communication or process execution can take the subsystem outside that realm. Because such a mechanism is threat-agnostic, no attack of any type, foreseen or new, and from any source, can compromise a safety-critical ECU or its communication.
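The following is an added illustration of the closed-system, deterministic approach described above; it is not code from the page. The set of acceptable inbound frames to a safety-critical ECU is modelled in advance (identifier, payload length, fastest legitimate period and a plausible signal range), and any frame outside that model is dropped, whatever the attack behind it. The CAN-style frame layout, the identifiers 0x100, 0x200 and 0x7DF, the limits and the sample trace are all assumptions constructed for the example.

```python
"""Deterministic allow-list filter for a safety-critical ECU's inbound traffic.

Added illustration, not code from the page. The model of acceptable frames is
fixed up front; anything not matching it is dropped without any knowledge of
the attack. The frame layout, identifiers, limits and trace are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class FrameSpec:
    dlc: int                                        # exact payload length in bytes
    min_interval_ms: int                            # fastest legitimate period
    signal_range: Optional[Tuple[int, int]] = None  # allowed value of data[0]


@dataclass(frozen=True)
class Frame:
    can_id: int
    data: bytes
    t_ms: int                                       # receive time in milliseconds


class DeterministicFilter:
    """Admit a frame only if the model explicitly allows it."""

    def __init__(self, model: Dict[int, FrameSpec]) -> None:
        self.model = model
        self.last_accepted: Dict[int, int] = {}     # can_id -> t_ms of last pass

    def check(self, frame: Frame) -> str:
        spec = self.model.get(frame.can_id)
        if spec is None:                            # unknown ID: not in the model
            return "drop: id not in model"
        if len(frame.data) != spec.dlc:             # wrong length: not in the model
            return "drop: length"
        last = self.last_accepted.get(frame.can_id)
        if last is not None and frame.t_ms - last < spec.min_interval_ms:
            return "drop: rate"                     # faster than any legitimate sender
        if spec.signal_range is not None:
            lo, hi = spec.signal_range
            if not lo <= frame.data[0] <= hi:       # physically impossible value
                return "drop: signal out of range"
        self.last_accepted[frame.can_id] = frame.t_ms
        return "pass"


# Assumed model for two safety-critical signals (illustrative values only).
SAFETY_MODEL: Dict[int, FrameSpec] = {
    0x100: FrameSpec(dlc=2, min_interval_ms=10, signal_range=(0, 100)),  # brake pedal, percent
    0x200: FrameSpec(dlc=4, min_interval_ms=5),                          # steering torque
}

# Constructed trace: legitimate traffic, then a flood, an impossible value,
# an identifier outside the model and a malformed frame.
SAMPLE_TRACE: List[Frame] = [
    Frame(0x100, b"\x20\x00", 0),
    Frame(0x100, b"\x25\x00", 10),
    Frame(0x100, b"\x64\x00", 20),
    Frame(0x100, b"\x64\x00", 23),      # 3 ms after the last accepted frame: flood
    Frame(0x100, b"\xff\x00", 30),      # 255 percent pedal travel: out of range
    Frame(0x7DF, bytes(8), 40),         # ID not in the safety model
    Frame(0x200, b"\x00\x00", 45),      # wrong payload length
    Frame(0x200, b"\x00\x10\x00\x00", 50),
]


def run_trace(model: Dict[int, FrameSpec], trace: List[Frame]) -> List[str]:
    """Return the filter's verdict for each frame of the trace, in order."""
    flt = DeterministicFilter(model)
    return [flt.check(f) for f in trace]


if __name__ == "__main__":
    for frame, verdict in zip(SAMPLE_TRACE, run_trace(SAFETY_MODEL, SAMPLE_TRACE)):
        print(f"t={frame.t_ms:3d} ms  id=0x{frame.can_id:03X}  {frame.data.hex():<8}  {verdict}")
```

Note that none of the four drop decisions depends on recognising the attack: the flood, the impossible pedal value, the foreign identifier and the malformed frame are all rejected simply because they fall outside the modelled behaviour, which is the threat-agnostic property the text describes. A real deployment would also need to model multi-byte signals, counters and authentication, which this example leaves out.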

This is what distinguishes automotive cyber security from other forms of data protection: for safety-critical functions it must prevent attacks, not merely detect and respond to them.


Risk and Mitigation

There is no silver bullet for automotive cyber security. Solutions must be selected and implemented in a continuous process that takes into account changes in the automotive market, in technology and in the nature of cyber threats.

OEMs must develop a comprehensive assessment of the cyber security risks that may affect any system's normal operation. The RISK ASSESSMENT AND MITIGATION PLAN must include:

  • The severity of each risk, based on its impact on system operation
  • The probability that each risk will materialize in the target system
  • For each risk, a full description of the actions required to reduce both the probability of the event and its severity
  • A proactive process that carefully analyses the cyber ecosystem, the system architecture and the implementation of its components, so as to discover weak points and exploits that can evolve into risks in the future

The RISK ASSESSMENT should plot each risk's Risk Severity (RS), scored from 1 to 5 (1 = lowest severity, 5 = highest), against its Probability of Materialization (PM), scored from 1 to 3 (1 = low, 2 = medium, 3 = high probability).

Then, for each risk, determine:

  Risk Factor (RF) = Risk Severity (RS) × Probability of Materialization (PM)

yielding a Risk Factor between 1 and 15 for any live risk. Once a risk has been eliminated its probability is recorded as 0, giving a Risk Factor of 0, as in the last row of the tracking table below.

Next, determine MITIGATION MEASURES for each risk. Assign mitigation of the risk to a person or team along with a target for a measurable risk reduction by a certain date.

Both the RISK ASSESSMENT and MITIGATION PLAN should be an ongoing practice; they must be reviewed and updated regularly.

How automotive OEMs can track their RISK ASSESSMENT and MITIGATION PLAN

Risk description: Malware gaining control over the safety-critical ECU
Team leader:                         Team members:                         Budget ($): x

Risk status                                             Mitigation     Milestones
Date        Severity   Probability   RF (Risk Factor)   measure        Start time   Target resolution
01.20.17    5          3             15                 Action #1      01.2017      04.2017
02.20.17    5          2             10                 Action #2                   RF=10
03.20.17    4          1             4                  Action #3                   RF=4
04.20.17    4          0             0                  Action #4                   RF=0
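The register below is an added example of how the RISK ASSESSMENT AND MITIGATION PLAN described in this section can be kept as code rather than in a spreadsheet; it is not code from the page. It scores severity on the 1 to 5 scale and probability on 0 to 3 (0 meaning eliminated, as in the last row of the tracking table), computes the Risk Factor as their product, validates the inputs, and reviews each risk against its assigned owner, reduction target and target date. The four status rows reproduce the tracking table above; the owner name and the concrete target (RF=0 by 30 April 2017) are assumptions.

```python
"""Risk register for the RISK ASSESSMENT AND MITIGATION PLAN.

Added example, not code from the page. Severity is scored 1-5 and probability
0-3 (0 = eliminated); the Risk Factor is their product. The sample rows come
from the page's tracking table; the owner and target date are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

SEVERITY_RANGE = range(1, 6)      # 1 = lowest severity, 5 = highest
PROBABILITY_RANGE = range(0, 4)   # 0 = eliminated, 1 = low, 2 = medium, 3 = high


def risk_factor(severity: int, probability: int) -> int:
    """RF = RS x PM, with both inputs validated against the scoring scales."""
    if severity not in SEVERITY_RANGE:
        raise ValueError(f"severity {severity} outside 1-5")
    if probability not in PROBABILITY_RANGE:
        raise ValueError(f"probability {probability} outside 0-3")
    return severity * probability


@dataclass(frozen=True)
class Status:
    on: date
    severity: int
    probability: int
    action: str               # mitigation measure taken or planned at this review

    @property
    def rf(self) -> int:
        return risk_factor(self.severity, self.probability)


@dataclass
class Risk:
    description: str
    owner: str                # person or team assigned the mitigation
    target_rf: int            # measurable reduction target ...
    target_date: date         # ... and the date by which it must be reached
    history: List[Status] = field(default_factory=list)

    def record(self, on: date, severity: int, probability: int, action: str) -> int:
        """Append a dated status row and return its Risk Factor."""
        if self.history and on < self.history[-1].on:
            raise ValueError("status rows must be recorded in date order")
        status = Status(on, severity, probability, action)
        self.history.append(status)
        return status.rf

    @property
    def current_rf(self) -> Optional[int]:
        return self.history[-1].rf if self.history else None

    def trajectory(self) -> List[int]:
        """Risk Factor at each review, oldest first."""
        return [s.rf for s in self.history]

    def review(self, today: date) -> str:
        """'met' once the target RF is reached, 'overdue' past the target date, else 'open'."""
        if self.current_rf is not None and self.current_rf <= self.target_rf:
            return "met"
        return "overdue" if today > self.target_date else "open"


def build_sample_register() -> Risk:
    """The tracking table's rows, entered as they would be over four monthly reviews."""
    risk = Risk(
        "Malware gaining control over the safety-critical ECU",
        owner="ECU platform security team",           # assumed; blank in the table
        target_rf=0,                                  # assumed from the RF=0 milestone
        target_date=date(2017, 4, 30),                # assumed from the 04.2017 target
    )
    risk.record(date(2017, 1, 20), 5, 3, "Action #1")  # RF 15
    risk.record(date(2017, 2, 20), 5, 2, "Action #2")  # RF 10
    risk.record(date(2017, 3, 20), 4, 1, "Action #3")  # RF 4
    risk.record(date(2017, 4, 20), 4, 0, "Action #4")  # RF 0: eliminated
    return risk


if __name__ == "__main__":
    r = build_sample_register()
    for s in r.history:
        print(f"{s.on}  RS={s.severity}  PM={s.probability}  RF={s.rf:2d}  {s.action}")
    print("owner:", r.owner, " review on target date:", r.review(r.target_date))
```

Because the register refuses out-of-scale scores and out-of-order entries, a review that shows a falling trajectory can be trusted to reflect recorded mitigation steps rather than typing errors, and `review()` turns the "measurable reduction by a certain date" requirement into a check that can be run at every scheduled update of the plan.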

Reducing the Risk to All of Us

Securing the automotive ecosystem is an ongoing process. Its purpose is to ensure the safety and security of drivers and passengers, of the vehicles themselves and of the other participants in road traffic, and to protect the security and privacy of the data generated by the vehicles and by the other components of the ecosystem.

The ecosystem includes many components and stakeholders. Its size and complexity expose an enormous attack surface that has to be fully protected against cyber attacks.