Cybersecurity: How to Protect Vehicles

As mobility becomes increasingly digital and connected, protection against hacker attacks is becoming ever more important. As early as 2022, compliance with cybersecurity standards will be mandatory for new vehicle registrations in many countries.
Jan Wienrich, March 04, 2021
Jan Wienrich has been working as a cross-media publisher at ZF for several years. He specializes in topics ranging from automated to autonomous driving.
Automation and connectivity are driving the transformation of mobility and increasingly turning vehicles into "computers on wheels." And just as computers are targets for cyber criminals, so are modern vehicles.

Cars today consist of over 100 million lines of software code, and the number is growing. In a few years, it could be over 300 million lines, according to management consultants McKinsey. By comparison, a passenger aircraft has an estimated 15 million lines of code, and the operating system of a mass-market PC close to 40 million. This enormous amount of code in vehicles offers hackers numerous opportunities for cyberattacks.

We probably have to revise our image of cyber criminals, though. "Many people think of the hacker in the black hoodie, crouching in his dark cellar. But when it comes to cyber attacks in the automotive sector, we're also dealing with organized crime, industrial espionage and the theft of know-how," says Manuel Götz, head of the ZF AI & Cybersecurity Center. Controlling a single car in order to steal it is not worth the effort; hacking a vehicle is too complex for that. "For the most part, it's about stealing data," says Michael Eisenbarth, responsible for cybersecurity at the ZF AI & Cybersecurity Center. In the case of commercial vehicles, theft of the goods is also conceivable as a motive, and in the future — with a higher degree of automation — the hijacking of entire fleets.

100 control units, 100 potential points of attack

But how do cyber criminals manage to get their hands on vehicle data in the first place? "Hardly anyone tries to tap the encrypted information in transit today. The encryption is too complex for that. Instead, hackers are targeting vulnerabilities at the ends — the vehicle itself, the backend or the networked infrastructure," says Eisenbarth. Cars now have around 100 different control units. Each of them contains its own software and they are all connected. Thus, every ECU is a potential gateway for cyber criminals and must be protected accordingly.
"On the ECUs, there is not enough computer capacity for the encryption that would otherwise be used. This is a potential vulnerability," explains Eisenbarth. To close this gateway, manufacturers and suppliers are increasingly using hardware security modules (HSMs): physical modules on which the key is stored directly and which protect and manage it. "Such hardware security modules will soon be an integral part of every ECU," Eisenbarth adds.

Infrastructure: Entry points, traffic lights and charging stations

Another potential gateway for hackers is the increasing connectivity of vehicles with their environment. Vehicles will be more and more connected to other vehicles, to the traffic infrastructure and to the cloud. V2X communication will grow considerably with increasing automation. Vehicles will communicate more frequently with traffic lights, traffic signs, with charging stations and with cell phones. And it is precisely these infrastructure parts that are mostly still very poorly secured. This makes it all the more important to protect the vehicle against cyber attacks from outside, for example, with a firewall.

Cybersecurity standards become mandatory

The topic of automotive cybersecurity has become increasingly important in recent years and will continue to do so. The UNECE World Forum for Harmonization of Vehicle Regulations (WP.29) has developed two new regulations that make cybersecurity mandatory for the approval of new vehicle types. The regulations will apply to passenger cars, vans, trucks and buses and include specifications for four distinct disciplines:
  • Managing vehicle cyber risks
  • Securing vehicles by design to mitigate risks along the value chain
  • Detecting and responding to security incidents across the vehicle fleet
  • Providing safe and secure software updates and ensuring vehicle safety is not compromised, introducing a legal basis for over-the-air updates to on-board vehicle software.
In the European Union, the new cybersecurity regulation will be mandatory for all new vehicle types from July 2022 and for all new vehicles produced from July 2024. Other countries such as South Korea and Japan also want to adopt the regulation.
In parallel, the automotive industry is developing the standard ISO/SAE 21434, "Road vehicles – Cybersecurity engineering," within the International Organization for Standardization (ISO) and the Society of Automotive Engineers (SAE). It is due to be published in 2021 and aims to address cybersecurity in the engineering of electrical and electronic (E/E) systems within road vehicles. Use of the standard is intended to help manufacturers keep up with changing technologies and cyber-attack methods.

A holistic approach to cybersecurity

"We are already very far along in implementing the standards. We make them mandatory in the development of our products," says Götz. For the company, however, the topic of cybersecurity encompasses more than the implementation of standards. "We take a holistic approach to the topic. This ranges from threat assessment and software delivery to secure over-the-air updates," says Götz.
For this reason, the company has also established the ZF AI & Cybersecurity Center in the German city of Saarbrücken. The Center works closely with research institutions such as the renowned Helmholtz Center for Information Security (CISPA) and conducts research with them on future cybersecurity technologies. The ZF AI & Cybersecurity Center also develops basic principles for various ZF business units and provides support for customer projects. For threat monitoring, ZF works closely with, and is a member of, the Automotive Information Sharing and Analysis Center (Auto-ISAC), an organization of OEMs and suppliers in the U.S. that aims to strengthen the global automotive industry against cyber threats and to enhance cyber-attack resilience and response.

But no matter how well automotive manufacturers and suppliers prepare for cybersecurity, there will always be a race against the cyber criminals. This is also due to the fact that mobility continues to change - new digital products and services are emerging. "Cloud services, fleet management and predictive maintenance are topics that are becoming more and more important for us. Our products and services are becoming more and more digital, and with them the importance of cybersecurity is increasing," says Götz.
