Addressing the Cybersecurity Risks

With more vehicles connected to the cloud via telematic systems—and more to become connected to each other via vehicle-to-everything (V2X) mesh networks—the complexity of the network creates new nodes and potential entry points for cybersecurity breaches. Consequently, fleet owners and operators must consider the growing impact of cybersecurity, along with the financial and safety implications.

The industry and its stakeholders need to understand how to solve the growing exposure to cyberattacks. This article takes a look at the cybersecurity threats, the risks they create and the solutions the automotive industry is implementing—including the leadership role ZF’s new Commercial Vehicle Control Systems division is taking to address cybersecurity by leveraging its recent acquisition of WABCO, a leading global supplier of commercial vehicle technology.

The growing adoption of interconnected telematics systems and technologies such as IoT (Internet of Things) are changing the industry landscape.

"Fleets generate US $1 billion in inefficiencies every year, and interconnected technologies enable the transportation industry to optimize operations, cut costs and gain more accurate and granular tracking of vehicles and cargo," says Christian Urban-Seelmann, who leads the product risk assessment team in ZF’s Commercial Vehicle Control System division. "But at the same time, these technologies are introducing new financial and safety risks."

Safety: The commercial vehicle industry has a longstanding tradition of focusing on the functional safety of the trucks and their components. Based on years' worth of captured data related to vehicle dynamics controls, the industry has successfully mitigated safety hazards originating from the road. However, in the connected environment, functional safety also needs to mitigate risks that come from "off the road"—and that's what cybersecurity needs to take into consideration.

For example, cyber attackers could take advantage of the internet and cloud connectivity to send malicious commands to a vehicle and disable the brakes or manipulate steering. We saw a demonstration of this on the passenger vehicles side, when security researchers were able to slam the brakes and turn the steering wheel on a Jeep Cherokee by sending messages via the CAN. Doing the same in a commercial vehicle could have devastating results not just for the driver but also for other road occupants and the environment.

Addressing the off-the-road risks is a bigger challenge than on-the-road risk. Unlike road hazards, cyber attacks are more difficult to predict and modelize.

Financial: Industry stakeholders ranging from OEMs to fleet operators could be impacted financially due to cybersecurity shortcomings.

For OEMs, consider what happened to Fiat Chrysler. After researchers exposed the Jeep Cherokee security flaws, the company had to recall 1.4 million vehicles, including other models that shared the same vulnerability. The U.S. National Highway Traffic Safety Administration also opened an investigation, and the company's stock value dropped by 20% within two weeks of the hack disclosure.

For fleet operators, losses linked to cyber crimes can be very significant in multiple ways. From a financial standpoint, the direct repair cost to a damaged vehicle can be quite high. But, the indirect costs linked to stolen vehicles cargo value can also be substantial. The same is true for the value of lost contracts resulting from the damage to the reputation of attacked fleets. No type of cargo is currently spared by thefts because every transported good has a value.

Supply chain security is a major concern across all industries, but especially for the manufacturing and logistics sectors. Cargo theft has been growing in recent years, and the increasing amount of connected vehicles on our roads gives different stakeholders the opportunity to look for solutions.

According to the Transportation Asset Protection Association, the estimated average daily loss from supply chain was 378,058 EU in the EMEA region (Europe, Middle East and Africa) in 2019, and the combined loss of major crimes (100,000 EU or more) over 12 months was more than 96 million EU. In the US, the cost of cargo crime is estimated at 10-25 billion USD per year. Only a fraction of the thefts are actually reported, so the losses are much higher in reality.

Theft from road vehicles accounts for the majority of cargo thefts. In the past, the biggest problem was related to physical security. But supply chain security is evolving beyond the traditional environment to the digital realm.

Taking advantage of technology, cargo thieves could hack into an online tracking portal to access manifests, pick up information and other sensitive data; re-route cargo to a different destination by spoofing information; or pick up cargo using forged documents.

Up to now, automotive technologies have not taken a security-by-design approach. The industry is now recognizing the importance of cybersecurity; however, adoption of security measures has been slow.

A study commissioned by SAE International and Synopsis found that 84% of the nearly 16,000 IT professionals surveyed in the automotive industry were concerned that cybersecurity practices were not keeping up with the evolving technologies. Yet, 30% of the respondents said their organization didn't have a cybersecurity program or team, and 63% tested less than half of their technologies for vulnerabilities.

"Individual industries often come up with cybersecurity solutions that fit their unique needs," Urban-Seelmann says. "In the automotive sector, that's a challenge because off-the-shelf solutions cannot be applied to CVs due to the data processing limitations of embarked processors and their specific operational environment."

Since the potential solutions are very product specific, and mechanisms need to be embedded both in software and hardware, each solution is limited in fixing the flaws.

As a result of the emerging cybersecurity threats and the rising concerns about the associated risks, the industry has organized itself to work on the problem. Leaders from across the passenger and commercial vehicle sectors have been collaborating on defining solutions, and we're starting to see the results.

Regulatory bodies and industry groups are leading efforts to standardize cybersecurity requirements. In the long term, it is expected that providing a framework for the industry to follow will improve the cybersecurity environment.

Two current initiatives to standardize requirements are of note, spearheaded separately by UNECE and by ISO/SAE.

UNECE: The UN Task Force on Cybersecurity and Over-the-Air (OTA), established in 2016, has been working on an automotive cybersecurity regulation. The proposal includes requirements for vehicles (such as architecture design, risk assessments and security mitigations) and for the cybersecurity management systems (including governance and processes, cybersecurity culture and policies, and incident management and response).

The draft regulation included a test phrase in 2019, with more than 15 OEMs participating. Following the upcoming formal adoption of UN WP.29 of the UNECE regulation, new whole vehicle types will need to comply in 2022, and the rest in 2024.

Adopting these standards creates urgency for the industry. OEMs and suppliers do not have much time left to prepare for approval according to UNECE specifications without any additional effort in the future.

ISO/SAE: A joint project by ISO and SAE began in October 2016 to standardize automotive cybersecurity engineering. The main principles of ISO/SAE 21434 focus on a risk-oriented approach, as well as cybersecurity processes for all phases of vehicle lifecycle: design and engineering, production, operation, maintenance and service, and decommissioning.

The standard is in draft form, and a final draft is expected later in 2020 or in 2021.

Prior to being acquired by ZF in May 2020, WABCO has been part of the ISO/SAE and UNECE cybersecurity discussions, and started to implement the new ISO/SAE standards in 2017 when the first draft became available. Since then, we've implemented the majority of the requirements.

• ADOPT, or Autonomous Driving Open Platform Technology. Announced at IAA 2018, ADOPT is a cybersecurity-ready project in its early stages of innovation. It translates driving instructions from virtual driver applications (autonomous driving artificial intelligence) to real vehicle motion commands and enables the control of all the relevant vehicle actuation systems. The resulting vehicle motion control is executed under safety and efficiency principles, benefiting from ZF’s industry leading experience in vehicle dynamics and powertrain control.
• We have launched a new responsible-disclosure program for security researchers and others to submit security vulnerabilities directly to us. This program enables individuals to reach out to WABCO via an encrypted communication channel and contact one of our experts directly.

Over-the-air software updates, IoT (Internet of Things) and automated vehicles are among the other trends that will drive advances in the next generations of CVs. The industry will continue to transform and innovate, but progress is not possible without an emphasis in cybersecurity.

As the industry looks to the future, it's critical to understand the risks of these new technologies—and put mechanisms in place to address these risks. For our part, ZF will continue to advocate for and be an early adopter of cybersecurity, and accompany its fleets and OEM customers in their journey to implement the associated proven secure solutions. This starts by being certified in the new UNECE cybersecurity standards when the final document is published. And as new technology emerges, ZF will continue to be an active part of the conversation on how to ensure commercial vehicles are safe and secure.