Up to 700 million connected cars will be part of the Internet of Vehicles (IoV) in the next 3-5 years, suggesting that the number of cybersecurity incidents will rise, according to Trend Micro.
The Taiwan-based cybersecurity solution supplier on April 19 released a report on the global cyber risk index for 2021. Major automakers, including Tesla, BMW, Lexus, Mitsubishi, and Volkswagen, have all encountered more than one cyber attack each since 2015, highlighting the potential risks associated with the future IoV, according to the report.
A smart connected car relies on the effective integration of IT, OT, and CT systems, as well as cloud and data analysis services, said Wu Tzong-chen, advisor to Hon Hai Research Institute and distinguished professor at National Taiwan University of Science and Technology.
In the past, a vehicle's controller area network bus (CAN bus) was limited to internal control with no outward data flow, so the security risk was low. Once vehicles are connected to the IoV, a single cyber threat can permeate a vehicle's IT, OT and CT systems, Wu said.
Many vehicle communications protocols follow the practices of the Internet of Things, but there are already known loopholes, and the loopholes might give rise to new threats if they are incubated in new environments, said Fan Chun-i, chairman of the Chinese Cryptology and Information Security Association and dean of National Sun Yat-sen University's College of Engineering.
Security is safety
As vehicles involve intricate integration of various systems, their operations bear on the safety of drivers and passengers, Fan said.
Cyber defense systems will be viewed as a "must-have" rather than just a "nice-to-have," as industry suppliers used to consider them, he said.
Equipped with advanced driver assistance systems (ADASs) and related sensors, a vehicle will function as a mobile data center with distributed computers, so a cyberattack in the IoV can be very impactful, he added.
If a cyber threat to a vehicle is comparable to a threat to life, a connected vehicle will need more solid defense plans than those used in consumer electronics and IoT devices. The electric vehicle (EV) supply chain must gear up to improve the cyber defense systems of vehicles and compliance with related laws, Fan advised.
Threats likely to permeate interconnected systems
A connected car consists of many complex subsystems, dozens of microcontroller units (MCUs), and hundreds of independent systems and applications. Once a hacker identifies a weak spot in any of a vehicle's OT, CT, or IT systems, they can navigate the systems and go straight to their target.
At its design stage, CAN bus did not take cybersecurity protection into consideration, said Simon Teng, senior director of Arm's automotive partnership in the APAC region. If any malicious actor gains access to a vehicle's systems, they can manipulate the car through the interconnected MCUs, he said.
Cybersecurity for connected cars is not just about the car itself, but about the entire supply chain behind the car, said Trend CIO Max Cheng.
Once vehicles become electric and connected, Taiwan's automakers will have to make sure a car's individual components and software are equipped with sufficient defense tools to keep hackers at bay, he said.
While cybersecurity for the IoV is at a nascent stage, cyberattacks targeting IoV devices will proliferate in type and channel in the future, he said.
Auto industry suppliers should follow the "security by design" approach, while monitoring any security loopholes that might emerge during system integration, he said.
Trend Micro CIO Max Cheng.
Photo: Michael Lee, DIGITIMES, April 2022
Since Arm started devoting efforts to developing automobile applications, it has acquired an 85% market share in the sector of vehicle-related processors and in-vehicle infotainment (IVI) systems and a 55% share in the sector of processors supporting ADAS and other sensors, Teng said.
If Arm can equip basic vehicle components with proper cybersecurity tools, the tools will lay solid foundations for the vehicle's hardware, software, and applications, so in-vehicle devices can tackle complex cybersecurity problems through standardized mechanisms, which is just what "security by design" means, he said.
Arm is committed to promoting cybersecurity in vehicles because it knows the importance of foundational security, Teng said, adding that it is not enough to stop attacks at the levels of software and applications.
CyCraft co-founder and CSO Tsung Pei-kan also endorsed the security by design principle. The company is part of the Security & OTA division of the open EV platform Mobility in Harmony (MIH), led by Foxconn.
A developer of multimedia systems or dashboards should be able to incorporate cyber attack detection into their product design, but the most difficult part is how to establish the detection procedures, Tsung said.
Taiwanese manufacturers used to do their own work separately and move on to system integration afterward - an approach which cannot be applied to cybersecurity, he said.
Rather, all suppliers should join forces to set up specifications at every step, so they can adopt consensus standards for hardware, software, and application programming interfaces (APIs), he said.
Law compliance is just basic
The auto industry was most familiar with the ISO 26262 standards, which focus on the functional safety of road vehicles. With the increasing popularity of EVs, the ISO and SAE have specified detailed standards for electrical and electronic systems in road vehicles, known as ISO/SAE 21434, effective from 2021.
In June 2020, the UN Economic Commission for Europe (UNECE) introduced two new regulations on vehicle cybersecurity and software updates, known as R155 and R166. Since January 2021, all assembled cars or components sold to the EU have to comply with the two regulations.
The two regulations can almost directly push carmakers and their suppliers to boost investment in cybersecurity, as they require vehicle software and cloud operations to be equipped with features that can detect and respond to cyber risks, Tsung said.
Given that there are concrete standards for vehicle cybersecurity, law compliance is just a basic requirement for automakers and their suppliers, he said.
Law compliance is one thing, while making products consistently meet the requirements is another, Cheng said.
There are ample opportunities for Taiwanese suppliers to cut into the automobile industry, but most are at the "testing the water" stage, he said.
To enter the industry, Taiwanese companies should focus on hardware and software integration, promoting package solutions rather than single components, and they ought to consider cybersecurity risks when developing products, he said.
Automakers will conduct safety tests for products made by Tier 1, Tier 2, and Tier 3 suppliers, in a bid to choose the ones with the best cybersecurity solutions, he added.
Fundamentally, cybersecurity solutions are valuable not because of the actual values they generate, but because of the losses they can help prevent, Fan said.