What a perfect time for the Indian automotive market. Unbelievably the new growth charts logged by the automotive market is getting more promising for the future determining automotive technology. The automotive market was on an upward trajectory throughout 2021 despite the second wave of the pandemic. Between March and May 2021, global automotive sales contracted by around 18.6 percent globally. Following the outbreak, automobile sales at post-pandemic levels throughout the months has been well recovering. It is projected that trends such as electric vehicles, autonomous driving, and mobility services will continue to fuel the market, leading to an overall recovery in the coming quarters. It is projected that the global automotive industry will grow to just under nine trillion U.S. dollars by 2030. It is anticipated that new vehicle sales will account for about 38 percent of this value. Globally, Volkswagen Group and Toyota Motor are the leading carmakers in terms of revenue. The Japanese auto giant generated almost 250 billion U.S. dollars in revenue in 2020, while Volkswagen raked in a little more than 245 billion U.S. dollars.
According to Invest India, India’s annual production in FY 2020 was 26.36 Mn vehicles. In the Automobile market in India,
- Two-wheelers and passenger cars accounted for 80.8% and 12.9% market share, respectively, accounting for a combined sale of over 20.1 mn vehicles in FY20. Passenger car sales are dominated by small and midsized cars.
- Overall, Indian automobile export reached 4.77 million vehicles in FY20, implying a CAGR of 6.94% between FY16-FY20. Two-wheelers constituted 73.9% of the total vehicles exported, followed by passenger vehicles at 14.2%, three-wheelers at 10.5%, and commercial vehicles at 1.3%.
Why Are Automotive Cyber Security Standards Important?
Every point of connection is a potential ‘in’ for hackers. At the most extreme end automotive cyber security risks can be terrifying – namely, hackers taking remote control of a vehicle. This is not just theory.
In November 2020, university researchers critical hacked into and stole a Tesla Model X in about two minutes. All they needed was a key fob, a Raspberry Pi and a replacement engine control unit. This kit cost around $200.
But the more likely threat is that bad actors will intercept car data for financial reasons. For example, installing malware into a vehicle’s operating system, and then demanding payment for removing it.
Regrettably, these attacks are already happening. Upstream Security reported a 605 percent rise in incidents since 2016. It says six in ten were carried out by criminals intending to disrupt businesses, steal property and demand ransoms. Clearly, the automotive industry does take automotive cyber security standards seriously. Manufacturers are working hard to defend against threats, and bodies such as the Car Connectivity Consortium (CCC) provide a forum for sharing standards and insights.
However, what is really needed is a shared framework for measurable action by all participants in the value chain. Experts have been saying this for years. In 2014, digital security specialist Craig Smith published The Car Hacker’s Handbook.
Cyber-Attacks in Advanced Automotive
Auto industry is growing to be sweet-spot for cyber attackers, but why? Indeed, the list of automakers who suffered major disruptions to cyberattacks is alarming. But it’s just the tip of the iceberg, according to experts. We have to remember that the auto industry is handled by about 60 automakers or OEMs, which is owned by 14 massive global companies. These are the brands we all know and love (like Kia).
Hundreds of suppliers support the OEMs. The largest ones are the Tier 1 suppliers – some of them manufacture up to 99% of the complete vehicle. The suppliers must also be prepared. They know that automotive manufacturers can’t afford any operational disruption. They also understand that the automotive industry is one of the leading sectors in digitization and automation, making it more vulnerable to cyber-attacks.
In a blog post published June 2020, one of the booming companies KIA MOTORS faced the cyber-attack. But we do need to worry and be prepared for the option that it reached Hyundai through its supply chain. If the attack reached Hyundai through its supply chain, like in the successful SolarWinds attack that compromised up to 18,000 SolarWinds customers, it can affect the entire automotive industry states Otoria.com.
Real-time Sensor Anomaly Detection in Automated Vehicles
Anomalous sensor values caused by either malicious cyber-attacks or faulty vehicle sensors can result in disruptive consequences, and possibly lead to fatal crashes. The increase in connectivity and automation has led to the scrutiny of in-vehicle network architectures used by automotive manufacturers and evaluation of vulnerabilities in their resiliency against such anomalous behavior. For instance, the dedicated short-range communication (DSRC) technology is currently used to facilitate communication within connected networks.
Various internal and external cyber-attack surfaces exist in CAV systems, i.e., the entry point of the attack, which may enable hackers to access and compromise the safety and integrity of CAVs. Typical internal attack surfaces include in-vehicle devices, GPS system, onboard diagnostics (OBD) system, vehicle sensors including the controller area network (CAN) bus, and other sensors required for CAV operation.
Cyber Risks to the Enterprise
Car safety has to be supported by an enterprise-wide program that coordinates cyber defenses across all production platforms, internal operations, and supply chains. A weakness in one area can infect the rest of the enterprise and result in, for example, car failure, factory slowdowns, the hacking of customer data, or the theft of intellectual property. There are several obvious entry points for intruders, including factory machines, 3D printing, auto finance arms, and supply chains.
Understanding Ransomware Signals
At least one possible high-severity vulnerability due to out-of-date systems: 91% of automotive
companies have more than 1,000 leaked credentials on the deep web, which opens the door for phishing campaigns. Exploiting the vulnerabilities that allow remote code execution is trending in the ransomware community. Even though it is not as easy as using RDP ports, it is not as tiresome as (spear) phishing.
Susceptibility to phishing: Although the number of phishing incidents associated with ransomware attacks is declining, it is still a major attack vector for ransomware variants, such as conit v2. It is essential to take necessary actions to prevent phishing/spoofing within cybersecurity departments across the board, no matter the attack vector.
Publicly visible critical ports: A publicly visible critical port is a critical resource ransomware groups exploit. Although the use of ports is declining each year, it remains the easiest way to upload a ransomware kit. Cybercriminals can easily scan open ports with autonomous tools.
At least one credential found in lists shared on deep web in the last 90 days: Phishing attacks, which commonly use leaked credentials, have historically been the #1 attack vector in ransomware attacks. Gaining access through credential-stuffing attacks has been one of the top methods for hackers in recent years. The combo lists shared on the dark web day after day and tools that automate the attacking process help increase credential-stuffing attacks. Accessing networks using leaked credentials bypasses many cybersecurity countermeasures and poses a significant risk for ransomware attacks.
Experienced a data breach in the past: History tends to repeat itself. Cybercriminals target organizations that do not consistently deploy due diligence and make cybersecurity a priority within the business. Cybercriminals anticipate security issues and vulnerabilities to remain present for exploitation if the cybersecurity investment is not adequate.
Cybersecurity standards become mandatory
The topic of automotive cybersecurity has become increasingly important in recent years and will continue to do so. The UNECE World Forum for Harmonization of Vehicle Regulations (WP.29) has developed two new regulations that make cybersecurity mandatory for the approval of new vehicle types. The regulations will apply to passenger cars, vans, trucks and buses and includes specifications for four distinct disciplines:
- Managing vehicle cyber risks
- Securing vehicles by design to mitigate risks along the value chain
- Detecting and responding to security incidents across vehicle fleet
- Providing safe and secure software updates and ensuring vehicle safety is not compromised, introducing a legal basis for over-the-air updates to on-board vehicle software.
In the European Union, the new cybersecurity regulation will be mandatory for all new vehicle types from July 2022 and for all new vehicles produced from July 2024. Other countries such as South Korea and Japan also want to adopt the regulation.
The Future of Automotive Cybersecurity
Due to increasing cyberattacks on vehicles and more risk, the industry needs standard procedures and international regulations for automotive cybersecurity.
Ultimately, automakers in the affected countries will need to become compliant with the new UNECE standards and change the way they work. The ISO 21434 standard is intended to make the process of becoming compliant more transparent and sets the foundation to achieve overall standardization. Technological changes within the automotive industry are complex. Many automakers will need to align their connected car data security practices with international regulations and standards. The earlier they start preparing, the better chance they will have to implement the necessary changes to comply with the new regulations and standards.
