Importance of Product Cybersecurity in the automotive industry

-Jaidev Venkataraman, Head of Engineering - Sensorics, Advanced Driver Assistance Systems (ADAS) business unit, Continental Automotive Components India (Pvt) Ltd.


Technological advancements are being integrated into all aspects of daily life. With increasing high-speed internet penetration in India, the number of connected devices in Indian households is also growing consistently. As per a report published by Statista in 2021, there were approximately 250 million Internet of Things (IoT) connected devices in India in 2019. We can expect this number to reach over two billion by 2021.

Connectivity has also entered the vehicle of today, and with the introduction of 5G in India, the number of connected vehicles is bound to increase. The Indian connected vehicle market is now growing at an exponential rate, driven primarily by consumer demand. As per Markets and Markets, the Indian connected car market will reach $32.5 billion by 2025.

While connected mobility has opened doors for further innovation and is crucial for the transformation towards autonomous vehicles, it has also opened doors for threats and vulnerabilities.

Cybercriminals continue to target businesses, essential infrastructure, and governments in practically every sector and industry throughout the world. Nearly 1.16 million cases of cyberattacks were reported in India in 2020, more than 20 times the figure for 2016, according to government data presented in the Parliament earlier this year.

Dealing with the fallout of a cyberattack can be extremely expensive for companies. According to the Ninth Annual Cost of Cybercrime Study from Accenture and the Ponemon Institute, the average cost of cybercrime for an organization has increased by $1.4 million over the last year to $13.0 million.

With the increasing number of connectivity elements in a vehicle, the various components within the vehicle become vulnerable to cyberattacks. The well-being of the driver, passengers, other vehicles’ passengers, and pedestrians on the road can be at risk.

Automotive Cybersecurity: The Need

Present-day automobiles include more than 100 electronic control units (ECUs) and over 100 million lines of software code. The figure is expected to increase further in the coming years. Because these modern-day vehicles depend on computer systems to monitor and control the multiple systems present within them, a loophole in even one of the components within a vehicle could enable hackers to steal data.

The connectivity elements in a vehicle, such as infotainment systems and more, also collate substantial amounts of personal information, which hackers can access.

Hackers can even issue commands to a vehicle that override the driver’s commands and control the functioning of the vehicle’s systems. For instance, they can gain access to various connected devices, vehicle sensors, etc., and cause them to malfunction. They also have the potential to manipulate the working of the steering, brakes, and engine.

In consideration of the above challenges, the primary step would be securing individual components / systems.

Product cybersecurity is a critical component in today’s automotive industry.

Earlier, the industry conducted safety engineering to protect the environment from malfunctions of the vehicular systems. But today, the tables have turned. The systems need protection from the environment.

The protection of a system is achieved by securing its memory, booting applications, communication interfaces, supporting infrastructure, and online trust centers for crypto-key storage. Along with this, a penetration test lab that continuously monitors for vulnerabilities is also made available.

To tackle cybersecurity challenges, engineers and designers can use the following approach:

  1. First, securing the individual electronic components that act like mini computers and control all of the vehicle’s activities.
  2. Second, securing the communication between these various components that together make up the vehicle’s complete system.
  3. Third, securing the multiple interfaces present between the car and the external environment.
  4. Fourth, securing data processing and transfer outside of the vehicle, including the cloud and back end.

It is critical to secure components connected to the external and in-vehicle networks. If compromised, they can transfer harmful code to ECUs and nodes. Attackers can acquire control of vehicle systems by exploiting weak spots in the Telematic Control Unit (TCU), In-vehicle Infotainment (IVI), etc.

However, thanks to the advancements in Machine Learning, a Controller Area Network (CAN) Bus Anomaly Detection can function as a sensor that monitors, senses, and reports anomalies in real-time.
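The kind of check such a CAN bus sensor performs, as an added example that is not from the original article: it swaps the machine-learning model for a simple learned timing baseline per CAN ID and reports frames that arrive too fast, too slow, or with an ID never seen before. The CAN IDs, message rates and the 50% tolerance are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean

def learn_periods(frames):
    """Learn the mean inter-arrival gap per CAN ID from known-good traffic."""
    last, gaps = {}, defaultdict(list)
    for ts, can_id in frames:
        if can_id in last:
            gaps[can_id].append(ts - last[can_id])
        last[can_id] = ts
    return {can_id: mean(g) for can_id, g in gaps.items()}

def detect(frames, periods, tolerance=0.5):
    """Return (timestamp_ms, can_id, reason) for every frame that breaks the baseline."""
    last, alerts = {}, []
    for ts, can_id in frames:
        if can_id not in periods:
            alerts.append((ts, can_id, "unknown-id"))
            continue
        if can_id in last:
            gap, expected = ts - last[can_id], periods[can_id]
            if gap < expected * (1 - tolerance):
                alerts.append((ts, can_id, "too-fast"))
            elif gap > expected * (1 + tolerance):
                alerts.append((ts, can_id, "too-slow"))
        last[can_id] = ts
    return alerts

# Constructed sample data: (timestamp in ms, CAN ID). IDs and rates are made up.
BASELINE = sorted([(t, 0x0C4) for t in range(0, 500, 10)] +
                  [(t, 0x1A0) for t in range(0, 500, 100)])
LIVE = [(0, 0x0C4), (0, 0x1A0), (10, 0x0C4), (20, 0x0C4), (30, 0x0C4),
        (32, 0x0C4),               # extra frame between two periodic ones
        (40, 0x0C4), (45, 0x555),  # ID never seen in the baseline
        (50, 0x0C4), (100, 0x1A0),
        (400, 0x1A0)]              # two expected frames missing before this one

def run_demo():
    return detect(LIVE, learn_periods(BASELINE))

if __name__ == "__main__":
    for ts, can_id, reason in run_demo():
        print(f"{ts:>4} ms  id=0x{can_id:03X}  {reason}")
```
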

The communication between devices in the car, and between the car and the original creator/owner, needs to be encrypted. Further security steps to consider are authenticating devices, so that the vehicle’s systems only take commands from authorized devices, and authenticating software updates using code signing certificates, so that the manufacturer is the only one who can push updates to the vehicle.
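How a receiving unit can accept commands only from authorized devices, as an added example that is not from the original article: each message carries a counter and a truncated HMAC-SHA256 tag under a key shared with the sender, so forged, altered and replayed messages are rejected. The message layout, tag length, key and CAN ID are constructed assumptions, and the example covers device authentication only, not code signing of updates.

```python
import hashlib
import hmac
import struct

MAC_LEN = 8   # truncated tag length in bytes (assumption for this example)
HDR_LEN = 12  # 4-byte CAN ID + 8-byte freshness counter

def protect(key, can_id, counter, payload):
    """Sender side: header || payload || truncated HMAC over header and payload."""
    header = struct.pack(">IQ", can_id, counter)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:MAC_LEN]
    return header + payload + tag

class Receiver:
    def __init__(self, keys):
        self.keys = keys        # {can_id: key}, provisioned per authorized sender
        self.last_counter = {}  # highest counter accepted so far, per CAN ID

    def accept(self, message):
        """Return (status, payload); payload is None unless status is 'accepted'."""
        if len(message) < HDR_LEN + MAC_LEN:
            return ("malformed", None)
        header, tag = message[:HDR_LEN], message[-MAC_LEN:]
        payload = message[HDR_LEN:-MAC_LEN]
        can_id, counter = struct.unpack(">IQ", header)
        key = self.keys.get(can_id)
        if key is None:
            return ("unknown-sender", None)
        expected = hmac.new(key, header + payload, hashlib.sha256).digest()[:MAC_LEN]
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return ("bad-mac", None)
        if counter <= self.last_counter.get(can_id, -1):
            return ("replay", None)  # a valid tag on an old counter is still rejected
        self.last_counter[can_id] = counter
        return ("accepted", payload)

# Constructed demo values: the key and CAN ID are placeholders, not real ones.
DEMO_KEY = b"constructed-demo-key"
DEMO_ID = 0x123

if __name__ == "__main__":
    rx = Receiver({DEMO_ID: DEMO_KEY})
    msg = protect(DEMO_KEY, DEMO_ID, 1, b"\x01")
    print(rx.accept(msg))  # first delivery
    print(rx.accept(msg))  # same bytes delivered again
```
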

As mentioned, the increased reliance on software in automotive development, combined with the increasing complexity of architecture and software, places greater strain on software development processes than ever before. Thus, security processes need to be implemented in the software development processes and the product and system design. DevSecOps practices ensure that developers are using coding practices that are less vulnerable to attacks.

Instead of taking a reactive approach, a more proactive approach must be taken, i.e., security experts need to ‘shift left’. The shift-left approach shifts security responsibilities to those creating software and moves security to the beginning of the process.

Additionally, continuous inspection of all lines of code for risk identification and resolution in real-time is a crucial requirement. The industry also needs a method to interact with its static code analysis tools so that coding standard violations can be handled as the code changes.

However, this does not replace system monitoring and patch management. To ensure the components are continually updated with the latest security updates, over-the-air updates are required. This solution ensures that millions of cars can be instantly upgraded to the latest security level without visiting the auto repair shop. This is also an essential requirement for the industry’s shared “Vision Zero” – a future with Zero Fatalities. Zero Injuries. Zero Crashes.

The way forward

The challenge we face today, as an industry, is a lack of standardization. Standardization is crucial in shaping cybersecurity practices of the future. As an industry, we also need to move towards an information-sharing ecosystem – share information and best practices with peers. As they say, one person’s detection can become another person’s prevention. Another step that could be transformative would be the introduction of AI and predictive modeling. It is accelerating instant detection and response, improving the communication of risks to the business, and providing a better understanding of cybersecurity’s situational awareness.