Key Automotive Standards Required to Address Mounting Cybersecurity Challenges

The increased penetration rate of digitized automotive systems and connected vehicles over the past decade has given rise to an entirely new array of cyberattacks and threat vectors. This emerging threat horizon has caught even major car manufacturers, service enablers, and connectivity providers off guard, and they are now being called to deal with these new attack vectors that target not only secondary automotive applications (e.g., infotainment and navigation) but also primary critical functions related to vehicle performance, system, data and network security, and, most importantly of all, driver and passenger safety.

ABI Research posits that while major car manufacturers, service enablers, and software developers are making strides toward developing truly impressive applications, cybersecurity operations are being left behind and addressed reactively, usually following a security incident. This is due to three primary reasons:

1. The focus that other non-security related technologies continue to amass
2. The nascent and fragmented nature of cybersecurity offerings in the automtoive market
3. The lack of proper standardization and regulatory oversight in connected car systems

Naturally, the spotlight falls on more Artificial Intelligence (AI) and user-centric solutions, which is to be expected. After all, it was way more eye-catching for the public to read about new developments in AI technologies in the connected car than the discussion of compliance requirements for Over-the-Air (OTA) security updates. However, this fact alone should not put related organizations off track regarding cybersecurity advancements. Even non-automotive firms have also entered the fray with truly innovative solutions focusing on AI, Machine Learning (ML), and autonomous driving, such as Nvidia’s partnerships with major car Original Equipment Manufacturers (OEMs) like Mercedes Benz and Toyota.

While most car-focused companies could pinpoint some key future trends in the automotive market dealing with machine vision, virtual assistants, and AI, not many are aware of cybersecurity threats. Many of these threats are not limited to simple nuisances and cannot simply be fixed with a new patch like many in the automotive industry erroneously assume. After examining a wide spectrum of regulatory standards, compliance requirements, and recommendations from industry and regulatory entities including the National Institute of Standards and Technology (NIST), the European Union Agency for Cybersecurity (ENISA), the European Telecommunications Standards Institute (ETSI), and the International Organization for Standardization (ISO), ABI Research has examined extensive lists of prevalent threat vectors that still manage to elude the attention of automotive players. Some of these threats include the following:

• System Shutdown: Distributed Denial of Service (DDoS) attacks to flood the system with unnecessary requests or forcing it to download the same patch over and over again, causing a memory failure.
• OTA Disruption: Taking control of or disrupting security Over-the-Air (OTA) updates, or even forcing different parts of the system to continuously update different sections with incompatible versions of software.
• Communication Hijacking: Making use of Man-in-the-Middle (MiTM) attacks to eavesdrop or even hijacking communications and reverse engineering security information in order to develop better hacking tools to target specific systems, applications, automotive Electronic Control Units (ECUs), or Operating Systems (OSs)— which can be highly versatile when used against some automotive versions of Linux and Windows—etc.
• Assume Control of ECUs: Bypassing encryption and security elements (which are sometimes virtually non-existent) in order to control automotive ECUs and assume control of the critical functions of the vehicle.
• Erroneous User Behavior: Oftentimes users may cause inoperable damage to car systems by using pirated software versions; attempts to tamper with Digital Rights Management (DRM) components in order to gain access behind paid services and sometimes even system maintenance by software engineers in garages making use of unlicensed software can infect car systems with malware (unbeknownst to users).

ABI Research highly recommends that organizations in the automotive market better familiarize themselves with cybersecurity regulations and compliance requirements depending on their target applications, communication protocols, technology restrictions, and threat vectors. Below follows a small but important fraction of cybersecurity standards, guides, and protocols based on the threats listed in the previous section.

ABI Research suggests further examination of the following documents:

• Regarding securing OTA updates, both the 2018 draft recommendation and 2019 overview of the “Recommendation on Software Update Processes” (an initiative of the United Nations Economic Commission for Europe) can prove quite relevant to organizations.
• The “ENISA Cyber Security and Resilience of Smart Cars” provides a well-rounded cybersecurity approach covering both hardware and software components while also addressing MitM, user-prone attacks, and Advanced Persistent Threats (APTs) in automotive.
• Since the crushing majority of the Internet of Things (IoT)-connected world (including connected vehicles) continues to ignore proper encryption and encryption key lifecycle management procedures, ABI Research suggests at the very least to revisit the X.509 and its related standards (many sources have additional description on more X.509 features but the Network Working group offers an extensive description).
• For organizations wishing to address cyber-threats at a deeper level with architectural-focused implementations, the ETSI EN 303 613 standard for Intelligent Transport Systems (ITS) with its introduction of the LTE-Vehicle-to-Everything (V2X) access layer specification can prove very useful, as can be read in this 2019 draft.
• Finally, for players wishing to further their understanding of LTE-focused cybersecurity operations, ABI Research suggests NIST’s “SP 800-187 Guide to LTE Security” (2017) as well as the GSMA’s Embedded Subscriber Identity Module (eSIM).