The following op-ed first appeared in Newsweek on October 9, 2023.
As our society transforms into a more connected world, an essential component of this shift is the need for safe and secure driving experiences on our roads. The recent hacking of a Tesla in under two minutes by French security firm Synacktiv demonstrates how serious a concern this is: attackers were able to breach the cyber controls of the vehicle to carry out a number of malicious acts, including opening the trunk of the vehicle while in motion and accessing the infotainment system.
As more connected and autonomous vehicles (CAVs) and electric vehicles (EVs) hit the market, it is clear that manufacturing speed is outpacing security measures. The cybersecurity of vehicles is often overlooked in the auto rollout, even though the connected nature of modern vehicles makes them susceptible to hacking and other cyber challenges.
The cybersecurity of a vehicle is vital; without it, serious injuries or even fatalities can occur. Imagine the above Tesla scenario but worse: a hacker takes control of the car and locks the doors while speeding up the vehicle on a highway. The driver or passenger of the car then gets a notification on their mobile phone demanding a ransom in bitcoin, or else the hacker will crash the vehicle into the side of the road.
This is an extreme scenario, but such a Ransomware 2.0 incident is possible today. The big question is: are we ready to enable incident management for such auto cyber challenges?
Another complicated part of this challenge is that the cyber risk is carried by the owner or operator of either individual vehicles or perhaps an entire EV fleet. The fleet could be made up of cars, buses, or trucks, and the necessary cybersecurity controls must be in place to enable greater cyber hygiene of these vehicles.
As EVs are computers on wheels, the potential for a distributed denial of service (DDoS) attack on multiple vehicles could disable an entire fleet of vehicles on our roads. Imagine hundreds of delivery or critical service vehicles out of service and those potential repercussions.
Fleets also depend on other critical systems to work. An Idaho hospital cyberattack earlier this year, where ambulances were diverted to other hospitals, demonstrates just how important it is to secure the entire vehicle ecosystem and not just the vehicle itself. This attack also allows us to imagine how serious it would be if the reverse scenario were true: what if the ambulance fleet itself was rendered inoperable?
If that’s not enough, think about the fragile state of our current supply chain and all the issues it has faced since the pandemic. Now imagine if a cyberattack caused an entire delivery fleet to stall. The supply chain and transportation infrastructure would be totally crippled, leading to major economic disruptions.
It is important to highlight that these cyber challenges multiply as trucking fleets move to autonomous trucks, and they raise questions around legal liability in case of any cyber incident.
Data collection cannot be overlooked either. CAV and EV data is rich in personally identifiable information (PII) and might also contain other sensitive information such as payment card information or commercial data (such as fleet tracking and performance). Data governance regulations need to be implemented to secure the transmission and storage of this data to ensure privacy and compliance with legal and contractual obligations.
Although there are generic cybersecurity mandates in many countries, jurisdictions must enact automotive-specific cybersecurity legislation for cars operating on our roads. Countries are actively exploring the best ways to move forward with vehicle regulation. There has been emphasis on ensuring automotive manufacturers enable cybersecurity in all future models; however, with regard to the operation of EVs, policies and best practices are still slowly being developed and legislated.
One area where more focus is needed is the owner/operator perspective, both for individual users and for fleet owners. As consumers, we are concerned about the safety features of our new vehicle, but we do not ask any questions about the cybersecurity level of the car. Ordinary consumers need to be made aware of how critical cybersecurity is to the smooth operation of the modern vehicle.
Fleet owners need to ensure they have effective cyber controls in place. They should have an asset inventory of all the software on their vehicles and ensure that they are aware of vulnerabilities and breaches for these software applications. Furthermore, they should carry out active cyber risk assessments for any third parties that develop vehicle software.
Finally, they must carry out real-time cyber monitoring of the vehicles and ensure that incident management processes are in place to mitigate any adverse cyber events. Only by proactively enabling this holistic cyber governance can these fleet owners survive in this brave new connected world.
AJ Khan is the founder and CEO of Vehiqilla Inc and a Catalyst Industry Fellow at Rogers Cybersecure Catalyst, Toronto Metropolitan University’s center for research, training, and innovation in cybersecurity.