Automotive Cybersecurity Needs Serious Work

Annual report from security software and services company BlackBerry indicates the auto industry faces cyber challenges.

BlackBerry’s Network Operations Center in Waterloo, Ontario, Canada. (BlackBerry)

According to the BlackBerry 2021 Threat Report , which looks at cybersecurity threats of all types on a global basis, “modern automobiles are effectively insecure networks.” The authors point out that because there are as many as 100 compute components from various vendors on a vehicle, achieving common cybersecurity criteria is exceedingly difficult.

What’s more, they say an estimated 280 million vehicles globally are connected to the internet, and consequently, “Securing vehicles from cyber threats becomes increasingly difficult with every additional network connection, electronic component, and software-driven system.”

Among the issues identified in the 2021 report are:

  • Electronic control unit (ECU) takeovers that affect vehicle systems (brakes, steering, powertrain)
  • Vehicle compromise through paired smartphones (current or previous owners’)
  • Vehicle-to-everything (V2X) and vehicle-to-vehicle (V2V) communications vulnerabilities
  • Reliance on network connectivity for vehicle functionality

One effort that the authors note is working to address these issues, is the cybersecurity regulation put into place on June 25, 2020, by the United Nations Economic Commission for Europe (UNECE), WP.29. While the regulation doesn’t tell automakers how to secure their vehicles, it does outline actions that must be done.

The recommendations include making efforts to manage risks, detecting and responding to cybersecurity threats across feels, designing secure systems across the supply chain, and providing secure software updates for on-board systems for the life of the vehicle. UNECE WP.29 is supported by several European Union countries, China, Japan and Korea. WP.29-compliance is not required until July 2024.

The report’s authors say that ISO SAE 21434 provides implementation information for engineering the electrical and electronic (E/E) systems from the cybersecurity perspective for vehicles, including the participants in the supply chain. But because of the timing of UNECE WP.29, the authors aren’t optimistic about the situation between now and then. “This delay leaves threat actors years to operate in the largely unregulated and insecure space of connected vehicles,” the authors warn.