Cybersecurity Firm Enlists AI in Battle as Threats Increase

Upstream Security says its analysts can now access a generative AI partner to remediate security threats as hackers use AI to create new attacks.

Shira Sarid-Hausirer, Upstream’s VP of Marketing, stressed that the mobility cybersecurity industry is at an inflection point due to the increasing frequency and impact of cyber attacks. (Upstream)

Following its annual report detailing the growing cybersecurity threats to vehicles, fleets, and the networks they rely on, Upstream Security announced the launch of a generative AI tool to enhance its ability to reduce the risk posed by global threats.

Upstream founder Yoav Levy says the company’s new AI tool was a natural response to hackers leveraging AI to produce more creative attacks, more frequently. (Upstream)

Israel-based Upstream, which has a vehicle security operations center (VSOC) in Ann Arbor, Mich., monitors millions of connected vehicles and Internet of Things (IoT) devices and billions of API transactions monthly. Ocean AI is built into the company’s detection and response platform, called M-XDR, enabling its analysts, as well as those from OEMs and IoT vendors, to efficiently detect threat patterns and automate investigations before prioritizing a response.

Hackers are launching attacks faster than even a few years ago. (Upstream)

The AI allows users to ask natural-language questions about the vast data sets generated by connected vehicles, various onboard security and infotainment systems, charging networks, individual terminals, and more.

Upstream founder and CEO Yoav Levy said at a media event in Ann Arbor that AI is a response to hackers’ increasing use of generative AI. These hackers can identify and exploit vulnerabilities faster than ever and against entire fleets of vehicles. “This calls for a new mindset for the entire automotive and smart mobility ecosystem,” he said.

In 2023, attacks against large numbers of targets proliferated. (Upstream)

Orit Gross, Upstream’s senior director of product, said that its VSOC teams analyze up to thousands of alerts daily across large fleets and from the entire ecosystem, which includes vehicle data, telematics, API traffic, IoT data and more. “Ocean AI helps dramatically reduce the complexity of investigations and time-to-remediation.”

The M-XDR’s primary responsibilities are:

  • Risk analysis: Using live and historical data to identify patterns and anomalies.

  • Alert filtering and prioritization: This tracks the severity of alerts, including detecting sudden surges in high-security alerts. That’s key for prioritizing responses, such as dealing with an unauthorized over-the-air software update with more urgency than an item affecting a single vehicle, such as an unlock-door request from an unusual IP address.

  • Investigation and automation: As more is learned about particular threats, the AI can help build and trigger automated responses, decreasing the time between event detection and reaching secure status.

Responses to detected threats and attacks can come directly from Upstream or be handled by the OEMs or network operators, depending on the contract. “Our work is largely collaborative,” Levy said during a previously held tour of the Ann Arbor VSOC. He said that includes sharing intelligence with the security community at large when warranted.

A bracing state-of-cybersecurity report

The announcement follows the release of Upstream’s sobering assessment of the state of vehicle cybersecurity, from which the two biggest takeaways were:

  • Organized hackers are generally moving from attacking individual vehicles or IoT points (like chargers) to attempting large-scale attacks on fleets and networks.

  • The potential cost of cyberattacks to the automotive and smart-mobility ecosystem now reaches hundreds of millions of dollars a year, and it’s growing.

The hackers are moving to attacks at scale and going for impact: The report asserts that in 2023, 65% of deep- and dark-web cyber activities “had the potential to impact thousands of millions of mobility assets.” The targets of these black-hat hackers and fraud operators can be broken down as follows:

  • 49% were vulnerability exploits.

  • 19.3% targeted diagnostic software.

  • 12.5% took control of vehicle manipulation tools.

  • 6.7% spent their time creating instructional guides to hacking vehicles.

As for potential cost, the report mentioned the attack on Taiwan Semiconductor Manufacturing Co., which disclosed that one of its suppliers was hit with a $70 million ransomware attack, the largest such ransom demand in history. TSMC officials said business operations were not affected, but they stopped exchanging data with the supplier.

During a briefing previewing the report, Shira Sarid-Hausirer, Upstream’s VP of marketing, laid out the changing threat by focusing not on attack volume but on impact. “It’s time to fasten your seatbelt,” she said. “This year, the numbers have completely changed. Nearly 50 percent of incidents have the potential to inflict damage on thousands to millions of assets. If you just look at the really dramatic incidents, we more than doubled from 2% to 5%. What we consider high impact has doubled from 20-ish to almost 45%.”

As an example of impact, she cited a 2023 ransomware attack on a long-haul trucking fleet with more than 1,000 vehicles. The attack struck at the company’s business software and shut down everything from driver time-logging — really important for regulatory compliance — to software that managed logistics and employee management. “It took the company three weeks to fully recover once the event was over,” she said.

The report also foreshadowed the development of Ocean AI a bit, when it discussed hackers’ use of generative AI. “By using GenAI to simulate attack environments, cybersecurity faces an additional challenge, as it leads to more unpredictable and sophisticated attacks, increasing the difficulty of detection,” the report said.

Targets aren’t only cars

The industry does know and generally understands the looming threats. During a February SAE webinar discussing “Cybersecurity in the Air and on the Ground,” the founder of another cybersecurity firm ominously said it’s not just wheeled vehicles that are under attack.

Aharon David, cofounder and chief white-hat officer of Afuzion, an Israeli security firm, serves on the SAE G-32 Cyber Physical Systems Committee. He said that when including both ground and aviation vehicles, the target of cyber threats has moved well beyond data and information.

“This is not like the popular perception — the one that you see in movies — that have cyber attacks going for information, and the worst thing you can have is lost information or have your information exposed,” David said. “With cyber-physical systems, the odds are much steeper. You may lose your life, you may lose your system, you may lose some critical equipment like an airplane or a power station, like, not just one car in the case of ground vehicles, but a whole lot of cars.”

A larger portion of attacks in 2023 were categorized as potentially having high or massive impact. (Upstream)

Upstream VP for Market Development Giuseppe Serio said heavy trucks and agricultural machinery could also be a target. “If we look at, for instance, agriculture or heavy truck machines, there is (and will be) a lot more automation. So there’s probably not so many risks related to safety, but more to business continuity and operation.”

David also said the complexity of the problems is growing daily and cited airports as an example. “It’s in the complexity of it,” he said. “And it’s a huge miracle that we have not been hit harder yet. And I hope it’s not going to happen anytime soon. And I hope we advance fast enough with our regulations and methodologies.”

Vectors of cyber attacks, against large networks and large fleets, also showed the shift away from attacks involving only one or just a few vehicles. (Upstream)

What’s one big thing getting in the way of solutions? David said it’s the way many executives perceive risk. “There is a lot of gray, and our cyber adversaries thrive in the shadows.” He said executives need to understand that security planning is about planning for the next attack, not necessarily the previous one. “The worst issue is the one that hasn’t happened yet,” he said. “[The term] ‘likelihood’ is for executive games. Human factors cannot be reduced to probabilities and statistics,” he said. “Where there is a will, there’s a way.”

The Upstream cybersecurity report is available online: Upstream’s 2024 Global Automotive Cybersecurity Report