The average electric vehicle (EV) has upwards of 3,000 chips, more than double that of a non-electric vehicle, and the rising number of chips not only adds to the complexity of the vehicle but the associated cyber risk, according to cybersecurity firm Cycuity.
Cycuity Vice President of Engineering Mitchell Mlinar told Repairer Driven News the solution is to add more security to broader attack surfaces, that being the points in a software environment in which an unauthorized user can try to enter data to or extract data from an environment. Attack surfaces have broadened as wireless and Bluetooth technologies become more commonplace.
“You now have another exposure surface here that wasn’t even there whereby someone can actually access your system while it’s actually on the road even because that system doesn’t care whether it’s sitting at home or on the road,” Mlinar said. “You have much more opportunity to exploit any vulnerabilities that exist in the software or hardware that exists to the vehicle.”
The vast number of chips and sensors added to cars and related infrastructure today has led to a Ford Mustang that can’t be tuned by a third party, hackable EV charging stations, a higher risk of theft, and a higher likelihood for recalls, according to Cycuity.
New security standards, such as ISO21434, are used to extend safety and security of new high-tech vehicles on top of the previous ISO26262, Mlinar said. ISO26262 “addresses possible hazards caused by malfunctioning behaviour of [electrical and/or electronic] E/E safety-related systems, including interaction of these systems,” according to ISO, and “does not address hazards related to electric shock, fire, smoke, heat, radiation, toxicity, flammability, reactivity, corrosion, release of energy and similar hazards, unless directly caused by malfunctioning behaviour of E/E safety-related systems.”
ISO/SAE 21434 “addresses the cybersecurity perspective in engineering of electrical and electronic (E/E) systems within road vehicles,” according to ISO, and “will help manufacturers keep abreast of changing technologies and cyber-attack methods, and defines the vocabulary, objectives, requirements, and guidelines related to cybersecurity engineering for a common understanding throughout the supply chain.”
“This is where you’re going to see the evolution and because there’ll be regulations on this stuff but also companies want to have things that are more secure they’ll be following. What it means for repair is that cost could go up,” Mlinar said.
For example, if a module in a vehicle’s system that interacts with the entertainment system needs to be replaced if a software update doesn’t fix a defect.
“Dealers or even private consumers need to get them and install them and that takes time. That’s where the cybersecurity and the future could increase the cost potentially of a repair of your car,” Mlinar said. “Because if there’s these issues, these vulnerabilities that exist, an exploit that happens that needs to get fixed, you’re going to be scrambling trying to do that.”
OEMs, he added, are paying attention to ISO standards and are making the effort with tools, such as those offered by Cycuity, when they’re designing and creating chips to ensure, as much as possible, that they don’t have vulnerabilities.
Cybersecurity rose out of necessity to protect these systems and the information contained within them, according to the National Highway Traffic Safety Administration (NHTSA), and when applied to vehicles, “takes on an even more important role: systems and components that govern safety must be protected from harmful attacks, unauthorized access, damage, or anything else that might interfere with safety functions.”
“Increasingly, today’s vehicles feature driver assistance technologies, such as forward collision warning, automatic emergency braking, and vehicle safety communications,” NHTSA states on its website. “In the future, the deployment of driver assistance technologies may result in avoiding crashes altogether, particularly crashes attributed to human drivers’ choices. Given the potential safety benefits these innovations enable, NHTSA is exploring the full spectrum of its tools and resources to ensure these technologies are deployed safely, expeditiously, and effectively, taking steps to address the challenges they pose, including cybersecurity.”
NHTSA has adopted a “multi-faceted research approach” that leverages the National Institute of Standards and Technology Cybersecurity Framework and encourages the automotive industry “to adopt practices that improve the cybersecurity posture of their vehicles in the United States.”
In a September release titled “Cybersecurity Best Practices for the Safety of Modern Vehicles,” NHTSA says best practices start with a layered approach to vehicle cybersecurity in which “some vehicle systems could be compromised, reduces the probability of an attack’s success, and mitigates the ramifications of unauthorized vehicle system access.”
Best practices include:
- “Risk-based prioritized identification and protection of safety-critical vehicle control systems;
- “Elimination of sources of risks to safety-critical vehicle control systems where possible and feasible;
- “Provision for timely detection and rapid response to potential vehicle cybersecurity incidents in the field;
- “Design-in methods and processes to facilitate rapid recovery from incidents when they occur; and
- “Institutionalize methods for accelerated adoption of lessons learned, such as vulnerability sharing, across the industry through effective information sharing.”
Automotive industry professionals have talked about ensuring customers’ information isn’t stolen from shop computers and networks, but what about making sure vehicles leave shops after collision repairs with the same cybersecurity they had pre-collision? First and foremost, when VIN decoding, Collision Advice CEO Mike Anderson and Database Enhancement Gateway (DEG) Administrator Danny Gredinberg say repairers need to use scan tools to see build data to know what computers and other options are on each vehicle.
And Tal Ben-David, R&D vice president and co-founder of Karamba Security, previously told RDN what’s important for collision repairers to know is that most damaged software-based controllers, which can include cameras and sensors, that are managing functions in the vehicle likely have to be replaced rather than repaired, according to OEM procedures.
Featured image credit: kaptnali/iStock