Repairer Driven News

Vehicles & medical devices: OEMs criticized for lack of cyber protection


Corporate Compliance Insights (CCI) is warning of cybersecurity risks associated with vehicles and medical devices — both of which it says can be easily hacked.

CCI’s article highlights four cases:

    • Bluetooth vulnerabilities that exposed millions of vehicle users to cyberattacks;
    • A 19-year-old’s remote infiltration of 25 Tesla vehicles in 13 countries;
    • Researchers' hacking of Medtronic insulin pumps to prove their security vulnerabilities; and
    • A security vulnerability in Abbott pacemakers that could have been used to drain their batteries and that led to an FDA recall.

CCI contends that automotive and medical device OEMs haven’t done enough to “proactively harden their products and improve their security posture against cyber risks.”

The result? Regulators have taken action worldwide, including in the U.S. and China, and through the United Nations Economic Commission for Europe, the International Organization for Standardization (ISO), and SAE International.

In automotive, that includes ISO/SAE 21434, used to adhere to the UN’s R155 regulation. R155 contains regulations agreed upon by the UN for wheeled vehicles and for equipment and parts that can be fitted and/or used on wheeled vehicles.

ISO/SAE 21434 was added last year on top of ISO 26262 to address the “cybersecurity perspective in engineering of electrical and electronic (E/E) systems within road vehicles,” according to ISO, and “will help manufacturers keep abreast of changing technologies and cyber-attack methods, and defines the vocabulary, objectives, requirements, and guidelines related to cybersecurity engineering for a common understanding throughout the supply chain.”

ISO 26262 Functional Safety Standard applies to electrical and electronic systems in production vehicles. It requires the development of systems according to all technical and scientific aspects of functional safety.

The overall similarities among the regulations from all the organizations listed above are proof that cyber attack prevention mechanisms, including security patches, are in place, CCI wrote.

Probably the biggest debate right now in the automotive and collision repair industries over cybersecurity is access to telematics data and how it’s used.

Last year, a security engineer uncovered security vulnerabilities in Honda, Acura, Nissan, and Infiniti vehicles by hacking the website of one company that manages telematics functionality for those OEMs and seven others.

The findings seemingly support concerns raised by the Alliance for Automotive Innovation (Auto Innovators) over efforts by the aftermarket to pass “right to repair (R2R)” initiatives that would force OEMs to standardize access to sensitive vehicle data.

Repairers should also keep in mind that replacement software-based controllers, such as cameras and sensors, need to be properly installed and calibrated to mitigate cyber risks in vehicles.

In its 2022 “Cybersecurity Best Practices for the Safety of Modern Vehicles” document, the National Highway Traffic Safety Administration (NHTSA) said automakers should “provide strong vehicle cybersecurity protections that do not unduly restrict access by alternative third-party repair services authorized by the vehicle owner.”

“NHTSA recognizes the balance between third party serviceability and cybersecurity is not necessarily easy to achieve. However, cybersecurity should not become a reason to justify limiting serviceability. Similarly, serviceability should not limit strong cybersecurity controls.”

Of course, with vehicle cyber risks come repair shop risks as well.

In a webinar hosted earlier this month by PropertyCasualty360, Moody’s RMS Global Head of Analytical Services Alok Kumar and Model and Product Specialist Bethany Vohlers covered the increasing need for cyber insurance and recommended best practices for underwriters in covering losses.

It’s a business risk that Shaughn Kennedy, SPARK Underwriters co-founder and vehicle specialty market underwriter, previously told Repairer Driven News is often overlooked. In the collision shop space, most cyber activities deal with bad players trying to hold systems hostage for ransom, he said.


Featured image credit: Urupong/iStock

More information

In-vehicle subscriptions: Consumer interest remains low & skeptical of data security

CIC Committee Presentation: 86% of all quoted collision repair data could be available for sale

CIECA, Datatouch provide tips on PII protection, encourage shops to move away from EMS exports
