Cyber security experts tasked with securing large corporate fleets of connected vehicles face a daunting challenge. While it’s relatively easy to secure small fleets, the technology does not scale well to larger ones. For example, facial and vehicle recognition software work well in smaller fleets, but are much more expensive in fleets with a large number of vehicles.
Additionally, connected vehicle manufacturers often rely on third-party contractors for their hardware and software, and hackers can easily use these as backdoors. While there can be multiple entry points for such attacks, the most common type comes from smartphone apps. Drivers use these apps to communicate with their vehicles. However, most are not secure, and hackers can easily break into them.
In addition to more common types of hacking, cyber security experts who oversee large connected vehicle fleets have to worry about the diversity and scale of such attacks. Not only has there been a massive rise in cyber security attacks (a 605% rise in 2019 when compared to 2016), the motives behind them have also grown. This includes theft (31%), manipulating vehicle systems (27%), and data and security attacks (23%). The number of connected vehicle fleets is also growing. According to Upstream Auto’s 2020 CES presentation, 55% of North American trucks and 43% of European trucks will be connected in the next four years. In 2020, three of the best-selling U.S. vehicle manufacturers sold connected vehicles only, and by 2023, 775 million vehicles are expected to be connected. As a result, a majority of corporate fleets will consist of connected vehicles in just a few years.
Cyber security experts charged with overseeing large fleets may have little control over the hardware used, but there are steps they can take to reduce potential attacks. For example, they can analyze which aspects of their infrastructure they can control, and determine how to integrate those aspects with their fleets. Also, they can ensure they are responsibly retaining data within all their vehicles, including the suit of cloud-native application management, as well as the system that stores employees’ authentication details.
Massachusetts Voters Pass “Right-to-Repair” Referendum
As vehicles become more connected, governments have taken steps to regulate them. As discussed in previous posts, these efforts mainly include the United Nations Economic Commission for Europe (UNECE) automotive cyber security requirements, which will affect vehicles manufacturers in Europe, Japan, and South Korea. While the U.S. has not imposed specific regulations, the SELF DRIVE ACT does require manufacturers to create a policy around how they would respond to cyber attacks for vehicles that are highly automated.
Recently, voters in the U.S. state of Massachusetts passed a “right-to-repair” referendum that affects data in connected vehicles. Currently, the state’s automotive “right-to-repair” law, passed in 2013, grants independent mechanics the same access as dealers to vehicle data that’s used to diagnose and fix problems. The referendum, which is being challenged by a coalition of vehicle makers in federal court, would update the 2013 law to include over-the-air telematics data (real-time updates from a vehicle’s sensors to a vehicle manufacturer’s private servers) to other kinds of data that original equipment manufacturer’s must share with mechanics.
If the referendum becomes law, automakers who want to sell cars in Massachusetts will need to allow the telematics data to be available through a smartphone app for owners and independent mechanics starting in 2022. This means automakers would need to ensure their cyber security systems comply with the new mandates in a short timeframe. It also adds complexity to the issue of cyber security. For instance, if a repair shop makes an error that results in a security breach, who is responsible—the shop or the manufacturer?
“We’re talking about highly complicated mechanical and software systems that can’t be separated from fundamental vehicle safety anymore,” Bryan Reimer, a research scientist in the MIT Center for Transportation and Logistics, told Next City.
The 2013 right-to-repair law forced car makers to institute a nationwide right-to-repair standard. Whether the referendum will result in a similar national standard for connected vehicles remains a question.
Securing Autonomous Vehicles
As the automotive industry continues to work on intelligent and autonomous vehicles, there is a need to better comprehend the safety and security of this connected technology. Automotive Cyber Security: Protecting the Vehicular Network is a five course program that aims to foster the discussion on automotive cyber security solutions and requirements for not only intelligent vehicles, but also the infrastructure of intelligent transportation systems.
Contact an IEEE Content Specialist today to learn more about getting access to these courses for your organization.
Interested in the course for yourself? Visit the IEEE Learning Network.
Janzer, Cinnamon. (15 December 2020). What Massachusetts’ New Right-to-Repair Law Means for Small Auto Repair Shops. Next City.
Stumpf, Rob. (1 December 2020). The Car Companies Are Already Gearing Up to Fight Massachusetts’ Right to Repair Law. The Drive.
Bocetta, Sam. (16 November 2020). How to protect connected vehicle fleets. SecurityInfoWatch.com.
Stumpf, Rob. (4 November 2020). Massachusetts Votes to Expand Major Right-to-Repair Law, Force OEMs to Open Up Vehicle Data. The Drive.