automotive-cyber-security-standard

As modern vehicles grow increasingly connected, they are becoming a boon to cyber criminals in the process. According to the AV-TEST Institute, cyber attacks targeting vehicles increased to about 1.1 billion by the end of 2020, compared to roughly 65 million a decade ago. 

A number of new standards, regulations, and best practices aim to help curb these attacks. Among these include 29 regulations from the United Nations Economic Commission for Europe (UNECE), the National Highway Traffic Safety Administration (NHTSA) best practices report, the SAE J3101 standard (which outlines hardware-protected security requirements for applications in ground vehicles), and the ISO/SAE 21434 standard, which is designed to safeguard vehicles from security risks across their lifetime. According to Security Boulevard, the new ISO/SAE 21434 standard specifies “various engineering requirements and recommendations for risk management in the concept, product development, production, operation, maintenance, and decommissioning of electrical and electronic systems in vehicles, components and interfaces.” This automotive cyber security standard is significant as it will spur automakers, suppliers, and product developers to adopt a vigorous cyber security culture.

What Will This Cultural Shift Entail?

The auto industry’s cyber security cultural evolution will consist of transformations that are both human and technical, according to Automotive World

Human: Every employee will need a basic understanding of cyber security and techniques for reducing risks. This means that employees involved in vehicle design will have to undergo regular training. Select experts will need to oversee cyber security in various organizational divisions, special budgets for security will need to be developed, and new functions and features will need to undergo testing.

“Security has to be part of the thought process, but this is going to be quite a difficult transition for many organisations as it is a fairly new topic for the auto industry,” Dr. Dennis Kengo Oka, Principal Automotive Security Strategist at global software company Synopsys, told Automotive World. “This will require a cultural change to promote cyber security from the top down.”

Technical: New technical solutions will help safeguard vehicles from cyber criminals, along with services that help original equipment manufacturers and suppliers make more secure products. However, there will still be security challenges. For example, open-source software has saved time and money for the auto industry, but it also increases the chances of errors that create doorways for hackers. For this reason, it is essential to bring in services that specialize in automating open-source software management that can help identify potential issues.

“Large automotive organisations cannot develop everything on their own, and in many cases those open-source software components are very beneficial,” said Oka. “The challenge in using open-source software is managing it; you need to know which components and versions are being used in your products and systems, and if there are any vulnerabilities associated with those versions.”

As hackers grow more sophisticated, so will the challenge of securing modern vehicles. By creating a sound cyber security culture across the automotive industry from the ground-up, automakers and suppliers can ensure their vehicles and products are trustworthy and safe.

Understanding Automotive Cyber Security

Prepare your organization to better comprehend the security aspects of the automotive industry. An online five-course program, Automotive Cyber Security: Protecting the Vehicular Network aims to foster the discussion on automotive cyber security solutions and requirements for both intelligent vehicles and the infrastructure of intelligent transportation systems.

Contact an IEEE Content Specialist today to learn more about getting access to these courses for your organization.

Interested in the course for yourself? Visit the IEEE Learning Network.

Resources

Neustadter, Dana. (5 August 2021). Protecting Automotive Socs Starts With Secure Ip. Semiconductor Engineering. 

Oka, Dennis Kengo. (19 July 2021). Practical solutions for a secure automotive software development process following ISO/SAE 21434. Security Boulevard. 

Holmes, Freddie. (14 July 2021). Automakers must champion cyber security. Automotive World. 

software-defined-vehicles-cyber-attacks

Modern vehicles come strapped with a variety of computerized and connected components. These features can make vehicles more appealing to drivers. However, they are also risky, because they can serve as hidden doorways for cyber criminals. Currently, there simply are not enough security features in modern vehicles to keep them invulnerable. Furthermore, as vehicles become more autonomous, the threats grow.

What are the Current Threats?

A few common techniques cyber criminals use to compromise modern vehicles include:

Hacking mobile apps: Car manufacturers and app makers are transforming mobile phone apps into remote controls. While this feature provides convenience, it also inadvertently gives hackers potential entryways into drivers’ personal data. 

Malware: Cyber criminals can access unsecured Bluetooth devices and MP3 players. From there, they can use malware to hijack a vehicle. For example, a hacker could mask a virus as a music track, which lets them slip into the system as soon as the driver presses “play.”

Server break-ins: If a hacker manages to successfully penetrate a server, they could access all connected mobile apps, sales data, and controls. With this access, they can manipulate secondary vehicles connected to the server. Additionally, they may be able to access a car’s on-board diagnostic port, which they could then use to access its management system. 

Over-the-air software (OTA) updates: Hackers can tap into weaknesses in these updates to access vehicle systems, allowing them to take control of vehicles from anywhere in the world.

What are the Future Threats?

Cyber security threats don’t end with today’s connected vehicles. There is growing evidence that future autonomous vehicles, which will come equipped with a broad range of artificial intelligence (AI) features, will pose additional dangers to drivers and pedestrians.

“The increased uptake of AI technologies has further amplified this issue with the addition of complex and opaque ML [machine learning] algorithms, dedicated AI modules, and third-party pre-trained models that now become part of the supply chain,” states a recent report on the cyber security challenges in autonomous vehicles from the EU Agency for Cybersecurity (ENISA) and Joint Research Centre (JRC).

Software-defined vehicles, whose components are enabled primarily through software, pose one of the biggest cyber security challenges in the near future. These vehicles come equipped with a number of software components that require regular over-the-air (OTA) updates throughout a vehicle’s lifetime. These software components often come from a number of different suppliers, and they must be reviewed for vulnerabilities.

As such, manufacturers will need to take on complex security strategies to ensure vehicles with these components are trustworthy.

Such strategies can include:

  • Developing systems that require each OTA communication be formatted specifically within an applicable communications protocol, whether or not the source has been confirmed.
  • Establishing a protocol in which a system shuts off specific subsystems if a vehicle does not establish an OTA connection over a certain period of time, which could protect it against a potential attack. 
  • Analyzing software for threats through composition analysis, penetration testing, and periodic risk assessments. (This depends on “defense-in-depth strategies,” such as secure updates, identity access management, secure boots, and isolation-through-virtualization methods.)
  • Securing microchips in a vehicle’s electronic control units. Some methods include secure storage, tamper detection, and hardware acceleration for crypto-algorithms.

Cyber security will continue to represent a growing challenge for the automotive sector. As it does, vehicle makers will be wise to ensure their vehicles come equipped with the best security features possible. They also need to prepare for a future in which cyber security will be considered fundamental from the beginning to the end of a vehicle’s life cycle.

Focusing on Security and Safety

Prepare your organization to better comprehend the security aspects of the automotive industry. An online five-course program, Automotive Cyber Security: Protecting the Vehicular Network aims to foster the discussion on automotive cyber security solutions and requirements for both intelligent vehicles and the infrastructure of intelligent transportation systems.

Contact an IEEE Content Specialist today to learn more about getting access to these courses for your organization.

Interested in the course for yourself? Visit the IEEE Learning Network.

Resources

Smith, Jada. 25 June 2021. Protecting the Software-Defined Vehicle. CPO Magazine. 

Stevens, Gary. (6 June 2021). Securing Computerized Vehicles from Potential Cybersecurity Threats. Trip Wire.

Hope, Alicia. (8 March 2021). EU Agency for Cybersecurity Says Autonomous Vehicles Highly Vulnerable to Various Cybersecurity Challenges. CPO Magazine.

ransomware-surges

Cyber crime is on the rise. In the U.S. alone, McDonalds, Colonial Pipeline, SolarWinds, and JBS Foods were all recently forced to pay millions due to ransomware attacks that compromised their data. Former Cisco Systems CEO John Chambers predicts an onslaught of up to 100,000 ransomware attacks this year alone, which could cost organizations an average of $170,000 USD each. 

The absence of cyber security standards contributes to the problem. Almost all organizations invest in security procedures to protect their physical property from intruders. However, the threats to digital property are just as real, with fewer organizations developing adequate protocols to safeguard these assets. It’s not hard to understand why. Cyber security technology is complex and ever-evolving, and so are the threats. Keeping up with these changes is not easy or cheap. 

Voluntary Standards Are Not Enough

Despite the growing wave of cyber attacks, the U.S. requires very few of the sixteen most vital industry sectors to meet minimum cyber security requirements. With threats increasing, 86% of the Cybersecurity 202 Network—a panel of more than 100 cybersecurity experts—said that the government should require organizations in “critical industry sectors” to meet minimum cyber security standards, according to a recent survey from the Washington Post

While officials in the past considered voluntary standards good enough, that attitude is quickly changing. The U.S. government may soon require organizations considered critical to the nation’s interest to follow a defined set of cyber security standards. According to CNBC, a recent memo from the White House warned businesses that “the threats are serious and they are increasing.” The memo highlighted a number of best practices organizations can take to protect themselves from ransomware, including backing up data, systems images, and configurations, as well as regular testing and network segmentation. 

“If a company has done proper segmentation, every time the bad guys try to cross a segment you get the opportunity to detect them before they can trigger the malware,” Michael Daniel, president and CEO of the Cyber Threat Alliance, told CNBC. “By employing this practice you make yourself more resilient against having a successful ransomware attack launched against you, and if you do have one you’re usually able to mitigate the damage and recover much more quickly. This is what gives companies a lot more options than believing they have to pay the ransomware.”

A Problem Organizations Must Manage

Because a lack of universal cyber security standards is precisely what criminals are taking advantage of, it’s vital that governments and organizations develop them soon. In the meantime, organizations must grapple with cyber crime on their own. Those with mature cyber security strategies look at it as a threat they must manage rather than a problem to solve after it happens.

“For some risk you employ technology, for some you buy insurance,” Daniel told CNBC. “The point is that a company is actively managing the risk, not just hoping that something bad doesn’t happen to them.”

Among the steps organizations can take to manage cyber security risks are developing a strategy and ensuring employees are properly trained on how to deal with potential threats. 

Cyber Security Considerations for an Effective Cyber Strategy Within Your Workforce

Ideal for technical professionals across all industries who support their company’s IT departments and require up-to-date information on how to protect enterprise networks from potential threats, Cyber Security Tools for Today’s Environment is an 11-course program designed to help businesses improve their security techniques.

Contact an IEEE Account Specialist today to get access to the course program for your organization.

Interested in learning about getting access to the course program for yourself? Visit the IEEE Learning Network to learn more.

Resources

Hum, Thomas. (14 June 2021). Over 65,000 ransomware attacks expected in 2021: former Cisco CEO. Yahoo!finance

Caminiti, Susan. (11 June 2021). Cyber standards are key in battling ransomware attacks. CNBC.

Marks, Joseph. (11 June 2021). The Cybersecurity 202: Our expert network says it’s time for more cybersecurity regulations. Washington Post.

The Centre for Strategic and International Studies recently conducted a survey of IT managers and discovered that 82% of employers believe they lack cyber security skills in their organization. Out of those surveyed, 71% feel that this under preparedness causes harm to their organizations. Leveraging the latest technology might help reduce this damage. However, making sure employees understand how to protect sensitive information is key to closing the cyber security skills gap. After all, cyber security breaches can affect the company as a whole–from the company’s supply chain to the customer.

Cyber Security Shifts

As the world becomes more digital, the risk of cyber attacks increases. Organizations need to remain alert in order to avoid data breaches, distributed denial-of-service (DDoS) attacks, and ransomware. Many companies also view cyber security as a competitive advantage as consumers grow more aware of the threats their private information is facing. People want to protect their personal data, so it is crucial for organizations to make their customers feel secure when giving their information.

According to Gartner, spending on security products and services will increase to $124 billion in 2019, which is 8.7% higher than spending in the year prior. The more a company invests in cyber security, the more trustworthy they generally become in the eyes of consumers. As cyber attacks become more frequent, the demand for companies to be able to resist these attacks increases–as does the need for employees properly versed in cyber security best practices.

Cyber Security Talent Shortage

What can a company do if they currently do not have strong cyber security mechanisms in place?

  • Grow internally. Companies can improve cyber security by hiring experts or buying software to improve the company’s system. While this approach may be more difficult because of budgeting, it is often an easy way for a company to make progress more quickly toward closing their cyber security skills gap.
  • Educate. Cyber security is a team effort. All employees should be involved and educated on reducing infiltration and data breaches. The education of employees must be comprehensive and refreshed as new cyber threats are created. It is vital that companies make sure their employees are knowledgeable in how to protect the data.

A cyber attack can cost an organization up to $13 million USD. Training and education is a smart investment that requires company-wide engagement.

Improving Cyber Security at Your Organization

Having the right tools and systems in place can prevent data breaches and cyber crimes. As the world becomes more automated, it’s crucial for your organization to understand the available cyber security measures to protect its data and devices. Cyber Security Tools for Today’s Environment, an online 11-course program from IEEE, helps businesses improve their security techniques.

Contact a specialist today to get access to the course program for your organization.

Interested in learning about getting access to the course for yourself? Visit the IEEE Learning Network to learn more.

 

Resources

Smerdon, Sandra. (21 January 2020). How business leaders can close their cyber security skills gap. World Economic Forum.

cloud-security-storage-risks-cyber-attacks

Cloud security threats come in many different forms including data breaches, hijacked accounts, data loss, denial of service, and system vulnerabilities. As organizations and individuals continue to adopt the cloud, securing all of the stored information is a top priority. Companies must be aware of the risks and solutions in order to prevent serious damage.

Security Risks to Cloud Data

Data Breaches

Any data stored in the cloud is at risk for cyber-attack. From phishing to security scams, hackers are constantly developing new ways of gaining access to sensitive information. This type of attack can damage a company’s reputation and affect its market position. Furthermore, it can also lead to legal issues if customers’ personal information was released.

Access Management

Without multi-factor authentication and strong passwords, cyber criminals can easily gain access to accounts. Once they’ve hacked into one account, unauthorized users can access private information. Depending on the hacked account’s permissions, bad actors could cause a sizable data breach.

Insecure interfaces

Because your company’s API and UI are exposed to the public, having strict authentication can help ensure that cyber criminals cannot gain access. However, inadequate security leaves your interfaces vulnerable to attack. Possible consequences include jeopardized confidentiality, accountability, integrity, and availability.

Data Loss

Although many cloud providers heavily focus on security, not all attacks can be prevented. Should hackers gain access to your system, it’s possible that they could erase all of your data with the intention of ransoming it. If no backup storage is in place, your organization could face a permanent loss of data.

Hijacking

Account hijacking is a form of identity theft that involves cyber criminals using stolen information in their attacks. When this occurs, your organization can lose control of its account, data, functions, business logic, and any other dependable applications on the account. A breach of this form should be taken very seriously. It can lead to large data leaks and damage to the company’s reputation.

Insiders

While outside hackers may be the first party that comes to mind, they are not the only threat to your cloud’s security. Current or former employees also pose a risk. Because they already have access to the company’s sensitive information, a malicious insider could expose or sell proprietary information. To minimize the risk of an internal attack, it’s vital to ensure user permissions are kept up to date based on employment status.

Best Practices for Cloud Security

As more people store their information in the cloud, the risk of cyber attacks increases. With a larger pool of potential targets, bad actors are furthered incentivized to develop new schemes. Despite this, the cloud is still a worthwhile storage option.

Steps you should take to secure your information include:

  • Encrypting data
  • Using two-factor authentication
  • Understanding open API frameworks
  • Making sure everyone uses hard-to-crack passwords
  • Restricting accessibility to sensitive information

Protect your business

Having the right tools and systems in place can prevent data breaches and cyber crimes. As the world becomes more automated, it’s crucial for your organization to understand the available cyber security measures to protect its data and devices. Cyber Security Tools for Today’s Environment, an online 11-course program from IEEE, helps businesses improve their security techniques.

Contact a specialist today to get access to the course program for your organization.

Interested in learning about getting access to the course for yourself? Visit the IEEE Learning Network to learn more.

 

Resources

Nailwal, Mukesh. (14 October 2019). CLOUD SECURITY BASICS: HOW TO ENSURE THAT YOUR DATA IS SAFE. Techgenix.

Soni, Rakesh. (11 October 2019). The Rise of Cloud Computing Threats: How to protect your cloud customers from security risks. Customer Think.