How to Reduce Risk in Connected Automotive Operations

The New 20s is the decade of automation and connectivity, and that is especially so in the automotive industry, where increasing numbers of motorists are driving “smarter” vehicles. Connected automotive operations and systems can help make the driving experience safer, better informed, and even more entertaining.

Vehicles connected to data sources and devices through the Internet of Things (IoT) can help drivers keep up to date on the latest traffic, maintenance checks, and potential safety hazards. These features are also very popular – the IoT vehicle market in the US is set to grow by more than 8% CAGR by 2030.

However, automotive manufacturers and suppliers must become more aware of the potential dangers in advancing technology. Unfortunately, with the growth of IoT, automation, and AI in vehicle design and development, cyber threats have become more sophisticated, and so have opportunities for hacking and data loss.

Understanding Risk in Connected Automotive Systems

Because connected cars rely on an almost constant internet connection, drivers are at constant risk of attack by malicious actors who can exploit those connections.

The risks involved with automotive IoT run from data theft to genuine safety concerns. For example, researchers were once able to hack a connected Jeep and take over the dashboard (including the braking system) – leading to mass vehicle recalls for Chrysler.

Ultimately, it falls to both the manufacturer and the driver to ensure vehicles have robust enough security to be considered safe to connect and drive. Potential risks facing connected automotive systems include:

  • Theft of personal and financial information (cards stored for onboard payments, for example)
  • Malicious overtaking of onboard controls
  • False signaling and reporting (e.g., with sensor manipulation or shrouding)
  • Diagnostics and settings manipulation
  • Seizing control of steering, braking, and other safety functions

These frightening scenarios ultimately mean that automotive developers need to carefully sew cybersecurity into their general safety provisions. Otherwise, alongside potentially causing physical harm to customers, they could fall foul of fines and reputational damage by overlooking PCI compliance requirements when payment data is stored onboard. 

But how can automotive designers and manufacturers spot potential cybersecurity threats before connected cars go to market?

Identifying Threats in Automotive Cybersecurity

Research confirms that because IoT connectivity has no standardized security frameworks, connected ecosystems often suffer from inconsistent cybersecurity protection. The answer, long term, is a generic, scalable framework that all ecosystems can use. In the meantime, however, automotive IoT developers and users need to simply stay vigilant.

Here are some potential risks that automotive experts should watch for:

  • Vulnerabilities in software code (is it bug-free and error-free?)
  • Vendor weaknesses (can you be sure your third-party software providers have robust cybersecurity practices?)
  • Unnecessary data storage (is information stored excessively or with no designated purpose?)
  • Physical access risks (can attackers easily manipulate in-vehicle systems after breaking in?)
  • Unnecessary connections (are there some IoT features that pose more harm than benefit to the driver?)

One of the best ways to identify threats in automotive cybersecurity is to work closely with experts who can perform penetration testing and regular scanning of hardware and software deployed.

Once live, of course, any issues that developers may find can be remedied with bug fixes and system updates rolled out to customers.

Framework to Reduce Risk in Connected Operations

When it comes to protecting connected car users against cyberthreats, prevention is certainly better than a cure. However, as mentioned, there are no formal frameworks in place that IoT developers can use to reduce risk.

What automotive manufacturers and tech developers can do, however, is adopt strategies to safeguard connected cars against sophisticated threats.

Here are a few to keep in mind when building your own risk-averse framework:

  • What are hackers’ motivations likely to be, and where can you tighten up security to protect against those vectors?
  • Consider where human errors and oversights may lead to weakness and/or data loss. Would it be prudent to double-up on coding checks and testing before deployment?
  • Make provisions for any data stored and used on connected vehicle systems to be encrypted to industry security standards. Employ strong password systems and biometric controls.
  • Reduce the unnecessary storage of data wherever possible, both in-house and through the systems that connect via IoT vehicles.
  • Install software and firmware that can be easily patched and updated by the consumer regularly (as a proactive, preventive measure, not just in response to threats).
  • Meticulously test all connections between IoT devices and ruthlessly remove any that fail to pass checks. Simplify vehicles’ connectivity if it means keeping customers safe.
  • Maintain airtight cybersecurity practices in-house to prevent malware from spreading and hackers from gaining access to code. The manufacturing industry is one of the most vulnerable to data breaches, so prioritize your internal security!
  • Physical security is just as important. Can you be sure that your hardware and any code you use are physically locked down and only accessible to authorized personnel?
  • Thoroughly vet any third-party vendors you work with to ensure they, too, take cybersecurity seriously.
  • Carefully integrate cybersecurity into your physical safety processes and planning – and take a zero-risk approach to testing to avoid all doubt.

Preparing for Future Automotive Risk Challenges

Unfortunately, connected vehicles will always be prime targets for hackers and malware. Therefore, it pays to be vigilant about potential threats and to work with cybersecurity experts regularly to ensure your hardware is robust enough to roll out.

Above all, you should develop an internal threat response plan that applies to your own infrastructure and that of the systems you develop. By following the basics of PCI DSS to protect sensitive data, you can start building a strong foundation against sophisticated attacks.

Beyond this, a proactive response strategy will help you bounce back from any potential bugs or vulnerabilities that arise after rollout. It’s best practice, in any case, to give those threats zero room to emerge in the first place!