We see almost daily headlines highlighting cybersecurity threats facing our society. Once perceived as a futuristic scenario is only too real today. Global conflicts have made us aware of an ever-present threat led by hackers (probably backed by questionable organizations).
Then we have criminals who see ransomware as an instrument for economical gain. As society becomes increasingly connected, cybersecurity threats increase. The vehicle industry is not immune to these threats and needs to act before the battle is lost.
From previously being a hardware centered platform, vehicles are now more and more software driven. Almost everything in a vehicle is controlled in one way or another by software. This creates unprecedented cybersecurity challenges that must be handled during the complete life cycle of the vehicle -- throughout the whole development process.
From concept to development phase; from production to maintenance and software upgrades. However, this is a huge task, especially when you are not the manufacturer of all the hardware and software components.
Vehicle manufacturers rely on many subsuppliers of units and software, so the complete distribution chain needs a forensic approach to cybersecurity to protect itself against the relentless threats it faces today. Add to this that functional safety goals sometimes contradict cybersecurity goals, and the complexity surrounding the issue increases even more.
When cybersecurity is working, nobody will probably notice. But when it is not, everybody will know. The cybersecurity department or security team within companies cannot solve this task by themselves. Everybody in the company must work and contribute to cybersecurity to be successful, from board members and senior management to developers and service providers.
Cybersecurity threats are not static and evolve over time. Like armed forces, they need to continuously train to be able to be effective when the real battle occurs.
So, to be able to respond to threats in an effective manner, both hardware/software of the vehicles and the organizations need to "train" how to detect and mitigate these threats.
The training of hardware/software can be done in a cyber test lab, allowing attack simulations and penetration testing during all stages of development which can feed into post-deployment over-the-air (OTA) updates. But it is also important to train the organization.
The efficiency of the chain of command, from engineers to security officers and executives, has a big influence on the severity a cybersecurity incident can cause. Today mobility services are often not run by the vehicle manufacturers themselves but also others like cloud service providers, app providers, etc.
How do you handle the chain of command between different stakeholders during a cybersecurity incident? That can be trained in a so-called cyber range.
Don’t stand alone
To be able to stay at the forefront of vehicle cybersecurity it is important that industry, research institutes and academia collaborate. There is a huge need of competence in this area since it is not just security people that need to handle cybersecurity. Working together in research, testing and training that makes full use of collective resources is the way forward.
The ability to address a new and increasingly complex threat is something the industry needs. With data becoming digital gold, can society afford not to tackle this challenge it today? Only the future will tell. Let the battle commence.