Protecting vehicles from hackers via a 'digital twin'

Modern connected vehicles have transformed from mere modes of transportation into complex machines with hundreds of digital components, containing personal data and connecting to the Internet.

With about 67 percent of all new vehicles sold in 2020 being connected in some way, this trend is not expected to slow down, but to rise to 100 percent by 2026.

In many ways this new reality puts the modern car at as much risk as laptops or mobile phones for being targeted by hackers.

Protecting all this technology from malicious access, proactively managing the risk and minimizing software vulnerabilities has never been more important to ensure the safety of all road users.

However, the issue we face is that cybersecurity solutions are often an afterthought rather than being proactively managed through the entire supply chain.

The challenge with the security of vehicles lies within their digital- and software-based elements. Unlike mechanical parts that can be tested before the vehicle hits the road and thereafter tested yearly, the connected components need to be continuously monitored for risk.

New software vulnerabilities are being discovered on a daily basis and therefore the vehicle's software needs to be continuously evaluated, monitored and fixed through remote updates (like a mobile phone).

The fact that a certain code has been tested today, doesn't mean it is secured tomorrow. Once the In-Vehicle Infotainment (IVI) system is connected to the internet, it puts at risk all other vehicle software components as they are all connected on the vehicle internal network.

This means that as vehicles are more connected and technologically advanced, vehicle cybersecurity must take a much more prominent place in its design and development cycle.

In the UK for example, we have already seen a 99 percent increase in automotive cyber crime in the last year.

Automotive  engineers have raised the alarming threat that the processing power of cars could be hacked for other activities such as mining bitcoins.

All these issues will continue unabated with the growing consumer demand for the convenience of connectivity in their vehicle and through their driving experience.

Cybersecurity is a layered approach, there is no one model that answers all the questions of security.

While automakers have stepped up their game to meet consumer demand for connected vehicles, what is needed is a collective effort between cyber experts, automakers and their suppliers to redesign the supply chain so that compatibility between components and security is thought of from the design stage all the way through to the production stage and then after, while the vehicle is on the road.

Adopting this mindset will allow manufacturers to keep their competitive position while controlling their cost and long development cycles.

After all, they cannot allow themselves to release an unsecured product and given their complex supply chain, mitigating cyber risks closer to start-of-production or at any stage afterward, becomes a complex task of identifying the source of the risk, tracing the specific supplier that is responsible for its introduction and fixing it in time not to hinder the release date.

While it is clear from the introduction of WP 29 regulation and ISO/SAE 21434 standard that regulators are challenging automotive manufacturers to consider the cybersecurity elements of their future vehicles, automakers and suppliers are tasked with finding their own way around this challenge, to make sure they secure the cars of our future.  

On our end, we at Cybellum have created the very first automotive Cyber Digital Twins (CDT) platform to combat the rising cyber risk to connected vehicles.

This risk assessment platform allows manufacturers to map and trace any potential cyber vulnerability that lies within the hundreds of thousands of lines of code that run a vehicle, and present the software "fix,", to maintain security throughout its life cycle. CDT captures all the information that is required for the ongoing risk management, and therefore allows for a detailed, accurate cyber analysis of the code that runs the car.