Crafting a Proactive Strategy for Comprehensive Automotive Data Security

The rise of data breaches in the automotive industry is driving original equipment manufacturers (OEMs) and suppliers of every tier and type to search for new and more comprehensive strategies for security.

Technology has transformed the modern vehicle into a complex data hub that is constantly generating, sending, receiving and consuming mass volumes of diverse data streams. While automotive data presents many new opportunities for the automotive industry—from innovation of differentiating vehicle functions to potential new revenue streams—it also introduces daunting security concerns. Indeed, the rising influence of data in the automotive world is making the space a more and more attractive target for cybercriminals.

As the automotive industry continues to become more data-driven, a delicate balance must be struck between ongoing rollout of new or enhanced services and comprehensive security for data across the automobile, its operators and the interdependent layers of companies who work closely together to build today’s and tomorrow’s vehicles. Automakers cannot afford merely to respond to regulatory pressures; they must proactively develop and pursue comprehensive strategies that drive robust and dynamic data security across and through the industry.

Scoping the New Automotive Data Ecosystem

Connected vehicles, automotive manufacturers, suppliers, data brokers and data consumers are today interlinked by diverse data flows, forming an immense automotive data ecosystem.

The multiple channels through which data collection occurs represent a particularly critical component of the network of entities. The telematics control unit (TCU) communicates with the OEM or supplier cloud infrastructure, typically via a cellular network. That is the primary channel, but data can also be collected through mobile applications linked to the vehicle, expanding both the volume and scope of data that is collected.

Of course, the data itself is a tremendously valuable asset, holding rich insights into potentially sensitive information such as vehicle performance, driver behavior and usage patterns. Certainly OEMs and their suppliers are well aware of the value of this data, as they rely on it heavily in their activities to refine products, enhance functionality, discover and roll out new services and generally improve their users’ experience. Predictive maintenance, route optimization and personalized recommendations are example applications in this area.

The value of the automotive data extends far beyond the automotive industry itself. Automotive companies can sell the data to third-party data brokers (or consumers themselves) if they can properly sanitize it to ensure privacy. The potential revenue stream here is huge; plus, it could do much to fuel the introduction of new services, apps and products. Entertainment based on individual preferences, insurance products based on driving behavior and even smart-city solutions all can be informed and enabled by automotive data.

Understanding the Contemporary Threat Landscape

The new data-centric ecosystem brings with it a unique set of challenges, too. Most notably, drivers typically lack awareness of and control over data generation, transmission and sharing. This creates unknowns in their daily digital footprints, raising serious concerns about data privacy and misuse or abuse, and it creates trust questions (and possible branding issues) with the vehicle OEMs. Vehicle data is accessible via multiple points such as application programming interfaces (APIs) and apps, and it is unlikely ever to be fully anonymized because it would lose its value if the ability to profile individual users or groups were constrained.

Because the risks and stakes are so evident, there’s a likelihood that the first large-scale attacks against connected cars will target data. And, in fact, cyberattacks on the automotive industry are clearly climbing. The VicOne Automotive Cyberthreat Landscape Report 2023 showed losses from cyberattacks exceeding US$11 billion in the first half of 2023, a huge increase compared with the previous two years.

The report documented the top sources of industry vulnerabilities to be chipsets or systems-on-chip (SoCs), third-party management applications and in-vehicle infotainment (IVI) systems. Out-of-bounds write (OOBW), out-of-bounds read (OOBR), buffer overflow, use after free and improper input validation rated as the most frequent Common Weakness Enumeration (CWE) categories among the vulnerabilities. Logistics providers, service providers, producers of components and accessories and other third-party suppliers were shown to have emerged as primary targets for attacks; 90 percent of the attacks recorded in the 2023 report were aimed at the automotive supply chain.

The good news is that the rising number of reported vulnerabilities indicates a growing understanding of the emerging threat landscape among the global automotive industry. Automakers are becoming more proactive in their approach to data security.

Securing the Complete Ecosystem

As vehicle data becomes an increasing factor in automotive cybersecurity, significant knowledge gaps persist around the types of data and information flowing through this ecosystem, the challenges that they impose and the risks they invite. It is crucial to assess the impact of the automotive data ecosystem on the security of connected cars. Drivers especially lack awareness that such an intricate data ecosystem exists, and this hampers their ability to control their data and take proper precautions against attacks that threaten their privacy.

Protecting connected cars from remote attacks goes beyond securing the vehicle itself. Securing the end-to-end data supply chain used by connected cars while on the road is critical. Cybersecurity strategy must be scoped end to end across vehicle, network, back end and vehicle security operations center (VSOC). Here are six places to start:

  • Implement robust data protection—The advancement of vehicle connectivity and data exchange necessitates encryption of data at rest and in transit, secure APIs, secure cloud storage, regular security audits and penetration testing.
  • Keep users in the loop—OEMs and other stakeholders should inform users about data collection practices, potential risks and protective measures. Users need clear, easy-to-understand instructions on how to control data collection settings, even including how to fully opt out of services that they feel threaten their privacy.
  • Secure vehicle APIs—Cybercriminals frequently target APIs, so these must be secured through strong authentication, rate limiting and regular monitoring and logging of API activity to detect suspicious behavior.
  • Regulate data collection and usage—Clear regulations governing the collection, storage and use of vehicle data are a must. Who has access? How long is data stored? How can it be used?
  • Develop secure middleware APIs—Middleware APIs can provide access to the vehicles’ electrical/electronic (E/E) architectures and electronic control units (ECUs), so these must be designed with security in mind. APIs should include strong authentication and encryption to prevent unauthorized access.
  • Get a handle on risks introduced by artificial intelligence (AI)—Though smart, AI-powered vehicle cockpits are transforming driver experience and enhancing safety, the most advanced capabilities such as generative AI and large language models (LLMs) portend strategic, operational and financial security risks. AI risk is emerging as its own new threat vector for the automotive industry.

Conclusion

The introduction of new business models which reward drivers for sharing their data is emblematic of the balance to be achieved between protecting privacy and fueling technological progress. This is a good model for the industry to follow broadly in other areas.

The blending of the automotive and data worlds heralds tremendous opportunities for companies across the expanding industry, and OEMs, Tier 1 and Tier 2 suppliers and data brokers alike all will play key roles. Furthermore, the safety, privacy and overall experience of drivers will be profoundly impacted by their actions and decisions. All of the stakeholders need the industry to proactively pursue comprehensive and forward-looking strategies for security across and beyond the developing automotive data ecosystem.