Cybersecurity, a growing threat for the automotive industry

In recent news Honda was found to have a vulnerability that allows cybersecurity hackers to remote start vehicle engines and unlock them from a nearby distance. The process involves taking control of the remote keyless entry system and capturing the signals sent from the owner’s key fob to it.

This particular issue affects nine Honda models including the Honda Civic LX and Honda Civic Hatchback. Experts have advised owners to protect key fobs with pouches and even reset them at a local dealership if they think they have been impacted.

With this issue in mind we spoke to Bernard Montel, technical director for Tenable EMEA to discuss the issue of automotive cybersecurity and what more could be done to address this issue.

Just Auto (JA): Could you provide some background on your role?

I’m the technical director for Tenable EMEA, which means that I’m in charge of the voice of Tenable at industry events, marketing events, but also customers and press. Internally I’m working to support the field and also connect with the product managers – the people who are developing the solutions.

I’ve been in working in cybersecurity for more than 20 years. I was working for another American security vendor before and selling into two different spaces. One is what we call identity and access management, all the protections around identities.

The other one is another domain called threat detection or response, which is identifying threat detection, detecting attacks, and trying to answer to those attacks when the customers are detecting them with tools and technologies.

Why is cybersecurity becoming so important to the safety of the automotive industry recently?

I think it’s happening now because we are in a transformation process in the automotive industry. I worked for Renault as an insurance as a consultant, but it was a long time ago in around 1999. At that period of time, we were talking about the platform transformation; at that time the cars were using the same platform, but today we are in a transformation period, the car is really connected.

We are in a global business transformation for the car makers. We see exactly the same kind of transformation we’ve see in any kind of industry and globally. The IT transformation is providing a lot of opportunities, but with that also comes risk.

What are the biggest hacking risks for car owners today?

I think everyone is focusing on the car itself, but if we step back a minute, the connected cars are not just connected to nowhere, they are connected to an infrastructure, which the majority of the time is the Cloud.

One of the major risks is really the infrastructure around the cars because the more you have a big infrastructure to connect the cars, the ‘attack surface’ is growing. It’s not just the number of cars which are connected, it’s number of services and the infrastructure around it, which is very big.

One of the main targets would be the infrastructure to get the data, because it’s very sensitive data. Because it is sensitive data, attackers want to monetize the data.

The second area is what kind of service connected cars can offer. I’ve got an app here and I’ve got myself a connected car; I can open the car, I can open the windows, I can run the fan, I can do a lot of things. By doing that I know that potentially there is a risk so this risk level needs to be managed and to be decreased as much as possible – but we know in our business that the risk zero doesn’t exist.

Are newer cars and electric vehicles (EVs) more at risk?

The risk for EVs is higher because the infrastructure is bigger because of the charging infrastructure. Keeping in mind that the attackers number one goal is to get money, there are many ways to do it. You can steal data and try to monetize the data that you have just got, you can shut down infrastructure and any minute that this infrastructure is down, there is cost for the enterprise.

Classic cars, they don’t need so much infrastructure – they just need fuel. The EV needs a huge network to be recharged. If that network is targeted, and shut down, then immediately all the EV cars are impacted, even without having to penetrate or hack the individual car itself directly.

Now the second part on EV cars is that they are by their nature more connected; EV cars have a new business model. The more you have connected devices or connected services, the attack surface is growing.

What does the industry need to do to prevent cybersecurity threats?

The number one attacks that we’ve seen so far are mainly related to third party software supply chains. For now, those are the majority of the attacks.

When you are using third party software, you have to really monitor those technologies. The second point is there is no system without any vulnerability. Imagine you have a map of your system, and that map is growing – because you have more and more upgrades. You have to know exactly the assets you are in charge of to be sure that if there is any vulnerability, which is raised by security, researchers immediately patch it because otherwise you leave the door open to some malicious activities.

There are two elements on my answers to this. Number one is really the third party software. Number two is really to manage and understand the complete picture of your infrastructure and immediately patch if there is any vulnerability.

Do you see hardware and software vendors collaborating on automotive cybersecurity in the future?

I think the automotive industry will follow other industries so far; it’s a very highly competitive landscape. For the past 25 years nothing really happened, now the industry is undergoing transformation and a lot of stuff has happened, not just because of EV vehicles but because of the new business model and connected cars that are coming.

Many do not collaborate, but very quickly they will realise, at least in the cybersecurity space, there is no industry today which is not sharing what we call ‘threat intel’.

The banking industry have been sharing that for decades. They used to have a quarterly meeting where they shared what they were suffering with, what are the new threats, topics like that. If they really want to beat such threats they need to sit down together and discuss them.

What do you see the future holding for this issue?

The car industry will continue to grow and propose more services for sure, so the attack surface will continue to grow; that means that this issue will continue so the hackers can continue to monetise, that is their main goal.

From data we have, we can see that the number of cyber-attacks on cars increased to 125% from 2018 to 2021, this is a huge increase. Carmakers have to change their model and they have to do that quickly because the competition is very high.

The more we have an attack surface growing, the risk is higher. We have to manage those vulnerabilities as much as we can in advance to be able to reduce that risk.

Also, as all technologies are using Cloud-based systems, developers are now typically coding applications privately in a company’s proprietary Cloud (not the public Cloud), the one private to the company. Most of the time these vulnerabilities I’m talking about are mistakes done by people in the proprietary Cloud. So, if we can detect faulty codes, as much as we can in advance, developers are more prepared.