Automakers are large, complex organizations with valuable assets under management. They have significant cash flow, unique intellectual properties, and some of the world’s largest and most complex manufacturing facilities. On top of that, the products themselves are exactly the kind of high-ticket items criminals prefer to target.
It should come as no surprise that cybercriminals continuously target every link in the automotive supply chain. The UK auto dealer Pendragon recently made headlines for one of the largest ransom demands ever made – £54 million (around $60 million USD).
Pendragon has confirmed that it continues to operate despite the attack. However, not all automotive industry enterprises are as well prepared.
The automotive industry has a unique cybersecurity risk profile. Unlike other major manufacturers, automakers must simultaneously secure their products alongside their operational technology and supply chain. This presents unique risks that simply don’t translate to other large-scale manufacturing enterprises.
For example, Honda announced a cybersecurity vulnerability in nine of its most popular models in May 2022. The vulnerability allows hackers to remotely start vehicle engines by taking control of the car’s remote keyless entry system.
Most people focus on the security capabilities of the car itself, but this is only a small part of the picture. Cars are more connected than ever before, which means that cloud infrastructure security must also be part of the automaker’s security posture.
As the infrastructure to connect cars grows, the attack surface also grows. The more services and infrastructure automakers connect to vehicles, the more sensitive data becomes available to opportunistic cyberattackers who can monetize that data.
That infrastructure is now expanding to include electric vehicle charging stations. Internal combustion engines do not need to share any data with gas stations to get fuel. Electric vehicles have to share data with EV charging stations, which further expands the security landscape.
The final link in this chain is the manufacturing facility itself. Modern facilities are highly connected, sometimes with the same cloud-based services that individual vehicles connect to. That’s how manufacturers push firmware updates and new software to their cars directly. The supply chain isn’t limited to certified mechanics and dealerships anymore.
The convergence between information technology and operational technology is responsible for dramatic improvements in operational efficiency at automaker facilities. The ability to directly manage operational technology through cloud-enabled systems reduces costs, improves production, and simplifies management across the organization.
However, this convergence comes with risks. The energy industry was one of the pioneers of IT/OT convergence, and provides a wealth of data about its associated security risks. According to one study, 25% of energy companies reported weekly cyberattacks after implementing Industry 4.0 technologies.
There is a simple reason behind this surge in cybercriminal activity. Greater connectivity means presenting a larger attack surface. If that surface is not secured adequately, attackers will find ways to exploit its vulnerabilities.
The auto industry is at the very beginning of its convergence initiative. Automakers are currently investing in sophisticated IT systems capable of managing OT workflows. However, if they do not secure these systems appropriately, they will expose themselves to preventable attacks.
The global auto industry is currently undergoing a period of digital transformation. There is a broad parallel between the changes happening today and ones that have already occurred in other industries.
For example, the mass-scale digitalization of finance happened decades ago. The cybersecurity strategy of the finance industry has been largely successful at adapting to new technologies and protecting users from widespread fraud and data exfiltration. This happened primarily because competing banks and financial institutions took the initiative to share threat intelligence and adopt a unified position against cybersecurity threats.
The automotive industry does not collaborate or share intelligence in this way. This isolates individual automakers and forces them to conduct their own intelligence gathering. It’s likely this will have to change before the industry can earn consumers’ trust.
Automakers and their partners in the automotive supply chain must invest in securing new technological investments as they are made. The risks surrounding the auto industry are significant, but they are not insurmountable. There are several steps auto industry organizations can take right now to reduce cybersecurity risks moving forward.
Automakers must secure operational technology systems in their facilities. This requires significant hands-on experience with the unique systems they run. In most cases, the organization’s chief information security officer doesn’t have this experience, and must rely on management-level expertise on the factory floor.
The OT security coordinator will work with facility leaders to mitigate site-specific risks. They may report directly to the technology or security chief, or to a director-level security professional managing multiple facilities. This will help implement secure best practices for addressing operational technology risks across the entire organization.
Automakers do not typically build everything in-house. Most vehicles are the result of a complex supply chain involving a large number of vendors, service providers, and contractors. Each of these represents another link in the automotive supply chain, and must be secured accordingly.
Cybersecurity must become a high-priority topic when managing third-party relationships. A PwC study reports that only 40% of organizations fully understand their third-party cybersecurity and data privacy risks. Enterprises that report successful cybersecurity outcomes are 11 times more likely to say they fully understand third-party security risks.
The cybersecurity industry traditionally distinguishes between detection-based technologies and prevention-based technologies. The former can be very effective at catching malicious activity before it leads to catastrophic consequences, but is notoriously difficult to scale. The latter can impact usability and productivity, but is inherently scalable and cost-effective.
Not all technologies fit neatly into these categories, however. Prevention-based technologies like anti-data exfiltration (ADX) allow large enterprises to block the transfer of data outside their organization. This causes far fewer disruptions to daily production than other prevention-based approaches, yet dramatically improves organizational security against a wide range of threats. Importantly, it does this in a way that is practical for large auto enterprises to scale.
BlackFog is a security vendor that provides ADX capabilities to automotive manufacturers and their partners. Find out how we can prevent cybercriminals from stealing data from your organization.
*** This is a Security Bloggers Network syndicated blog from BlackFog authored by Darren Williams. Read the original post at: https://www.blackfog.com/automotive-cybersecurity-how-to-secure/