Tue | Feb 23, 2021 | 7:54 AM PST

The day autonomous cars replace the cars we have today is not here yet, but it is approaching.

A few major automotive companies have already made tremendous progress in the area of autonomous driving, but there are still many more steps to climb before reaching the mountain top.

One MIT study suggests that it will take at least a decade before that technology is readily available.

But imagine what it will be like when that day finally comes.

There will be no more slugging through hour 12 of a long road trip where the driver is half asleep at the wheel. Senior citizens who perhaps shouldn't be driving in the first place will be able to safely arrive at their destination. Had too much to drink at the bar but don't want to call a cab? Your autonomous vehicle will get you home safely.

This is what the future holds for us. However, emerging technology will also provide a new target for cyber bad actors. It is a problem being examined in new research.

Connected cars at risk of cyber attack

A major concern in the development of autonomous vehicles is their exposure to a cyberattack. Many of our vehicles are already essentially rolling computer networks, and bad actors will certainly work on ways to compromise these connected car technologies.

Research from Trend Micro looked into the challenges in the space. The report describes multiple scenarios in which drivers could encounter attacks that threaten both their technology and their safety.

Researchers studied 29 real-world scenarios based on the DREAD threat model for qualitative risk analysis. They concluded that these attacks could be launched remotely and/or from the victim's vehicle. Here are three things the report highlights:

  • "DDoS attacks on Intelligent Transportation Systems (ITS) could overwhelm connected car communications and represent a high risk.
  • Exposed and vulnerable connected car systems are easily discovered, making them at higher risk of abuse.
  • Over 17% of all attack vectors examined were high risk. These require only a limited understanding of connected car technology and could be accomplished by a low-skilled attacker."

Mitigations to connected car cyberattacks

By 2022, it is projected that 125 million connected cars will have shipped worldwide. While they will not be fully autonomous, the progress presents a complex ecosystem comprised of cloud, IoT, 5G, and other key technologies. This also creates a large attack surface made up of millions of endpoints and users.

Currently, there are not many opportunities for cybercriminals to monetize attacks on connected cars, and the overall risk assessment of a successful cyberattack was graded as medium, per the report.

But this will likely change as the industry continues to progress. As SaaS applications and other technologies become an integral part of connected vehicles and cybercriminals create new monetization strategies, the risk of a successful cyberattack will increase. 

Trend Micro provided some risk mitigation techniques to implement for protecting connected cars:

  • "Assume compromise and have effective alert, containment, and mitigation processes.
  • Protect the end-to-end data supply chain across the car's E/E network, the network infrastructure, backend servers, and VSOC (Vehicle Security Operations Center).
  • Apply lessons learned to further strengthen defenses and prevent repeat incidents.
  • Relevant security technologies include firewall, encryption, device control, app security, vulnerability scanner, code signing, IDS for CAN, AV for head unit, and much more."

Canadian auto industry behind on cyber threats

Another recent report in the space looks at the challenges of connected and autonomous cars, specifically in Canada.

The Canadian Automotive Parts Manufacturers' Association (APMA) and KPMG recently collaborated to analyze Canadian automotive cyber preparedness.

Analysts concluded that the Canadian auto industry is underprepared for cybersecurity threats.

John Heaton, a partner and advisor at KPMG Canada, says a mindset shift is needed:

"Building a cyber secure culture means keeping security awareness top of mind for all individuals in the organization—not just IT. Every company—no matter the product—has cyber 'digital crown jewels' that must be secured. Companies at every link in the supply chain must identify and protect these and ensure the partners they share data with are taking the same steps."

The research revealed that many suppliers believe their product is not technologically advanced enough to require privacy and cyber safety in their operations.

The report also found that 49% of Canadian APMA members surveyed had not designated a person in charge of overseeing their cybersecurity strategy. It also found that 30% of organizations surveyed had experienced a breach within the last 12 months. 

Auto manufacturers and suppliers will also need to prepare for domestic and international cybersecurity regulations, including Transport Canada's Vehicle Cyber Guidance and the United Nations Economic Commission for Europe (UNECE) World Forum for Harmonization of Vehicle Regulations.

The UN regulation will require companies to document how they will prevent specific kinds of incidents, report information on cyberattacks, and inform authorities at least once a year on whether their cybersecurity measures have been effective.

The future of connected and autonomous cars is emerging, and so are the strategies needed to secure it.