The automotive industry is tied up in knots over cybersecurity. Consumers expect their cars to be secure. Car makers spend millions on securing cars, but don’t know how, what, or if to charge consumers for security.
Meanwhile, most cyber penetration reports to organizations such as the Auto-ISAC are related to enterprise attacks. The only cars being regularly hacked are Teslas. Tesla is effectively the automotive industry’s canary in a coal mine.
Like the proverbial canary in a cage in a coal mine – whose asphyxiation might serve as a warning to miners – the high profile attacks on Teslas – the latest reported by a German teenager – are a persistent reminder of what is in store for the rest of the industry. While there have been infamous hacks (like the infamous Jeep hack of 2016), Tesla has been the target of everyone from teenagers to professional Chinese hacking organizations.
A consumer survey was released by vehicle infrastructure supplier Sonatus last week under the provocative headline: “Sonatus Survey Shows Majority of Consumers Would Spend Big to Alleviate Automotive Cybersecurity Concerns.” The survey found that “despite seemingly constant headlines about automotive cybersecurity breaches, over a third of respondents are not concerned about their vehicles being hacked.” Most automotive industry participants would consider that percentage of unconcerned respondents a little on the low side.
The Sonatus release continues: “Most of the surveyed consumers who did have cybersecurity concerns expressed a willingness to pay a premium for added security features, with nearly 60% of all consumers willing to spend at least $250, and 30% willing to spend at least $1,000.” This finding would be greeted by skepticism by most. The disconnect may reflect a definition of “security” within which Sonatus appears to have included vehicle theft.
Says the Sonatus press release: “With regards to specific concerns over what a hacker might do if they were to infiltrate a vehicle’s security system, consumers are most concerned about their vehicle being physically stolen, which is not something typically associated with cybercrime. 60% cited this as a key concern, compared to 55% that reported concerns of hackers gaining access to their personal data, 53% that have concerns about location tracking, and 52% that are concerned about hackers interfering with driving capabilities.”
Alas, Sonatus polluted its cybersecurity interest level findings (too high) with stolen vehicle and privacy violation concerns – after all, your phone is more likely to be tracked than your car. Cybersecurity is a problematic issue because consumers are less familiar with the likely scenarios associated with cyber vehicle crime – such as ransomware that might lock out a vehicle owner or brick the car by preventing it from being started.
While the spectacular Jeep hack, with its demonstration of remote control was alarming, anyone hacking a car is more likely to be after financial gain of some kind – not a remote joy ride of someone else’s car. What is really remote is the potential for a terrorist attack.
Most vehicle attacks in the news have been for sport and have typically involved disabling a car or remotely activating functions for fun. This contributes to the uneasy confidence of auto makers that continue to invest in hardening their vehicles and their networks in anticipation of an attack that has yet to materialize.
The low level of threat activity directed at vehicles is deceptive. With thousands of suppliers working with the typical auto maker, the level of vulnerability is extraordinarily high. This is especially so when taking into account networks of dealers and independent servicers.
You can add to the risk profile dozens of in-vehicle electronic control units, multiple in-vehicle networks, and a dozen or more wireless connections to the car. In addition, electric vehicles are not only interacting with network operating centers and telematics service providers, they are also plugging into the power grid.
The list of companies providing cybersecurity solutions is long and growing. These companies are targeting everything from in-vehicle gateways and ECUs to car maker network operating centers and engineering operations. At the same time, semiconductor suppliers themselves are building secure elements directly into their devices.
All of this points toward the dashboard-ization of vehicle management. Any car maker worth its welds is going to want a command center where the entire connected fleet can be monitored in real time for physical crashes or cyber penetrations. Some have had this in place for years.
But day after day it is Tesla seeing the brunt of vehicle-centric attacks, while legacy auto makers contend with hackers targeting their enterprise operations. The Sonatus survey highlights the growing awareness of cybersecurity among consumers, but it misrepresents the willingness of consumers to pay for cyber protection.
Consumers expect this protection and auto makers must provide it. In the end, it boils down to the value and reputation of a brand and how it is perceived by consumers. This is a question of consumer confidence, customer retention, and cost avoidance.
It’s time for auto makers to start establishing their cybersecurity credentials – along with theft and privacy protection. Tesla has established a reputation for paying hacker bounties for finding vulnerabilities and also for rapidly fixing them. It’s time to pay attention to that canary.
Also Read:Share this post via: