Cybersecurity Crisis: Auto Manufacturers Face Growing Threat of Cyber Attacks

Cyberattacks have become the biggest concern for car manufacturers. What the biggest risks are and what the industry must prepare for.

Ann-Kathrin Amstutz / ch media

Almost all of the 15,000 American car dealers are customers of the software provider CDK Global. In mid-June, the company fell victim to a ransomware cyberattack and had to shut down all systems. This had massive consequences. Thousands of car dealers across the USA were largely incapacitated for hours. Apparently, CDK felt it had no other choice but to pay a ransom of around $25 million to the digital extortionists, as reported by the US news channel CNN.

The incident shows how vulnerable the automotive industry is to cyberattacks. Awareness of this is growing. The topic of cybersecurity has climbed to the top of the agenda for car manufacturers. According to a report by automation specialist Rockwell Automation, companies see the risk of cyberattacks as “the greatest external hurdle for the company’s growth.” The responses come from 182 executives from car manufacturers, automotive suppliers, and electric vehicle companies from 15 countries.

Two aspects are particularly noteworthy: On the one hand, the subject has gained enormous priority within a year. In 2023, it was ranked only ninth among the top risks. On the other hand, cybersecurity poses an even greater problem for the automotive industry than for other sectors: across all industries, it only ranks third among the main concerns.

Complex Supply Chains and Long Lifespan

What makes cybersecurity in the automotive industry so complex? When answering this question, “the entire product lifecycle of the vehicle from development to production to use” must be taken into account, writes the Center of Automotive Management (CAM) in a study. According to the German research institute, this means control over the entire supply chain and the comparatively long lifespan of cars. This, coupled with the variety of models, significantly complicates efforts to ensure cybersecurity.

Experts identify “a significant vulnerability” in the complex supply chains: Such attacks have a “high probability of occurrence” and are often associated with a “high level of damage.” Areas particularly at risk include the charging infrastructure for electric vehicles.

According to experts, the infrastructure is under significant pressure due to the rapidly growing prevalence of electric cars. A quick and broad coverage of charging stations must be ensured. The problem is that the implementation of cybersecurity is often treated as “secondary or not addressed at all,” the research institute notes.

Charging stations are, according to a study, an easy target for cyber attackers.Image: keystone

At the same time, the charging infrastructure is not a uniform system. Rather, it consists of components operated by various service providers. This makes it “an easy target for attacks,” which “have not yet gone out of control just because the damage potential in individual cases is manageable.”

While this may be true if an attacker is “only” looking to charge their car for free, the consequences can be much more serious. Criminals who penetrate the interior of a charging station can easily gain access to the payment data of various users. This could allow them to take control of backend servers and other charging stations – “in the worst case, even over the load management of the regional power grid,” as stated in the study.

Infotainment as an Entry Point

But cars themselves have also become rolling computers. The increasing networking makes vehicles more vulnerable to attacks. Major risks include data theft and remote hacking, where criminals gain access to the car from a distance – for example, control of the steering or brakes, as Ivan Reedman from the IT security company IOActive said in an interview.

New technologies like “Over-the-Air updates,” which allow car manufacturers to update software remotely, may provide relief. However, they simultaneously offer new attack surfaces.

According to the expert, another entry point for hackers is the infotainment systems. Through connection options like Wi-Fi, Bluetooth, or USB, criminals could connect themselves. Furthermore, the systems store many personal data such as contacts or location data, which could be of interest to cybercriminals, Reedman stated.

Manufacturers Phasing Out Older Models – Due to New Rules

Regulators have recognized the problem. In the EU, a new regulation on cybersecurity and software updates for connected vehicles came into effect in July. Manufacturers must now prove that a certified management system to combat hacker attacks exists during vehicle development for all newly manufactured cars – including older models – across the entire supply chain.

Volkswagen is phasing out the compact car VW Up due to stricter cybersecurity regulations.Image: Uli Sonntag/epa/volkswagen

This, however, is a considerable effort, especially for older models. It costs several million euros per type, as estimated by Stefan Bratzel from CAM – and therefore often no longer pays off. Several models have already fallen victim to the new regulation. VW is discontinuing the compact car Up and the van T6.1. Porsche will only produce the combustion versions of Macan, Boxster, and Cayman for export, and Audi, Renault, and Smart are also phasing out older models. (aargauerzeitung.ch)

The Rising Tide of Cybersecurity in the Automotive Industry

As vehicles become increasingly advanced, the automotive industry is facing growing concerns about cybersecurity threats. The recent cyberattack on CDK Global, which disrupted thousands of auto dealers across the United States, has elevated awareness about the vulnerability of automotive systems to cybercriminals. This incident underlines the pressing need for robust cybersecurity measures throughout the entire vehicle lifecycle—from development and production to the end of a vehicle’s use.

Complex Supply Chains and Electric Vehicle Infrastructure

The intricate nature of automotive supply chains represents a significant vulnerability. Experts note that attacks on these systems can happen with high likelihood and potentially result in substantial damage. Additionally, as electric vehicle infrastructure rapidly expands, the rush to establish extensive charging stations often leaves cybersecurity as an overlooked aspect. The decentralized nature of this infrastructure makes it an attractive target for hackers, emphasizing the need for consistent security measures across various service providers.

Connected Vehicles: New Risks and Regulations

Modern vehicles are equipped with infotainment systems and connectivity features, turning them into potential targets for hackers. Cybercriminals can exploit various entry points, such as Wi-Fi and Bluetooth, to gain access to sensitive data or even vehicle controls. To address these challenges, regulatory bodies are taking action. The introduction of new cybersecurity regulations in regions like the EU mandates that manufacturers demonstrate a certified management system to protect against cyber threats, even for existing vehicle models. This shift may lead to the discontinuation of older models unable to meet these requirements due to high costs associated with implementing security updates.

Looking Ahead: Innovations and Industry Response

As the landscape of automotive technology evolves, manufacturers are recognizing the importance of integrating cybersecurity from the start. Technologies such as Over-the-Air (OTA) updates represent a double-edged sword; while they offer manufacturers a means to quickly address vulnerabilities, they also create new attack surfaces. This highlights a significant trend toward developing comprehensive cybersecurity strategies that focus not only on protecting individual vehicles but also on securing the entire supply chain and infrastructure.

Industry leaders are prioritizing cybersecurity by training personnel and employing advanced security protocols to safeguard their systems. Stakeholders must collaborate to implement robust security frameworks that anticipate and mitigate risks while fostering innovation in vehicle technology.