This isn’t your grandfather’s Ford.
The automotive industry has undergone a revolution in recent years. Connected, autonomous, shared, and electric (CASE) vehicles were once fodder for science fiction, with many movies and tv shows depicting cities of flying cars. Now, commercial car manufacturers are pledging to totally overhaul and electrify their fleets — for example, Chrysler’s plans to be an all-electric vehicle (EV) brand by 2028 and Ford’s push to build 600,000 EVs annually by 2023.
Even on the business side, there’s a growing business case for autonomous vehicles that could conceivably operate 24/7, boosting productivity. Think about public transit or parcel delivery.
The TL;DR of it all? There’s huge potential and opportunities — even in the last couple of years — for CASE vehicles.
But with this hyperconnectivity and complex deployment of IoT, it begs the question: what about cybersecurity? A new report from Deloitte Canada looks at this issue, noting that the automotive sector needs to be on high alert — and proactive — at addressing the inherent increase in risk.
The new cybersecurity threat to CASE vehicles
In Connecting Canada: Securing the vehicles of the future, Deloitte Canada outlines the new challenges brought by CASE vehicles, impacting manufacturers, suppliers, regulators, fleet owners, and governments.
For starters, Deloitte’s report explains that physical proximity to a vehicle is no longer needed for an attack to occur. In 2021, they outline, remote attacks “largely exceeded” physical attacks.
Of attacks that were reported, only 15.5% required the attacker to actually access the vehicle. A whopping 84.5% of attacks were remote, with over 50% of all cybersecurity-related automotive incidents taking place in just the last two years.
What type of attacks are happening on CASE vehicles? Citing information from Upstream Security Limited, threats range from diagnostic data manipulation (low-risk), key spoofing and targeted malware (medium-risk), and GPS tracking/stalking and control of acceleration and braking (high-risk).
The aforementioned stakeholders — manufacturers, suppliers, regulators, fleet owners, and governments — all share responsibility of embedding cybersecurity capabilities into operations, the report explains. These need to be considered at five specific stages of the CASE vehicle life cyle: design, manufacturing, rollout, operations, and end of service.
Ultimately, as the Deloitte team outlines in the report’s final thoughts, “even if a fleet owner or individual consumer does not wish to proactively engage in the new features, the connected vehicle is here to stay, and should therefore be considered when reviewing the cyber security strategy of any business.”
A welcome report
“When you consider the manufacturing of a car, consider it like a large puzzle, with many pieces from software or hardware body parts coming from different providers…When these pieces [from around the world] are put together, one might cause a little bit of a weakness in the operation of the other or open up a new pathway for attacks.”
Mirhassani also added that Canadian-made solutions need to be at the forefront.
“We can’t always rely on what is coming from Europe, Asia, or the U.S.,” she says. “We have to develop solutions that are Canadian and for Canadians.”
