Automotive Cybersecurity: Funding, Reports, 1st Realtime Live Detection? & Vectors

In automotive cybersecurity news are Upstream, LHP Engineering, acias GmbH, IntSights, GM, U.S. Army and McKinsey

Upstream Series B Funding

Upstream Security, the leader in cybersecurity for connected vehicles,  announced that a prominent syndicate of investors, including some of the world’s largest OEM automotive vehicle manufacturers, insurance and fleet operators, invested $30 million in a Series B funding round, bringing the company’s total investment to date to $41 million. The round was led by Renault Venture Capital and included Volvo Group Venture Capital, Hyundai, Hyundai AutoEver, Nationwide Ventures and others. Original Upstream investors Charles River Ventures, Glilot Capital and Maniv Mobility all participated in the round.

The inherent risks in connected cars were in the headlines multiple times over the past 18 months culminating with consumer groups identifying connected vehicles as a potential national security threat. Earlier this year a report published by Upstream Security outlining the automotive threat landscape spanning the past decade, demonstrated that multiple stakeholders ranging from OEM vehicle manufacturers to commercial and public sector fleets have been targeted. In many cases attacks were executed indirectly via connected services and applications and from long distance.

1st Realtime Detection Mitigation from LHP

A collaborative, multi-national development of first-of-a-kind automotive technologies for realtime detection and mitigation of cyber intrusions, and vehicle-to-vehicle data sharing, will be introduced at IoT Solutions World Congress 2019.

LHP Engineering Solutions together with AASA’s LiFi subsidiary 01LightComm and aicas GmbH will illustrate critical, connected car cybersecurity threats using live, simulated intrusions on a Go-Kart-sized replica of a fully-functioning connected vehicle.  Attendees during the October 29-31 event hosted in Barcelona, Spain, will be invited to hack the Go-Kart or take control of the vehicle to maintain normal driving functions. Demonstrations will be provided at Stand 7 in the testbed pavilion at Fira Barcelona Gran Vía (Hall 2).

The Go-Kart is an Intelligent Transport testbed, “Safety Implications from Cyber Security Compromises in Connected Transportation.” It is a ‘Testbed of the Year” nominee as one of 10 practical applications selected by a committee of experts coordinated by the Industrial Internet Consortium (IIC), including representatives from the IoT Council, Ametic, Cenesis, Machine Design and ABII.

In addition to introducing technologies that protect malicious access to vehicle functions related to braking, steering, speed and battery, the companies will introduce critical advancements in how intelligent vehicles and smart cities can connect and share streaming data in realtime. AASA will demonstrate its on-vehicle Light Fidelity (LiFi) technologies for bidirectional, high-speed and fully networked data sharing. The new smart lighting technology uses vehicle lights and exterior cameras to transmit and receive data from other vehicles for realtime data sharing about braking, steering, functional safety, smart city, and cybersecurity information.

“In an autonomous vehicle and smart city environment, vehicles must have the ability to connect and share data, quickly. In areas where Wi-Fi or 5G won’t work, vehicle headlights can quickly, accurately and securely communicate important data about the environment to the driver, and to other vehicles in the area,” said Farid Bicharah, CTO of AASA.

The demonstration builds on LHP Engineering Solutions’ automotive cybersecurity demonstrator platform. It is deployed on an Ev-GoKart chassis and highlights LHP’s open-framework automotive functional safety and cybersecurity platform. The platform addresses the security capabilities needed for quick detection and response to compromises and deployment of realtime embedded controllers.

“Safety and security pain-points are being felt across the entire automotive industry with autonomy and connectivity increasing faster than the tools and awareness for cyber security are being adopted,” said Sven Schrecker, VP and Chief Architect of Cybersecurity at LHP. “What we’re addressing with our demonstration are the solutions needed for on-vehicle cyber security for immediate response to threats.”

aicas contributed security functions based on its JamaicaCAR technologies. Similar to what is used to protect billions of Internet-connected devices, it prevents malicious code being executed. aicas added, for the purpose of this testbed, a function that is able to enable and disable an interface layer in Java VM. When enabled, malicious code does not get the respective run permissions and malicious code cannot be executed

IntSights Releases Report

IntSights,the threat intelligence company focused on enabling enterprises to Defend Forward, announced today the release of the firm’s new report, Under the Hood: Cybercriminals Exploit Automotive Industry’s Software Features. The report identifies the inherent cybersecurity risk and vulnerabilities manufacturers face as the industry matures through a radical transformation towards connectivity.

Car manufacturers offer more software features to consumers than ever before, and increasingly popular autonomous vehicles that require integrated software introduce security vulnerabilities. Widespread cloud connectivity and wireless technologies enhance vehicle functionality, safety, and reliability but expose cars to hacking exploits. In addition, the pressure to deliver products as fast as possible puts a big strain on the security capabilities of cars, manufacturing facilities, and automotive data.

Top Vehicle Attack Vectors:

  • Remote Keyless Systems
  • Tire Pressure Monitoring Systems
  • Software and Infotainment Applications
  • GPS Spoofing
  • Cellular Attacks

To download a copy of Under the Hood: Cybercriminals Exploit Automotive Industry’s Software Features, please visit: https://intsights.com/resources/under-the-hood

GM & U.S. Army GVSC Partner for Cybersecurity

The U.S. Army CCDC Ground Vehicle Systems Center (GVSC) and General Motors announced today a new cooperative research and development agreement (CRADA) which aims to strengthen GM’s and the Army’s automotive cybersecurity expertise over the next two years.

This marks the first automotive cybersecurity partnership of its kind between GVSC and a full-line vehicle manufacturer. Cybersecurity experts from both parties will share best practices, methodologies, tools and approaches focused on conducting penetration testing and cybersecurity risk analysis. In addition to improving cybersecurity processes, both organizations aim to share key learnings with the Society of Automotive Engineers (SAE) for the development of common standards.

Two Army engineers will embed with their counterparts at GM, while a GM expert is scheduled to co-locate with the Army’s Ground Vehicle Cybersecurity Team.

“Cybersecurity is an area of growing concern to the auto industry and one GM takes very seriously, which is why a partnership with the U.S. Army is crucially important,” said Kevin Tierney, GM chief product cybersecurity officer. “The insights we can glean from one another will only further benefit how we approach this important issue.”

GM’s multilayered approach to cybersecurity begins with ensuring security is designed into every product from concept through production. It continues with an agile development approach, thorough testing in complex, real-world situations and continuous monitoring to minimize risk.

Army efforts to bolster vehicle cybersecurity progress hand-in-hand with the military’s advances in autonomous driving technology and artificial intelligence. Through events like the Michigan Economic Development Corporation Cyber Truck Challenge, partnerships with industry and other government agencies, and organic efforts at automotive cyber-hardening, the Army takes a holistic approach to the growing discipline.

What Happens in Your Car Doesn’t Stay in it New Report

In the past, what happened in your car typically stayed in your car. That is no longer the case. The influx of digital innovations, from infotainment connectivity to over-the-air (OTA) software updates, is turning cars into information clearinghouses. While delivering significant customer value, these changes also expose vehicles to the seamier side of the digital revolution. Hackers and other black-hat intruders are attempting to gain access to critical in-vehicle electronic units and data, potentially compromising critical safety functions and customer privacy.

Cybersecurity has risen in importance as the automotive industry undergoes a transformation driven by new personal-mobility concepts, autonomous driving, vehicle electrification, and car connectivity. In fact, it has become a core consideration, given the digitization of in-car systems, the propagation of software, and the creation of new, fully digital mobility services. These services include arrays of car apps, online offerings, vehicle features that customers can buy and unlock online, and charging stations for e-vehicles that “talk” to on-board electronics.

Today’s cars have up to 150 electronic control units; by 2030, many observers expect them to have roughly 300 million lines of software code. By way of comparison, today’s cars have about 100 million lines of code. To put that into perspective, a passenger aircraft has an estimated 15 million lines of code, a modern fighter jet about 25 million, and a mass-market PC operating system close to 40 million. This overabundance of complex software code results from both the legacy of designing electronics systems in specific ways for the past 35 years and the growing requirements and increasing complexity of systems in connected and autonomous cars. It generates ample opportunity for cyberattacks—not only in the car but also along the entire value chain

To be sure, the economics of car cybersecurity are inherently unfair: with the right state-of-the-art tools, attacks are relatively affordable, low-effort affairs. Mounting a coherent defense for the complex value chain and its products, on the other hand, requires increasingly higher effort and investment. So far, this reality tilts the playing field in favor of the attackers. Examples abound across the industry. For example, white-hat hackers took control of the infotainment system in an electric-vehicle model. They exploited a vulnerability in the in-car web browser during a hacking contest, causing the electric-vehicle maker to release a software update to mitigate the problem. In another white-hat hack, a Chinese security company found 14 vulnerabilities in the vehicles of a European premium-car maker in 2018. Another global automaker recalled approximately 1.4 million cars in 2015 in one of the first cases involving automotive cybersecurity risks. The impact of the recall was significant, with a potential cost for the OEM of almost $600 million, based on our calculations.

For an industry used to breaking down complex challenges and standardizing responses, cybersecurity remains an unstandardized anomaly. Thus far, automotive suppliers have a hard time dealing with the varying requirements of their OEM customers. Consequently, they try to balance the use of common security requirements that go into their core products against those via the software adjustments made for individual OEMs. However, current supplier relationships and contractual arrangements often do not allow OEMs to test the end-to-end cybersecurity of a vehicle platform or technology stack made up of parts sourced from various suppliers. That can make it difficult for both suppliers and OEMs to work together to achieve effective cybersecurity during automotive software development and testing.

The difficulty is about to change. Regulators are preparing minimum standards for vehicle software and cybersecurity that will affect the entire value chain. Cybersecurity concerns now reach into every modern car in the form of demands made by regulators and type-approval authorities. For example, in April 2018, California’s final regulations on autonomous-vehicle testing and deployment came into effect, requiring autonomous vehicles to meet appropriate industry standards for cybersecurity. While these regulations have an immediate impact on a limited fleet, the World Forum for Harmonization of Vehicle Regulations under the United Nations Economic Commission for Europe (UNECE) is expected in 2020 to finalize its regulation on cybersecurity and software updates. This will make cybersecurity a clear requirement for future vehicle sales; the associated regulations will affect new vehicle-type approvals in more than 60 countries (Exhibit 2). Industry experts see the upcoming UNECE regulation only as the beginning of a new era of technical compliance regulation in the automotive sector addressing the increase and significance of software and connectivity within the industry.

Read all Automotive Cybersecurity.

SUBSCRIBE

You are welcome to subscribe to receive email notification of publication of Connected Car News Cybersecurity, you can also get weekly news summaries or daily emails.

 

COMMENT: Let Us Know What You Think