The development of innovative automotive cybersecurity technologies and the promotion of strategic connected vehicle cybersecurity projects are at the top of the agenda for many carmakers. Awareness of the risk of cybersecurity threats and attacks on vehicles, their components, and the overall supply chain is also increasing. Safeguarding digital systems and networks against unauthorised access, malicious attacks, and potential damage or disruption is a critical concern for stakeholders, including manufacturers, suppliers, regulators, and consumers. The proliferation of connected and autonomous vehicles is also becoming a focus area, as the market for connected vehicle cybersecurity is poised to grow at a CAGR of 18.15 percent from 2023 to 2032. According to Precedence Research, the market size for cybersecurity services in 2023 is expected to be around US$ 3.66 billion.
Karthik Ramanarayanan, Head of R&D, Smart Mobility, Continental Automotive India, looks after the business area of smart mobility and cloud solutions at Continental (India). He shares with Autocar Professional what OEMs are doing to mitigate the problem and the way forward.
Can you tell us about what’s happening in the background at Continental when it comes to cybersecurity for the mobility segment?
Cyber security is one of the key topics of discussion, especially in the sense of connected cars. So, if one looks at the history, the first car to incorporate embedded software was way back in 1977, which was done by GM, and by 1981, GM had already deployed around 50,000 lines of code. But if one looks at the cars today, they depend on millions of lines of code and are running up to 100 network ECUs. ECUs are called Electronic Control Units, which can monitor everything right from powertrain, safety, brakes, airbags, sensors, wipers and other functions like the infotainment centre. There are separate ECUs for each of those functionalities and now we are looking at network ECUs. Current cars are using Big Data to deliver premium connectivity services, especially for the infotainment centre. People want the latest and the greatest only, and with these connected cars, it also becomes very critical to provide Over the Air (OTA) updates. Connected cars give the consumers a lot of opportunities by providing them with the latest information. But as more and more connected vehicles hit the roads, software vulnerabilities become accessible to a lot of hackers. Some of the use cases also mention how the car that one is driving can provide information back to the cloud, whereas the other cars on the road can leverage this information to inform the passengers about the road conditions.
The chances of vehicles getting hacked increase when cars utilise information present in the connected units and when cars provide information to the consumer through the environment, which can compromise critical safety systems. This not only puts the user’s personal information at risk, as in the infotainment centre, personalised playlists, etc., but can also risk the physical safety of the car. Vehicle manufacturers need to adopt a cyber security approach that not only addresses the obvious exposures in the car software, but also a lot of hidden vulnerabilities, as we see a lot of third-party integration coming into play, and addressing these issues becomes important.
How do you address the cyber security issue?
Continental acquired Argus Cyber Security back in November 2017 to ensure secure data channels for the car and inter-platform connectivity through its devices. It is a part of Continental and the company is developing end-to-end solutions with the aim of always ensuring the highest possible degree of security. We do not wait for any incidents to take place but follow a more proactive approach that takes cyber security into account right from day one of product development, which does not let a lot of the potential security loopholes arise.
Within the Smart Mobility business area, we have both embedded software development and cloud-based back-end development, and that is the overall solution, because a lot of products are involved right from firmware to embedded hardware to cloud back end, so we do the end-to-end solution. In both these solutions, we conduct a very detailed risk analysis to ensure secure products that comply with the regulations.
We begin from the roots as we have quality gates of security where developers have to maintain basic standards to ensure that there is no scope left for vulnerability.
In the context of cyber security, what can a hacker do once he gets into the system? One could be lane changing or diffusing the engine; what are the other possibilities one can look at?
Today, the car is becoming more and more autonomous, right from remotely starting to turning on the AC to opening the doors and trunk and also the braking system. All these features use software which is being incorporated heavily into the cars. There are multiple potential hacking points; one of them is the external interface where the car shares information with other devices. The other could be the in-vehicle network, where the ECU can be hacked; each ECU is responsible for a particular function in the car. All these features can make a vehicle vulnerable to attacks and this needs to be monitored.
Do you think data mining and machine learning can be leveraged as a preventive mechanism? If an OEM has loads of data, which you can use and suppose if a driver is behaving in a certain way, preventive steps can be taken because the AI or the ML knows that this is not the way a driver behaves. Is it possible?
It is possible; there is a mechanism which monitors the health of the vehicle. Continental also takes into account the permanent monitoring of the current status of vehicles as communication takes place between the CAN bus and all the ECUs. The CAN bus information is continuously sent to a Security Operation Center, which is outside the car.
Through the Security Operation Center, we can identify a lot of patterns that emerge based on the data; however, this is still in its infancy. AI and ML can be applied on them to observe the irregularities in their behaviour and there would be a possibility of it being hacked. In case there are any irregularities, the issue is then flagged, which is further analysed. In case the vehicle has been hacked, Continental sends out patches, also called Over the Air updates, which are sent immediately from the Security Operation Center. This use case for AI and ML is theoretically definitely possible. Some effort is already being done in that particular way because a lot of information is being shared from the cars to the Security Operation Center, which can flag a potential hacking threat.
If you can move towards being more practical, as a cybersecurity expert, could you highlight one or two instances which you came across in a car or a bike that had been hacked, without revealing the identity of the OEM or the customer? If you could just illustrate what happened and how it was tackled by that particular OEM or by the software vendor.
There was an incident about Chrysler where they had to recall about 1.4 million Jeeps worldwide. There was once a demonstration where hackers could control the braking system of the vehicle over the internet, and that demonstration proved that it was a possibility; corrective actions were taken. The company recalled the vehicles and addressed those issues by replacing some of the ECUs, as some of them did not have the potential to fix the issue through OTA.
Tesla is another such example, which had a vulnerable infotainment system where the hacker could gain control over the car to either start or stop the motor while it was running. This was resolved immediately by sending a patch through Over the Air updates. The Security Operation Center plays a critical role, especially for connected cars, as it helps identify any potential threats.
These two cases seem to be a case of ethical hacking wherein the company or some of the ethical hackers just try to test the vulnerability of the vehicle. But are there any such case studies in real life wherein an actual hacker tried to do it, if you are aware of any?
There is one incident that I vaguely recall; it is about GM’s OnStar, where there was a potential cyber security hack that took place where the hacker was trying to either disable the engine or hack the braking system. But I am not too sure of the details.
So is there any template which India can just borrow from some of the more mature markets like Europe? I believe there is something called UN 136 in Europe which is more of an advisory rather than a mandate for the OEMs. Are these good enough for India to implement?
These kinds of templates are very Europe specific because they are very specific to that region. Some of it might be applicable to India which could be a good starting point but from an Indian legislation perspective, there need to be some modifications so that it suits the Indian market. We can start with it and then modify it to suit the local demands.
This interview was first published in Autocar Professional’s May 15, 2023 issue.