All industries go through periods of dramatic evolution. For the automotive industry, that time is now. Following 100 years of the ‘petroleum engine’ era the industry is being forced to change the heart of the car – the engine – from fossil fuels to electric. Another exciting evolution is the application of Artificial Intelligence (AI) to power driver assistance technology and the development of autonomous vehicles. The speed of this transformation is unique in comparison to the age of this industry.
Another element further complicating the business model for automotive manufacturers is the option to customise vehicles after they’ve left production and are sitting outside new owners homes. While Tesla is pioneering this area other manufacturers are also looking to adopt ‘over-the-air’ software updates that introduce new features and updates to the vehicle making it safer and more capable over time. Enabling this adaptation has seen traditional automotive manufacturers re-invent car digitalisation powered by cloud and AI.
And it’s not just the vehicles themselves that are evolving but the production process is also facing an overhaul. Automation adoption by automakers has always been ahead of the curve, with industrial robots and sensor technology used in assembly plants to increase productivity and efficiency for many years, but increasingly artificial intelligence is part of this process. According to Deloitte, the automotive AI market size is forecasted to grow to $27 billion by 2025 — more than double its size today.
Powering all of this evolution is IT transformation.
The time of old segregated operational technology (OT), used to control physical systems on a traditional production line, is over. Instead Industrial Internet of Things (IIoT), connected devices, cloud and traditional technology are all part of the physical car production supply chain.
However, any rapid IT transformation isn’t without risks and cybercriminals have stepped into the breach and capitalised on the opportunity to deploy attacks and compromise these new processes. A cyber attack can result in significant financial losses, production downtime, and reputational damage. In some cases, a cyber attack on critical machinery can also result in safety risks for workers.
How well do you really know your competitors?
Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.
Your download email will arrive shortly
Not ready to buy yet? Download a free sample
We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below formBy GlobalData
Bad people doing bad things
The largest global automakers have tens or hundreds of manufacturing facilities across the US, Europe, Asia and Africa, producing thousands of vehicles to exacting standards. Even the slightest production slow-down or shutdown in the automotive sector, or any industry for that matter, will produce massive losses.
According to a report by Pingdom, in the auto industry downtime costs are about $50,000 per minute, which translates to about $3 million per hour. Couple this with a report from Statista that claims that between 2010 and 2022, business disruption was the second-most common impact of cyber attacks against the automotive industry and it illustrates the severity of the issue.
In 2021, Kia Motors America allegedly suffered a ransomware attack, impacting not just production but it was purported that hackers requested $20 million to decrypt files and not leak confidential data. In March 2022, Toyota halted production across 28 production lines at 14 plants in Japan for two shifts following a cyber incident at one of its suppliers. In March 2023, Ferrari held its hands up to a ransomware attack that impacted customer data. These are just a few from a long line of automotive manufacturers who have found themselves impacted from cyber incidents and out of pocket as a result.
Legislation is also driving change
The General Data Protection Regulation (GDPR) is arguably one of the world’s strongest set of data protection rules. It stipulates how personally identifiable information (PII) can be collected and used. Importantly it also mandates that personal data must be protected against “unauthorised or unlawful processing,” as well as accidental loss, destruction or damage. There are hefty fines for organisations who fail in their duty to protect PII.
In January 2023, the European Union adopted a new version of The Directive on the security of Network and Information Systems (NIS2). The Directives aim is to strengthen cybersecurity resilience and NIS2 expands the scope of entities covered which includes automotive manufacturers and their suppliers as “important entities” under its scope. All EU member states, and non members trading in the EU, will need to transpose NIS2 into national legislation by October 17, 2024
But it’s not just data, or even the production line, that automotive manufacturers need to have visibility of but the vehicles themselves too.
The Global Forum for Harmonisation of Vehicle Regulations of the United Nations Economic Commission for Europe (UNECE or UNECE) has adopted two standards [UNECE R155 and R156 in 2021] to help build automotive cybersecurity frameworks. They address, among others, car software and system security, personal data protection, and cybersecurity incident management. For R155 and R156, the requirements in the member states have been in force for the approval of new vehicle types since July 2022. The requirements will be applied to all vehicles produced starting in July 2024. 7 July 2026 is the cut-off date for R156 implementation for a special purpose or small series vehicles. The one year countdown for the automotive industry to prepare to implement these standards across ‘all’ vehicles by July 2024 has begun.
Automotive manufacturers need a cybersecurity strategy
Production uptime is obviously paramount as well as protecting intellectual property and other sensitive or personal data. Avoiding incidents, whether it’s the result of traditional cyber-attacks, human error or malicious intent, has to be the ultimate objective making a preventative approach in Industrial cybersecurity paramount.
When it comes to cyberattacks, what we know is that threat actors’ attack methodology is not advanced or even unique but opportunistic. They’re looking for an open window to crawl through. When evaluating an organisation’s attack surface, they’re probing for the right combination of vulnerabilities, misconfigurations and identity privileges. In the majority of instances it is a known vulnerability that allows threat actors an entry point to the organisation’s infrastructure. Having gained entry threat actors will then look to exploit misconfigurations in Active Directory to further infiltrate the organisation to steal data, encrypt stems or other nefarious activities.
To mitigate the risks, it is essential to gain full visibility into all assets that control the myriad of industrial robots and sensor technology that collectively define the automotive manufacturing industry to eliminate many of the core risks associated with the new trends and challenges that are present.
Organisations must employ a system that can perform regular inventory checks that provide detail including the devices model numbers, firmware version, vulnerabilities, patch levels and much more. Doing so will pinpoint and triage the devices with the most serious vulnerabilities to deal with first when the affected system or device can be idled to perform the required maintenance.
Because of the constantly changing threat conditions, this information should be updated regularly and kept in sync with newly discovered vulnerabilities. If a deviation is detected, it must be captured in real-time, as well as historically. Furthermore, if changes are made, a full paper trail is essential. This should include the user that logged in, the processes that were running, the code downloads initiated, as well as whatever was changed in the environment — and much more. Capturing and maintaining this detailed information can help speed incident response, highlight and prioritise newly discovered vulnerabilities and demonstrate proactive compliance both internally and to the required compliance organisations.
It is also important to recognise the significant difference in IT and OT life cycles. While IT infrastructure is designed to be updated regularly, OT infrastructure often persists for years, even decades. Due to the cost of downtime in the automotive industry and the need to adhere to a strict production schedule, it’s difficult to stop operations to perform routine maintenance or even apply patches when a vulnerability is discovered. The result is that vulnerability windows can remain open indefinitely and be susceptible to both known and unknown threats.
Preventing cyber attacks requires full visibility into all assets and exposures, extensive context into potential security threats, and clear metrics to objectively measure cyber risk. Automotive manufacturers that can anticipate cyber attacks will be the ones best positioned to defend against today’s emerging threats.
Bernard Montel, EMEA Technical Director and Security Strategist, Tenable