In this Help Net Security interview, Yaron Edan, CISO at REE Automotive, discusses the state of cybersecurity in the automotive industry, with a primary focus on electric and connected cars.
Edan highlights the challenges of technological advancement and outlines strategies for automakers to deal effectively with cyber threats. He also emphasizes the importance of consumer awareness in ensuring vehicle security.
Could you explain the state of cybersecurity in the automotive industry, particularly in the context of electric and connected cars?
The automotive industry is experiencing digital breakthroughs that are transforming the way cars are designed, manufactured, and used, primarily through the introduction and proliferation of electric and self-driving cars. Technological advances have been introduced and integrated throughout the vehicle lifecycle. While this brings many benefits to the cars we drive every day, including increased safety and efficiency, it also introduces new and pressing cybersecurity challenges.
Today, vehicles are increasingly connected to the internet, perform over-the-air (OTA) updates, use remote management, are equipped with advanced driver assistance systems (ADAS), and employ AI, making them more susceptible to cyber-attacks. The means are expanding into threats that could be exploited by an attacker in serious ways.
What steps are automakers taking to address cybersecurity challenges in modern car models?
We use many different forms of software in our vehicles, and the amount is increasing. The first challenge lies in the supply chain, and not just in terms of who provides the software. The problem permeates through each layer. Car manufacturers need to understand this from a risk management perspective and pinpoint the occurrence and location of each specific risk. Suppliers must be involved in this process and continue to follow the guidelines set by the vehicle manufacturer.
The second challenge involves software updates. As technology continues to evolve and add more features, cybercriminals find new ways to exploit flaws and gaps in our systems that we were unaware of due to the newness of the technology. Regular software updates should be performed on your product to fix holes in your system, improve existing vulnerabilities, and improve product performance.
To address these challenges, automakers need to conduct an initial risk assessment to understand what types of threats and adversaries are operating within each tier of the auto industry's product and supply chain. Based on the experience gained from the initial risk assessment, steps should be put in place to ensure that each internal and external employee and supplier is aware of their role in maintaining the security of the company.
This step determines the types of threat actors operating within the automotive industry, their location, and the severity of each threat. This is complex because there are many threat actors around the world, and each group uses different forms of attacks to varying degrees. Car manufacturers use the information collected every day to protect their assets. In addition, audits should be conducted regularly to assess each supplier and employee to ensure that procedures are being followed correctly, do not need to be updated, etc.
Can you explain how automakers integrate cybersecurity into their design and development processes?
Once your factory line is up and running, the first step to integrating cybersecurity into your manufacturing process is to understand the risks and how to close the gaps to ensure your operational technology (OT) policies. Manufacturers need to address the OT threat. OT threats include thousands of unique threats that originate not from systems such as computers, but from product lines, sensors, and other equipment involved in the manufacturing process.
Due to the simplicity of the equipment used at this stage, these threats can be particularly dangerous if left ignored. Let's say you're a threat actor and you want to harm an automaker. In that case, it would be much more difficult to launch a cyberattack against the cloud or the automaker's employees. Still, factory lines are easy to attack because they use intrusive equipment and their actions are difficult to detect. This is a very common area targeted by threat actors.
What are the key strategies you recommend to protect connected and electric vehicles from cyber threats?
Automotive companies need to approach cybersecurity threats proactively rather than reactively. This allows security teams to avert threats rather than reacting after the damage has occurred. Here are some proactive strategies I recommend for companies:
- Perform risk assessments to understand and prioritize current and future risks.
- Create company-wide security policies and procedures and ensure all employees understand their role in maintaining security.
- Hold regular security training and awareness programs to educate your employees.
- Implement strong network security measures, such as firewalls, detection systems, and encryption, and regularly monitor network traffic for anomalies.
- Back up your important data regularly and store it in a safe place.
- Create a comprehensive incident response plan that outlines the steps to take in the event of a cyberattack.
- Conduct regular security audits to assess the effectiveness of security measures and identify areas for improvement.
Cybersecurity is a continuous process that requires constant vigilance and adaptation. Current strategies are likely to become outdated and will need to be revised as new threats emerge.
What role will regulatory bodies play in developing cybersecurity standards for electric and connected vehicles?
Although regulatory bodies play a role in shaping cybersecurity standards, they cannot directly assist in product security. It is up to each party in the auto supply chain. The regulator's goal is to provide automakers with best practices on what steps to take in the event of a cyberhack, which players to communicate with, and how far to go depending on the severity of the threat.
Once an automaker complies with certain regulatory rules, they request on-site visits from regulators, where they conduct audits for months at a time, hacking through each layer as much as possible to look for areas of weakness and identify what needs patching up. This process must be repeated until the automaker is fully compliant.
What are the best practices consumers should be aware of to ensure the cybersecurity of electric or connected vehicles?
Consumers must ensure that the data collected in their vehicles remains confidential. For example, if you own an electric vehicle (EV) and need to charge it, you might visit a public charging station. Not many people know this, but public charging stations transfer not only electricity but also data, so vehicle data can be easily hacked.
To prevent this from happening, vehicle owners should ask the right questions. Owning an EV is no different than, say, a homeowner shopping for a large kitchen appliance. You need to ask the right questions, such as who wrote it, does the company have cybersecurity procedures in place, and is it currently compliant with regulatory agency requirements? It is also important to ensure that all software is regularly updated. EV users should download official software from a trusted brand using a secure network.
Like automakers, consumers are partially responsible for their own security, and this needs to be further emphasized to the general public. Without this knowledge, consumers remain highly vulnerable to hacking by cybercriminals.