Cybersecurity in a smart mobility age

Connected car cybersecurity has been one of the hottest automotive topics for a decade now, with increasingly frequent and sophisticated attacks met by ever more advanced defences.

The issue went mainstream in 2015 when tech website Wired released footage of hackers Charlie Miller and Chris Valasek remotely seizing control of a Jeep containing journalist Andy Greenberg. He let out a an expletive or two as they shut off the engine while he was driving at 70mph.

Although the number of connected cars was still relatively small, the industry was worried. In 2018, the Society of Automotive Engineers found that 84% of automotive professionals had concerns that cybersecurity was failing to keep pace with evolving technologies.

The International Organisation for Standardisation rules on vehicle cybersecurity engineering were still “under development”, and the ‘prevention, detection and mitigation’ mantra was getting a lot of attention.

Fast forward to 2023 and the challenge has escalated. According to data analytics provider Upstream, the number of automotive and smart mobility app-related incidents increased by a staggering 380% in 2022, with ‘black-hat actors’ – the bad guys – behind 63% of them.

The top three attack vectors were: telematics and application servers (35% of all attacks); remote keyless entry systems (18%); and electronic control units (14%). The main threats, therefore, are safety compromise and theft, either of the car itself or, more likely, data.

Statista predicts that the global connected car market will be worth $121 billion by 2025, by which time there will be over 400 million connected cars worldwide, up from 237 million in 2021.

What’s that mean for the UK

This represents a huge commercial opportunity. Several of our universities consistently rank among the top 10 in the world for cybersecurity courses, sparking a plethora of exciting start-ups.

A leading light among them is Belfast-based Angoka, with its hardware solution to what is generally considered a software problem. It creates unique identities to enable trusted data exchange. Established in 2019, it graduated from the National Cyber Security Centre’s prestigious Accelerator programme, and now employs 45 people.

Richard Barrington, Director of Smart Cities & Land Mobility at Angoka, said: “My first car was an Austin A35. I’m not sure I locked it much and the term cyber didn’t exist. Today, my plug-in hybrid tells me when it needs servicing, it’s always locked, and the risk of a software fault disabling the vehicle has increased exponentially.

“Level 4 automation is around the corner and billions are being spent by companies aiming to be part of the value chain. Some are spinouts from academia, others have been created within the exascale computing companies, and more within the automotive sector itself.

“While significant investment has gone into safety cases, nowhere near enough has been invested in understanding and protecting against the risks associated with cyberattack.

“The digitisation of the vehicle, drive-by-wire, electronic control systems, and the systems that manage transport at scale are all vulnerable, as are over-the-air updates and even the EV charging infrastructure.

“Numerous attacks have taken place, or been demonstrated, setting alarm bells ringing throughout the industry. So much so that standards are being mandated, with companies trying to retrofit what should have been built-in from the start.

“One approach is a fortress mentality – encrypt everything, regardless of need. But this doesn’t work in the complex world of connected and automated mobility. There are too many cracks for bad actors to gain entry.

“With the hundreds of devices that make up a modern vehicle – sensors, actuators, controllers, infotainment – coupled with the range of connectivity options needed to transmit, receive and share data, a new model is needed.

“Our solution is built from the ground up, secure by design. It starts at an electronic component or subsystem level, so that each device has an immutable identity. It can then safely exchange data with other trusted devices, with encryption applied when needed. It gives us a real opportunity to get ahead of the hackers.”

They call it safeguarding critical machine-to-machine communications, and it could be a gamechanger, because as more connected vehicles come to the market, the greater the need to protect them from harm.