As more vehicles plug in, connect to the internet and swap data, a cybersecurity knowledge gap is emerging in Canada that is putting us years behind the rest of the world and which stakeholders aren’t addressing fast enough.
It is common knowledge that we have never lived in a more connected world, which now increasingly includes vehicles, or, as some refer to them: computers on wheels. While this advance opens up a world of opportunities, it also presents some compelling and urgent safety concerns.
Today, behind the wheel of any connected vehicle lies a complex, murky and evolving web of rules, regulations and loopholes in transportation cybersecurity. Most countries, companies, policymakers and legislators around the world, including in Canada, are playing catch-up with the rapidly advancing vehicle technology. The need to get cybersecurity regulations ahead of the curve is clear.
“Companies didn’t really know about the risks three or four years ago,” says Sean Cho, director of business development at Autocrypt, a South Korea-based cybersecurity firm, in an interview with Electric Autonomy Canada.
“Cybersecurity always comes at the last minute. When you are building connected infrastructure the first thing you care about is ‘Does it communicate? Does it work properly?’ Then, lastly, they care about security. But now with vehicles getting more connected, cybersecurity needs to be a top priority.”
Wide range of threats
In the not-so-near future it’s possible a connected vehicle could have thousands, if not tens of thousands, of different connectivity points in a day. From chargers to syncing over Bluetooth to infotainment systems to GPS to communicating with other vehicles, pedestrians, cyclists and buildings on or near a road, the opportunities for a breach are copious.
Concerns in vehicle cybersecurity range from annoying to life-threatening. The spectrum extends from a car that has its infotainment system hacked and infected with viruses to malware that takes out charging services for an entire provider, to a vehicle that is remotely taken over to be used as a weapon on the road.
Harken back to 2015 when hackers (luckily, the white hat kind) were able to hack and take control of a passenger-carrying 2014 Jeep Cherokee, remotely. The hack was part of a demonstration for a story in Wired, but the results were very real: over 1.4 million vehicles were recalled by Chrysler for a security update to fix the flaw and the company — along with the driving public — was given a sobering preview of the stakes, which in a real hack could have been much worse.
With so many potential threats both to vehicles as well as the ecosystem and supply chain, it is nearly impossible to imagine that any one entity can (or should) be responsible for cybersecurity. Instead, says one industry expert, the answer is in creating an ecosystem of safety.
“There’s a huge opportunity here, which is of consumer awareness, changing the mindset and letting them know that this is something which needs to be done,” says AJ Khan, president of the Windsor, Ont.-based not-for-profit Global Syndicate for Mobility Cybersecurity, in an interview with Electric Autonomy.
“Automotive cybersecurity is different from traditional cybersecurity. If you think about the vehicle it has many different areas: there’s the office of the OEM (original equipment manufacturer or automaker), which is on the corporate side; then you have operational technology cybersecurity, which is on the manufacturing side; you have supplier cybersecurity, which is the 20,000 suppliers; you have the vehicle cybersecurity; then you have the vehicle-to-everything (V2X) cybersecurity, with the data, the cloud and the edge cybersecurity and that goes to the privacy side. So all of these are things which need to be considered.”
Rules and regulations
Governing the cybersecurity space is a patchwork of regulations that vary country by country, focus on different areas of the cybersecurity environment and lack one core set of guiding principles and rules.
There are some umbrella regulations — WP.29 and the upcoming ISO 21434 — that the tier-one companies, often the direct suppliers of parts or the OEMs themselves, must (or will need to) meet in order to manufacture and sell their product.
Experts say what makes a newer regulation like ISO 21434 more helpful is that, in addition to detailing the minimum requirements for the physical, completely assembled vehicles ready to be sold, the rules extend to securing the supply chain. It obligates manufacturers to ensure the companies providing parts to the final product are adhering to best cybersecurity practices.
“How many suppliers would an OEM have? I would say thousands,” says Khan. “If you take apart the supply chain, you have the OEM — the tier-one which develops the infotainment unit — and there is a tier-two, which develops the software for the infotainment unit. Now, how do you secure their supply chain?”
The short answer is that it’s a multilayered problem. And the reality is that regulations are being outstripped almost before they can be ratified and implemented. The technology is evolving so quickly — in both vehicles and among hackers — and the spread of connected vehicles is increasing daily.
All to say that most of the battle with vehicle security involves coming to terms with the fact that drivers’ modes of transport are now “computers on wheels” with thousands of V2X vulnerability spots.
“At every single point of connectivity there is a bridge,” says Cho, who points to Autocrypt’s team of “white-hat hackers” who help to test, break and rebuild Autocrypt’s software so that it stays as current and as strong as possible against hacking threats that evolve by the hour.
“Each aspect must be individually dealt with to enable security. When you look at electric vehicles: you plug into the charging station and there is energy communication and data communication. There is the point where the charge point operator and the vehicle act as an open door for a (potential) data breach.”
This, says Cho, is an example of where the role of experts, trained in cybersecurity, becomes of paramount importance. Whether it’s a white-hat hacker, a company’s dedicated chief privacy or protection officer, or a vehicle cybersecurity specialist, there is a need for a watchdog at every “open door” to ensure no information is getting in or out that shouldn’t be.
Protecting the entire chain
Mitra Mirhassani is a co-director at SHIELD Automotive Cybersecurity Centre of Excellence and associate professor at the University of Windsor. She has been working in automotive cybersecurity for years and, despite a general awareness of the issue, she is concerned that so little is being done at a policy and legislation level to bolster protection for Canadian commuters.
“Cybersecurity and automotive is not on our radar — yet. We leave it to OEMs and tier-one manufacturers,” says Mirhassani, in an interview with Electric Autonomy. “It’s getting worrisome. Automotive cybersecurity is a different beast and we are wanting the government to pay attention to this new evil coming our way.”
Mirhassani is one of several experts Electric Autonomy spoke with who are pointing to gaps between Canada’s data security best practices and connected vehicles. Their calls for attention are becoming increasingly alarmed. The critical element to appreciate is that if a breach happens it won’t be one car or one charger — it’s a domino effect with potentially devastating consequences.
“It’s not only going to be an attack on automotive. It’s going to be a very easy entry point to attack the infrastructure and that’s when the devastating impacts are going to happen,” says Mirhassani, who along with other industry stakeholders is active in trying to raise awareness of the problem at the federal and provincial policy levels — with little success to date.
“They are interested, but then they try to forget. I would love to see a collaboration of governments — both provincial and federal — industry and academia creating a consortium and looking at it more seriously.”
Keeping talent in Canada
Even where Canadian market participants are trying to catch up, there are problems. For example, while some Canadian organizations are offering training at an advanced cybersecurity level — SHIELD at Windsor and AVRIL at the University of Waterloo being two examples — most of the jobs in this sector exist outside of Canada. And once a brain drain starts, it’s difficult to reverse.
“I’m in constant communication with my graduate students. All of them would love to come to Canada, but cybersecurity and automotive is not on our radar,” says Mirhassani.
With a dearth of experts likely to slow up progress even more, the industry as a whole and in Canada in particular has to also identify a key question: who is responsible for securing what part of the supply chain?
The short answer, say Khan, Mirhassani and Cho, is that all stakeholders — from government to OEMs to charging network operators and drivers — have a role to play to ensure a safe connected vehicle ecosystem. But few are stepping up there, either.
So, with foot-dragging on the legislative side, the public still largely unaware of the risk, and binding regulations that hold everyone to the same standard still to be created and implemented, just how long will it take to get Canada’s transportation infrastructure to a safe, connected driving future?
“It depends on the cost, the concentrated effort, industry portion, but I would say at least five years,” speculates Khan. “This is a dynamic environment and there will always be new components, which will have vulnerabilities and those vulnerabilities will be exploited by hackers. So when I say five years, what I mean is that we will have the infrastructure and the knowledge and the skill set to be able to look at protective mechanisms and have those, but that doesn’t mean that we will not be vulnerable.”
Khan suggests that, in the interim, individual drivers will have to take it upon themselves to try to secure their vehicles as best they can. His top tips include: being selective about which public chargers you frequent, as well as doing your due diligence before buying an EV, by making sure both entities have robust security policies in the fine print of their user agreements and contracts; practising good security hygiene on your cellphone, as that’s the most likely device to be connected to your vehicle; and, finally, remaining vigilant even though you may not be able to see the threat.
Mirhassani echoes a similar sentiment: “We have a lot of education to do in Canada. We are very trusting as a country and we shouldn’t be.”