Connected, autonomous, shared and electric (CASE) vehicles are opening up a whole new world of transportation possibilities as well as a whole new set of cybersecurity risks

With cybersecurity incidents involving connected, autonomous, shared and electric vehicles on the rise, a Deloitte Canada report outlines the risks and lays out a strategy showing industry stakeholders how they can meet their responsibilities to ensure a safer mobility ecosystem.

Connected, autonomous, shared and electric (CASE) vehicles are opening up a whole new world of possibilities for convenient travel and transportation in Canada. But increased connectivity and greater data sharing also bring an increased risk of cybersecurity attacks — a threat that businesses in the CASE supply chain must address proactively to protect vehicles and their operators.

This is one of the key messages from a recent report by Deloitte Canada called “Connecting Canada: Securing the vehicles of the future.”

“Ensuring that automotive cybersecurity technologies stay well ahead of the tactics of threat actors will no longer be a choice but an imperative for all businesses in the supply chain,” the report states.

Stressing that these challenges need not “become a barrier to entry for business,” the report details how safety measures should be developed and applied as these transportation technologies become more complex and capable of putting drivers’ private information, as well as control of and access to their vehicles, in jeopardy.

Mitra Mirhassani, an automotive cybersecurity expert who is co-director at SHIELD Automotive Cybersecurity Centre of Excellence and associate professor at the University of Windsor, welcomes the findings.

“The report actually highlighted a lot of important issues that are currently existing in the automotive [sector],” says Mirhassani in an interview with Electric Autonomy Canada.

“When you consider the manufacturing of a car, consider it like a large puzzle, with many pieces from software or hardware body parts coming from different providers…When these pieces [from around the world] are put together, one might cause a little bit of a weakness in the operation of the other or open up a new pathway for attacks.”

Remote incidents on the rise

The Deloitte report identifies a number of cybersecurity risks for Canadian drivers and fleet operators, ranging from low risks like altering car diagnostic data and illegal access to back-end systems, to more serious breaches like GPS monitoring and stalking, and manipulation of acceleration and braking.

As technology continues to advance in the automotive sector, Deloitte says “physical proximity is no longer needed for attacks to occur.” In 2021, the report says, 84 per cent of cyberattacks on vehicles were carried out remotely, with more than 50 per cent of cybersecurity-related automotive incidents ever reported happening in the last two years.

“It’s important to remember that there are a lot more cyberattacks that go on that are not reported,” says Mirhassani. “And it’s good, we shouldn’t advertise that we are under attack…[but] attack numbers are going to grow much, much higher.”

The Deloitte report echoes Mirhassani’s statement that automotive cyber incidents will continue to rise and cites the reason as an “amalgamation of hardware and software components.”

“In many instances, responsibility [for these attacks] can fall on multiple stakeholders within the automotive supply chain,” reads the report.

These stakeholders include government bodies, Tier 1, 2, and 3 suppliers, automobile manufacturers, communication service providers (CSPs), cloud provision companies and smart transport business consumers.

“Strong partnerships, clear delegation of responsibilities and identification of opportunities to mitigate cyber risk will be key to using the entire ecosystem safely, securely and confidently,” says Deloitte.

However, getting stakeholders to take up responsibility is easier said than done, says Mirhassani. As a result, she believes it will be a major challenge to ensure that every aspect of a vehicle’s manufacturing process and supply chain is free of risks.

“As scientists or engineers, we are not at the level that we can demand these safeguards or these protocols to be inserted into manufacturing,” says Mirhassani. “We need a closer connection to policymakers and regulators with finance and insurance institutions to provide our expertise, and then they have to take this expertise and extend it into something tangible.”

Concluding recommendations

Looking to the future, the Deloitte report recommends that all participants in the automotive supply chain should prioritize “security by design” in order to ensure that the sector can adapt to the vast range of new and emerging cybersecurity risks without having it impede the widespread adoption of CASE technologies.

The role of regulators and government bodies will be to address cybersecurity standards and their enforcement across the whole ecosystem.

Currently, the Canadian government is “trying” to incorporate global cybersecurity standards in their designs, says Mirhassani, but the problem is that they are “not demanding” that these global standards be implemented (a topic we covered in more detail in a previous story).

“I feel like we really need to wake up. For example, Europe is way ahead of North America in general and then we are way behind the U.S.,” says Mirhassani. “This will impact our economy, this will impact our job security and competitiveness. It’s very easy for [other] countries to say that these programs or these cars that are coming out from Canada are not secure enough and just brush us aside and go for new providers.”

Deloitte also emphasizes the importance of incorporating cybersecurity measures into fleet asset management and the necessity for business and technology leaders to consider the risks associated with hyperconnected fleets.

“I’m happy to see that automotive cybersecurity is now taking a front row seat to the design of vehicles,” says Mirhassani, but adds that Canada still needs to take cybersecurity more seriously.

“We can’t always rely on what is coming from Europe, Asia, or the U.S.,” she says. “We have to develop solutions that are Canadian and for Canadians.”