As Darktrace’s CTO for the Americas, Eloy Avila works closely with its R&D team, helping to develop its world-leading cyber AI and assessing what an attack against an autonomous vehicle might look like. Avila also sits on The Experiences Per Mile (EPM) Advisory Council, an industry body of automobile manufacturers, suppliers, and thought leaders engaged in defining the future of the automotive and mobility sector. He discusses a threat landscape that has been described as cybersecurity’s “Wild West”.
Where are the major trends driving cybersecurity conversations in the automotive space?
As members of the EPM Advisory Council, one of the big shifts we’ve been discussing is what we call CASE, the shift towards “connected autonomous shared electrification”.
Vehicles are increasingly data driven. We’ve got some 280 to 290 million connected vehicles on the road right now, producing vast amounts of data. By the end of this decade, 96% of new vehicles will be connected in some form.
This shift requires the sharing of a large amount of personal data across platforms and vehicles, an increasing proportion of which will be shared, against a backdrop of ever-increasing supply chain complexity. This all amounts to a widening attack surface, growing vulnerabilities, as well as regulatory challenges.
How much of an attack target are autonomous vehicles today?
What we have seen up to this point has come mainly from proof of concepts and hacktivists, but that won’t be the case for long. Data shared by autonomous and connected vehicles is approaching 30,000 petabytes per day. For context, a petabyte is around 1,000,000 gigabytes of data storage. With the attack surface on autonomous or connected vehicles increasing in size at such an exponential rate – it may soon become too lucrative to resist.
What could an attack on an autonomous vehicle look like?
A headline danger is cyber-physical attacks. As more of these vehicles are powered by software, it will be technology – not humans – that control everything from speed to braking. The risk here is that these components are attacked or disrupted in such a way that it affects the physical functioning of the vehicle and potentially puts someone in harm’s way.
Then you also have the potential of an attack actually manipulating the technology used to power the car, which interprets the surrounding environment and uses that information to navigate and drive. Researchers have demonstrated that these technologies can be manipulated into ‘seeing’ surrounding objects that aren’t there in reality, or into believing they’re in a 90mph zone while actually driving through a residential area, for example. This again could put the user of the vehicle and others in danger, as well as undermine public trust in autonomous vehicles altogether.
Does increased connectivity also mean an increased likelihood of more typical IT attacks pivoting through connected automobiles?
Yes, we’ve seen cases of parked cars accessing businesses’ WiFi within neighbouring buildings, which attackers can use as a way to try and access corporate networks. At that point, your vehicle becomes an exfiltration source for data or access to other networks.
With the increase in vehicles’ computing power, I wouldn’t be surprised to see vehicles eventually being hacked and used for crypto mining, for example – something already happening across the OT and IT space. There are few groups more creative than hackers.
Is it fair to say the automotive industry hasn’t traditionally had to grapple with such threats?
It has not, but the fact that this is all quite new also means they’re ripe for adopting new technologies incredibly quickly, taking advantage of the best practices in secure software development found in edge computing and cloud, for example.
The industry on the whole is also very appreciative and knowledgeable when it comes to the power and capability of AI. It’s no secret cybersecurity talent is scarce, and this is magnified in the automobile industry, which requires not just security experience, but also knowledge of the data systems, networks and protocols running these vehicles.
One solution is applying AI techniques to understand patterns of behaviour – and then, to alert and respond when indicators of malicious activity arise. The IT space took a long time to appreciate the value of AI in this regard, but automotive manufacturers have the opportunity to leapfrog a lot of hard lessons.
Do security providers also have to learn new tricks
Those that are focused on more traditional approaches will need to need to adapt, learning new protocols and paradigms as vehicles evolve.
The advantage of AI is that it learns by itself – Darktrace’s cyber AI is self-learning, meaning it autonomously adapts to new environments and systems ‘on the job’. For us, it doesn’t matter if it’s a SCADA system controlling an oil pipeline or an ECU in a vehicle; these are all connected network devices that our AI can look at, and tell us whether everything is behaving as it should – crucially, it can also intervene and stop the attack. The same applies to autonomous and connected vehicles.
Are you already working with the automotive sector extensively?
Several of the EPM members, such as McLaren Group, are Darktrace customers and we’re certainly pushing existing partners and the industry as a whole to recognise where these trends are taking us.
And security must be ensured across the supply chain?
Yes, there can always be another attack vector to infiltrate to access data or systems. By various estimates, there are some 100 or so independently developed components from multiple vendors in a vehicle today, including software. There will inevitably be some bug or vulnerability within that supply chain that allows hackers in. It’s not a question of if, but when – and how quickly you respond to it, both from a remediation and a response standpoint.
And properly harnessing AI gives you that power?
We’re talking about a moving target with people onboard. You need to investigate and take action autonomously and immediately. AI delivers that.