With a global shift towards renewable energy, the automotive industry is also adapting and making a move towards EVs (electric vehicles). EVs typically offer lower operating costs, reduced emissions, quieter operation and smoother driving experience. EVs and autonomous vehicles in Asia is one of the fastest growing markets and most of the Southeast Asian countries have already pledged to ramp up their EV push and achieve net-zero emission targets.
For example, the EV ASEAN market has a forecasted CAGR of 32.73% from 2023 to 2028. There are also ambitious plans for next 30 years. Thailand aims to raise EV to 30% of all domestic vehicle production by 2030 and Malaysia wants 38% of vehicles sales to be EV by 2040. To further push EV sales, Singapore will stop selling petrol & diesel cars by 2040 and Indonesia will only sell electric powered cars and motorbikes by 2050. Australia is aiming for EVs to be 70% of new vehicle sales in 2030 and 100% by 2040.
Is the market ready?
While these are grandiose goals, there are still a lot of gaps to fill in the market before EVs can really take off in terms of infrastructure, regulations and also security concerns.
In 2021, Singapore released a set of provisional national standards called TR 68 with Part 3 focusing on cybersecurity principles and assessment framework for autonomous vehicles. Also in 2021 the ISO/SAE 21434 international standard on cybersecurity engineering was released. These standards provide requirements on incorporating cybersecurity activities in the organisation in order to build more secure cars.
As EVs and autonomous vehicles contain more valuable data and connect to more services these vehicles also become more lucrative targets for cyber attackers. According to an automotive cybersecurity report, the 3rd most reported cybersecurity issues in 2022 were related to EVs and charging. There have been several published examples of cyberattacks on EVs and the infrastructure.
For instance, one attack abused the plaintext communication and lack of authentication over the Controller Area Network (CAN) bus protocol between the EV and the charging station. An attacker can spoof the Vehicle Identification Number (VIN) which makes it possible to charge the vehicle for free. Another example is an attack targeting the charging station, where a vulnerable open-source software component Log4j was used. An attacker can spoof the car and send a malicious payload to exploit the vulnerability. As a result, the attacker is able to execute arbitrary commands and could possibly charge the vehicle for free.
AI powered opportunities
With the development of powerful AI technologies, there are new opportunities that the automotive industry can seize. One famous example that comes to mind is ChatGPT, an artificial intelligence chatbot that was released in November 2022 and reached 100 million users within two months.
Based on these powerful AI language models, automakers can build their own digital assistants and train the AI model with automotive specific information. Similar to how ChatGPT was trained with, e.g., Linux and Unix man pages, C and Python programming languages, one can imagine an automaker training their digital assistant with information from the car user manual as well as information on how to support common use cases including route planning, integration with smart homes and devices, charging, etc. This would allow a user to easily ask questions about a warning light blinking on the dashboard, plan an efficient route to the airport, to open the garage door or connect a user device, find and reserve a charging spot etc., without having to dig through a large user manual or use and manage multiple devices or systems.
But what about the risks?
It is extremely important to consider what type of training data is used as well as to apply policies that define what responses with what type of information are allowed.
Similar to how early usage of ChatGPT could allow users to write malware and hacking tools or to gain information that could be used with malicious intent, a digital assistant in your car could also be abused to potentially gain certain harmful information, e.g., how to clone keys or run unauthorised commands which could lead to attackers stealing cars or charging for free.
As more EVs are deployed and the necessary infrastructure built up, it is imperative for the automotive industry to consider improving the overall cybersecurity posture for the entire ecosystem. Automotive organisations need to establish a cybersecurity management system (CSMS) with improved cybersecurity awareness in the organisation as well as incorporating dedicated cybersecurity activities during product development.
In particular for software development, these activities include static application security testing, vulnerability scanning and fuzz testing. Moreover, to improve the quality of code, ensuring compliance to certain coding standards such as CERT C/C++, MISRA C/C++ or AUTOSAR C++ are also recommended.
Another aspect organisations need to consider is the risks in the software supply chain such as software vulnerabilities and open-source license violations and how to address them. For example, the procurer should give requirements to the supplier to perform certain cybersecurity activities on their product before it is provided to the procurer. Examples of requirements include following certain coding guidelines, ensuring license compliance for open-source software components and performing fuzz testing.
Using automated tools to perform these activities is recommended to improve efficiency and reduce manual effort. In other words, establishing a secure software development lifecycle with automated tools running continuously in a CI pipeline is becoming paramount for organisations developing software.
By: Dennis Kengo Oka, Principal Automotive Security Strategist, Synopsys Software Integrity Group
26 April 2023