The Expanding Attack Surface of Connected Vehicles
As technology continues to revolutionize the automotive industry, vehicles are becoming increasingly connected, offering greater convenience and safety for drivers and passengers. The integration of networked hardware and software systems has enabled features like Wi-Fi, Bluetooth, cellular, and satellite connectivity, allowing connected vehicles to seamlessly integrate with external devices and services.
However, this enhanced connectivity has also expanded the potential attack surface for malicious actors. The complex hardware and software systems that enable connected vehicle functionalities can introduce vulnerabilities that cybercriminals and nation-state adversaries may seek to exploit. Compromised connected vehicles could become gateways for data exfiltration, remote manipulation, or even physical sabotage – posing significant risks to both individual users and critical infrastructure.
Vulnerable Components in the Connected Vehicle Supply Chain
A thorough analysis of the connected vehicle supply chain reveals several key systems that are most vulnerable to exploitation by foreign adversaries:
Vehicle Connectivity Systems (VCS)
The VCS, which includes components like telematics control units, cellular modems, and wireless communication modules, serves as the primary interface between the connected vehicle and external data sources. These systems collect and transmit a vast array of information, from vehicle diagnostics to driver behavior, making them a prime target for data exfiltration. Adversaries could potentially leverage vulnerabilities in VCS components to gain unauthorized access to this sensitive data or even remotely control vehicle functions.
Automated Driving Systems (ADS)
As vehicles become more autonomous, the complexity and importance of ADS software increases. These systems, responsible for object detection, classification, and decision-making, rely on a vast network of sensors and data sources to navigate safely. Compromised ADS software could enable adversaries to manipulate sensor inputs, leading to erratic or even dangerous vehicle behavior that could endanger both drivers and critical infrastructure.
The Malicious Potential of Foreign Adversary Involvement
The risks posed by compromised connected vehicle systems are amplified when the underlying hardware and software are designed, developed, manufactured, or supplied by entities under the influence of foreign adversaries, such as China and Russia.
China’s Expanding Automotive Footprint and Military-Civil Fusion
China’s automotive industry has experienced rapid growth in recent years, fueled by state subsidies, joint venture requirements, and other preferential policies. This expansion has allowed Chinese automakers to gain a significant global footprint, increasing the likelihood of Chinese-made components and software entering the U.S. connected vehicle supply chain.
Moreover, China’s military-civil fusion strategy blurs the lines between its civilian and military sectors, enabling the government to leverage private-sector innovations for military purposes. This heightens the risk that Chinese-made connected vehicle components could be exploited for espionage or sabotage, potentially allowing the Chinese government to exfiltrate sensitive data or remotely manipulate vehicles.
Russia’s Automotive Ambitions and History of Cyber Aggression
While Russia has traditionally had a smaller presence in the global automotive market, the country has recently sought to revitalize its domestic auto industry in the face of sanctions and the exodus of foreign automakers. This resurgence, coupled with Russia’s long-standing history of cyber attacks against critical infrastructure, raises concerns about the potential for Russian-made connected vehicle components to be used for malicious purposes.
Russia’s expansive legal framework, which enables the government to compel domestic companies to cooperate with security and intelligence services, increases the risk that Russian-made VCS hardware or ADS software could be exploited to exfiltrate data or remotely control connected vehicles.
Regulatory Efforts to Secure the Connected Vehicle Supply Chain
In response to the growing threat, the U.S. government has taken steps to address the undue and unacceptable risks posed by foreign adversary involvement in the connected vehicle supply chain. In 2019, President Trump issued Executive Order 13873, which empowered the Department of Commerce to regulate transactions involving information and communications technology and services (ICTS) that pose national security risks.
Building on this executive order, the Bureau of Industry and Security (BIS) within the Department of Commerce has proposed a rule that would, in the absence of a general or specific authorization:
-
Prohibit VCS Hardware Importers from knowingly importing into the United States certain hardware for VCS if it is designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of China or Russia.
-
Prohibit Connected Vehicle Manufacturers from knowingly importing into the United States completed connected vehicles incorporating covered software (including software for VCS and ADS) that is designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of China or Russia.
-
Prohibit Connected Vehicle Manufacturers from knowingly selling within the United States completed connected vehicles that incorporate covered software designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of China or Russia.
-
Prohibit Connected Vehicle Manufacturers Owned by, Controlled by, or Subject to China or Russia from knowingly selling in the United States completed connected vehicles that incorporate VCS hardware or covered software.
These proposed regulations aim to strike a balance between mitigating national security risks and minimizing supply chain disruptions. To facilitate compliance, the rule includes several mechanisms, such as Declarations of Conformity, general authorizations, and specific authorizations, which would allow market participants to engage in otherwise prohibited transactions in certain circumstances.
Adapting to the Evolving Threat Landscape
As the connected vehicle ecosystem continues to expand and evolve, the cybersecurity challenges facing the automotive industry will only become more complex. Automakers, suppliers, and policymakers must remain vigilant in identifying and addressing emerging vulnerabilities, while also adapting to the shifting tactics of foreign adversaries.
Key strategies for securing the connected vehicle supply chain include:
- Enhancing supply chain transparency: Automakers and suppliers must work to better understand the depth and complexity of their supply chains, identifying potential entry points for malicious actors.
- Implementing robust security standards: The industry should continue to develop and adopt comprehensive security standards and best practices to harden connected vehicle systems against cyber threats.
- Fostering public-private collaboration: Strengthening partnerships between the automotive industry, government agencies, and cybersecurity experts will be crucial for staying ahead of the evolving threat landscape.
- Advocating for targeted regulation: Supportive policies, such as the proposed BIS rule, can provide a crucial framework for securing the connected vehicle supply chain against foreign adversary influence.
By proactively addressing the malware threat to connected vehicles, the automotive industry can help ensure the safety, security, and resilience of this critical transportation technology. As the industry continues to innovate, maintaining a vigilant and collaborative approach to cybersecurity will be paramount.
Conclusion
The integration of networked hardware and software systems in connected vehicles has brought significant benefits to consumers and the automotive industry as a whole. However, this increased connectivity has also created new vulnerabilities that malicious actors, particularly those associated with foreign adversaries, may seek to exploit.
The risks posed by compromised connected vehicle systems, ranging from data exfiltration to remote manipulation, underscore the urgent need for robust cybersecurity measures and targeted regulatory efforts. By working together to enhance supply chain transparency, implement rigorous security standards, and advocate for effective policies, the automotive industry can help safeguard connected vehicles and the critical infrastructure they support.
As the technology continues to evolve, remaining vigilant and adaptable in the face of emerging threats will be crucial for ensuring the long-term security and resilience of the connected vehicle ecosystem.
