CAM study on "Automotive Cyber Security" in cooperation with Cisco
- The importance of cyber security is increasing with the digitization and networking of vehicles, electromobility and autonomous driving
- A growing number of cyber attacks on vehicles and companies is steadily raising the level of risk
- Comprehensive cyber security strategies are necessary today, but are not being implemented everywhere
"Automotive cyber security must be tackled with a holistic approach as the industry’s top priority," says study director Stefan Bratzel: "It’s about building and strengthening a kind of immune system for the car ecosystem."
"For automotive companies, the issue of cyber security is crucial to success," adds Christian Korff, Managing Director Global Accounts and member of the management board of Cisco Germany and commissioner of the study. "The automotive industry is a cornerstone of our German economy. We cannot afford to be vulnerable in the cyber area. Only those who provide secure vehicles and services at all levels will retain the trust of customers."
Press release
With the increasing networking and digitization of cars, production and logistics, the risk of cyber attacks on the automotive industry is increasing. In a comprehensive analysis, the various attack vectors were systematically analyzed. In the case of connected vehicles alone, there are 12 different attack areas, in which there are potentially several entry points.
The list also shows that cyber attacks in the automotive industry are not limited to large, established manufacturers, but are increasingly affecting supplier companies, automobile dealers and other players along the value chain. An analysis of 52 significant security incidents between January and June 2022 shows that around two thirds (67%) mainly affected automotive suppliers. The complex supply chain is considered a major vulnerability and offers central attack points that are exploited with a high degree of probability and often with great damage.
"The cyber threat situation for the automotive industry has increased continuously in recent years. With the spread of software-defined vehicles, electromobility, autonomous driving and the connected supply chain, cyber risks are increasing further. A professional cyber security strategy by companies is becoming increasingly important as an essential hygiene factor in the automotive industry," explains study director Prof. Dr. Stefan Bratzel from the Center of Automotive Management (CAM). "However, companies differ considerably in terms of the quality of conception and implementation. A high level of cyber security performance increases resilience to the increasing number of cyber attacks and enables rapid detection and appropriate response to corresponding incidents."
Connected cars & services lead to more attack vectors
Customer requests for connected cars and connected services create enormous competitive pressure, which sometimes pushes security aspects into the background. In addition, the implementation of automotive cyber security is very complex: it covers the entire product life cycle of the vehicle, from development to production and vehicle use. Security must be ensured in a complex value chain with distributed responsibility in the large supplier and partner network.
This is also required by new regulatory requirements for cyber security in motor vehicles such as UN R155 (15) and EU Regulation 2018/858. Since July 2022, manufacturers in the EU have been required to implement them for all new vehicle types, and from July 2024 also for all existing vehicle types.
"For automotive companies, the issue of cyber security will be crucial to success," adds Christian Korff, Managing Director Global Accounts and member of the management board of Cisco Germany and commissioner of the study. "The automotive industry is a cornerstone of our German economy. We cannot afford to be vulnerable in the cyber area. Only those who provide secure vehicles and services at all levels will retain the trust of customers."
Cyber attacks are increasing
A meta-analysis of cyber attacks on vehicles and companies in the automotive industry, carried out as part of the study, reveals sharply increasing risks. The evaluation of past attacks on the cyber security of the international automotive industry shows that the quantity and quality of attacks have increased considerably in recent years. They affect the entire automotive industry, as recent examples from 2022 and 2023 show:
- After a supplier of plastic parts and electronic components was hit by a suspected cyber attack, Toyota had to temporarily suspend operations at its Japanese factories in February 2022 and was unable to build around 13,000 cars as planned.
- US manufacturer General Motors announced that it was the victim of a cyber attack in April 2022 in which some customer data was exposed and hackers were able to redeem reward points for gift cards.
- Supplier Continental was also targeted by cyber criminals. An investigation into the incident in summer 2022 revealed that the attackers were able to steal some data from affected IT systems despite established security precautions.
- In March 2023, a cyber attack on Tesla was reported in which hackers were able to remotely dial into a vehicle and perform various functions. These included honking the horn, opening the trunk, turning on the low beam and manipulating the infotainment system.
- Software vulnerabilities in the multimodal mobility app Moovit meant that in August 2023, security researchers were able to intercept a large amount of registration data from various user accounts and exploit it for free rides.
"The increasing networking also means that the automotive industry offers many opportunities for professional cyber attackers to attack – whether in the car itself, in production or in the complex logistics chains," explains Holger Unterbrink, Technical Leader at Cisco Talos – one of the largest commercial threat research units in the world. "Attackers today act extremely professionally. They look for poorly secured access in complex IT environments at companies with a high reputation and high cash reserves. The automotive industry is a worthwhile target. I expect cyber attacks to continue to increase in the coming years."
In a "deep dive" into electromobility, the study found that the charging infrastructure for electric vehicles is one of the areas at particular risk. The charging ecosystem is extremely complex due to its various market participants and basically offers many points of attack for cyber criminals. Overall, the analysis of cyber attacks shows that awareness of the dangers and risks in the industry is still significantly underdeveloped.
Big differences in status
Achieving a high level of cyber security performance in automotive companies therefore requires great effort, and that performance must be continuously monitored. Companies at different levels and stages of value creation in the industry differ considerably in the quality of the design and implementation of their cyber security programs. That quality is still at a low level, especially at many suppliers and service providers. However, as the supply chain becomes increasingly networked and automated, the attack surface increases. Malware can spread from a supplier’s internal systems to service provider networks and even the corporate networks of automobile manufacturers.
The study proposes a model for the empirical evaluation of the cyber security performance of automotive companies. The 4C model combines relevant performance criteria of cyber security in four dimensions: competencies, cooperations, culture & organization, and cyber strategy. According to the study authors, meeting the associated criteria is an important prerequisite for high performance quality of cyber security and thus the long-term success of companies.
The study can be downloaded free of charge here.