Electro-mobility (e-mobility) is a technological innovation that is environmentally friendly and full of promise, yet it presents abundant opportunities for compromise by hackers.
By incorporating internet connections, external communication ports, and digitizing processes that used to be wholly mechanical, automotive manufacturers have unwittingly provided cybercriminals new targets to exploit.
E-mobility encompasses the principles and concepts surrounding the use of electric-powered vehicles in a wide range of product categories such as drivetrains, drones, and unmanned aerial vehicles, oil tankers, hoverboards, corporate fleets, and a host of others.
Protecting these Electric Vehicles (EVs) demands confronting an ever-increasing range of cybersecurity issues that a fast-paced innovation is exposing e-mobility providers, users, and manufacturers.
The Dangers Involved with E-mobility
While e-mobility provides a lot of benefits, the safety stakes remain much higher if a moving vehicle is hacked. The threat of malign actors successfully exploiting its wide surface of attack and diverse points of vulnerability poses more dire consequences than hacking a company’s information systems and stealing data.
According to Vic Harkness, a security consultant at F-Secure Consulting, “A nation-state or serious organized crime group could induce a range of vehicles to crash at high speeds. Attackers wishing to harm critical national infrastructure without direct loss of life could force all traffic to attempt to go through certain areas, creating largely localized traffic jams.”
Hence, with the possible catastrophic impact on human lives, the risk of e-mobility compromise can cause, the security concerns surrounding the e-mobile ecosystem have to be addressed and fortified so the domain can be resilient and secure.
Hiding your IP address and safeguarding your online activities by encrypting your data should be a must for every e-vehicle. Just think about it for a moment - in a world where a hacked e-vehicle can potentially cost someone’s life, the use of reliable VPN services will become an integral and crucial part of our society as a whole. VPNs won’t be just great tools to protect your privacy and increase your security on the Internet, but they will also be seen as one’s e-ID.
The General Approach to Prevent E-mobility Breaches
To secure the future of e-mobility, the solutions proffered and implemented need to incorporate a comprehensive approach to cybersecurity.
The challenge, however, is that e-mobility is still a nascent industry, and although mobility operators can look into other industries to understand how they have coped, there isn’t much experience in dealing with EVs, and cybersecurity expertise mainly lies in stopping threats on PCs and phones.
Any comprehensive approach should incorporate the following:
- Building in safeguards: A lot of onboard software in these vehicles will require navigational and security updates, which will need dedicated communication links back to the manufacturer to transmit patches and updates, especially with autonomous vehicles.
- Securing the most sensitive assets: Balancing the need for business growth, cost optimization, and productivity on the one hand, with the need to reduce risk.
- Establish security standards and best practices: Create sophisticated threat models to deal the type of non-conventional attacks that are bound to arise with e-vehicles.
- Implementing digital signatures in e-mobility infrastructure: These communication controls provide much-needed confidentiality, integrity, and accountability for messages.
E-vehicle Mitigation Techniques for Remote Threats
Vehicles are becoming more sophisticated and connected. The number of vehicles offering internet connectivity is rising. Contracting solutions that allow personnel and passengers to enjoy onboard Internet access while guaranteeing safe browsing and installing tools able to track vehicles and monitor the received signal strength along vehicle routes will help companies optimize their operations and deliver improved user experiences.
Numerous companies are already providing Software-as-a-Service (SaaS) capabilities in order to deliver a complete Wi-Fi solution for your fleet, which means that you can deliver your applications to customers through the cloud as a service. In other words, you can offer a portal in your vehicles, filter browsing content, and block malware threats. You can also remotely monitor all your devices, tracking their location, and obtaining information on the received signal quality.
However, this integrated connectivity poses the largest attack potential for EV networks. Cybersecurity researchers Charlie Miller and Chris Valasek provided an insight into the dangerous mischief that EV networks can pose. Initially, hardwiring computers directly to a car in 2015, they were able to shut down a Jeep’s acceleration while it was on the highway, eventually disabling its brakes in a parking lot. More troublingly, they were later able to develop the capability to send messages remotely.
Unfortunately, things haven’t improved in the remote threat to the EV domain. Research shows that by connecting cellular phones to vehicles, attackers can potentially take control and crash systems.
These are some things that can be done to mitigate remote threats by drivers and fleet managers:
- Freight on Board (fob) keys should be stored in an enclosed metal box to prevent cloning or message relaying
- Ensure any fob key failure is reported to the fleet manager.
These are the things manufacturers can do to lessen the risk of remote access compromise:
- Incorporating digital signatures, requiring authentication and authorization from users - including strong passwords for mobile applications that establish communications with vehicles.
- Ensure Over-The-Air (OTA) vehicle data house remotely, firmware updates, safety-critical inter-Engine Control Unit (ECU) communications are all encrypted.
- Making infotainment systems operate on a different communications network other than those used for safety and operations.
E-vehicle Mitigation Techniques for Physical Threats
Some of the directives may seem mundane, but the older fashioned physical access is a viable threat to internal vehicle communication system buses, so do the following:
- Park EVs in secure locations, securing their keys and locking doors to prevent unauthorized access.
- Ensure only reputable mechanics and trusted partners have physical access to EVs.
- Keep an eye for signs of intrusive physical access on the vehicles, signs the dashboard has been removed, and report any concerns regarding unknown devices connected to ports that can be used to transmit malware.
EV manufacturers can assist fleet operators and managers in reducing physical risk by:
- Installing tampering alarms and network traffic monitoring.
- Installing firewalls, implementing whitelisting, and blacklisting of the Engine Control Unit (ECU) messages to prevent unsafe commands from being transmitted.
- Safeguard the EV’s networked functionality with fail-safe mechanisms that are mechanical.
E-vehicle Mitigation Techniques for Threats Against Telematics
With over 50% of business computing devices being of the mobile variety, mobile devices are now posing new challenges to enterprise network security. Even when a manufacturer has done its best to secure a mobile device, the telematics service involved could be a source of compromise. And e-vehicles are no exception to this rule.
A security researcher, Vangelis Stykas, detailed that although he couldn’t find any vulnerability in a new smart car alarm system, he was able to discover a bug in the telematics server its app was connected to. This ultimately enabled him not only to gain access, but also to modify and control “millions of connected vehicles, user privacy, safety, and vehicles,” with direct access to sensitive data such as user information and vehicle locations.
Monitoring the entire chain of communication between an EV, its apps, and the telematics server is the only reliable way to enforce rigorous protection over telematics data.
E-vehicle Mitigation Techniques for Connected and Automated Vehicle (CAVs) Threats
Electric vehicles (EVs) use smart grid communications through utility and energy service networks, thereby posing risk to the collective smart grid. Propagation of viruses can occur among electric vehicles (EVs) and Electric Vehicle Supply Equipment (EVSE) networks.
Since an infected EV can communicate with its connected charging station, there is the risk that malware can spread from this point to a network of other vehicles and the electric grid at large. To forestall this scenario, stakeholders should ensure network segmentation should be employed between EVs, their charging points, and other EVSEs.
E-vehicle Mitigation Techniques for Corporate Fleets
The advantage of corporate fleets is that the organization has full control over the vehicles driven by their employees, and this control often extends to choosing the vehicle safety features. However, they lack this level of control when it comes to connected and automated vehicles (CAVs), EVs, and electric vehicle supply equipment (EVSE).
In the e-mobility ecosystem, these fleets are vulnerable to conditions beyond their control like charging stations using out-of-date Open Charge Point Protocols based on HTTP, which doesn’t encrypt communications data, unlike HTTPS.
E-mobility is different from data moving through the cloud or the web. Instead of sitting at API endpoints, EV data is normalized and aggregated across relevant streams to provide fleets, OEMs, and other relevant stakeholders a holistic view of how data flows in the e-mobility environment. This unified picture provides clarity and visibility to spot threats in the network and pinpoint anomalies before they spiral.
Therefore, fleets and e-mobility stakeholders need to jettison their current practice of relying on silos, with their in-vehicle security, or network security, since this is inadequate to meet the challenges of an increasingly complex environment. The only solution to keep these stakeholders ahead of the game is a single pane of glass approach that provides them a panoramic view of what is happening with their e-vehicles.
It is predicted that by 2030, 125 million electric vehicles will be on the road. Other statistics are equally impressive; with market research showing EV sales reaching 2.3 million vehicles, with 2.4 percent market penetration in 2019.
Yet, with so much promise comes a lot of peril. Ominously, in 2018, black hat attacks exceeded research-based white hat attacks for the first time, according to reports. A great deal of effort, research, and innovation in this domain is necessary to ensure malign actors don’t get the upper hand.
About the Author:
Sam Bocetta is a freelance journalist specializing in U.S. diplomacy and national security, with emphasis on technology trends in cyberwarfare, cyberdefense, and cryptography.