In recent years, connected cars, electric vehicles and automation have been three major driving forces of innovation in the automotive industry. Built on the digitization of in-car systems, these leaps forward have introduced software and connectivity into vehicle IT systems and, with them, have opened the door to cyber threats.
The number of annual automotive cybersecurity incidents has increased by an astounding 605% since 2016, according to Upstream Security’s 2020 Automotive Cybersecurity Report. More than half of these cyberattacks were carried out remotely by hackers with the aim of disrupting businesses, stealing property, and demanding ransom. Popular attack vectors included keyless entry systems, backend servers, and mobile apps.
Recognizing the need for cybersecurity standards for connected, digitized and autonomous vehicles, the World Forum for Harmonization of Vehicle Regulations (WP.29), a working party of the United Nations Economic Commission for Europe (UNECE), issued new regulations to address these growing risks. UN Regulation No. 155 on Cyber Security and Cyber Security Management Systems is the first international regulation governing modern vehicles’ cybersecurity. Under it, among other provisions, automakers have an obligation to perform vehicle cybersecurity risk assessments and monitor and report security incidents.
UN Regulation No. 156 on Software Updates and Software Updates Management Systems introduced a series of standards for software updates, including those over-the-air, to mitigate cybersecurity risks. Adopted in June 2020, these two landmark UN vehicle regulations came into force on 22 January 2021 and are applicable in the 54 countries that are parties to the 1958 Agreement.
Internal Data Security
However, connected vehicles are not the only exposure the auto industry faces. Automakers are also big companies with complex IT infrastructures and global supply chains. They collect massive amounts of sensitive information from customers, partners and employees and often process payment information on a large scale. Innovation also means the existence of patents and intellectual property (IP) whose safeguarding is paramount to an automaker’s success.
Personally identifiable information (PII) is protected under data protection laws such as the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) while the Payment Card Industry Data Security Standard (PCI DSS) enforces the protection of payment systems from breaches, fraud, and theft of cardholder data.
In countries like Germany, carmakers took matters into their own hands: automotive group Verband der Automobilindustrie (VDA) developed an Information Security Assessment (ISA) based mainly on existing international standards ISO/IEC 27001 and 27002. The VDA then set up the Trusted Information Security Assessment Exchange (TISAX) to act as an assessment and exchange mechanism through which organizations can submit ISA compliance audits.
These laws and standards impose several cybersecurity best practices on vehicle manufacturers and on the companies that want to work with them. Noncompliance can mean massive financial penalties in the case of laws such as GDPR and CCPA, the inability to accept credit or debit card payments in the case of PCI DSS, or a loss of business contracts in the case of a failure to present a valid TISAX assessment.
Protecting Sensitive Data
Automakers can turn to cybersecurity solutions to meet these requirements and protect both personal data and sensitive corporate information. To prevent ransomware and malware attacks, vehicle manufacturers can implement not only basic security measures such as firewalls and antimalware solutions, but also more advanced strategies such as the use of Trusted Platform Module (TPM) capabilities and the adoption of a Zero Trust architecture.
However, malicious outsiders are not the only concern. The automotive industry must also be mindful of insiders. Especially when it comes to IP and sensitive business information, car companies are vulnerable to insider data theft and corporate espionage. Removable devices, in particular, have long been a problem vehicle makers have struggled to address. Through small devices such as USB drives, data can easily be exfiltrated even from computers in secured environments and from offline machines.
A simple way to address this issue is to use Data Loss Prevention (DLP) solutions with device control modules. Through them, automakers can monitor, control and block the use of peripheral and USB ports and Bluetooth connections. By applying user-based authorization of removable devices, they can identify which employee has used a removable device at what time.
DLP also helps prevent sensitive data from leaving the company network. Through predefined profiles for regulations such as the GDPR or CCPA, for standards such as the PCI DSS, and for different categories of IP such as patents, blueprints or proprietary algorithms, automotive companies can apply policies at the data level, ensuring that files containing sensitive data cannot be transferred and that any attempt to move them is logged and reported. Through both device control and DLP policies for data transfers, companies in the automotive industry can thus identify potential malicious insiders attempting to steal data and stop them in real time.
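The two controls described above, user-based device authorization and data-level transfer policies, can be illustrated with a small policy engine. This is an added example, not Endpoint Protector's code or configuration; the user names, device serials, CAD file extensions and audit events are constructed placeholders, and the PCI detection is a Luhn-checked card-number pattern, which is one way a payment-card profile can be implemented.

```python
import re

# Constructed sample data: which users may use which removable-device serials.
AUTHORIZED_DEVICES = {"alice": {"SN-ENG-0042"}, "bob": set()}
# Assumed file extensions that mark blueprints / CAD drawings as IP.
IP_EXTENSIONS = {".dwg", ".step", ".cad"}
# 13-16 digit runs, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")

def luhn_ok(number: str) -> bool:
    """Luhn checksum, so arbitrary digit runs are not reported as card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def classify(filename: str, content: str) -> set:
    """Return the sensitive-data categories found in a file ('PCI', 'IP')."""
    categories = set()
    if any(luhn_ok(m.group(0)) for m in CARD_RE.finditer(content)):
        categories.add("PCI")
    if any(filename.lower().endswith(ext) for ext in IP_EXTENSIONS):
        categories.add("IP")
    return categories

def evaluate(user: str, serial: str, filename: str, content: str) -> dict:
    """Device control first, then content policy; a transfer is blocked on either."""
    reasons = []
    if serial not in AUTHORIZED_DEVICES.get(user, set()):
        reasons.append("unauthorized device")
    reasons.extend(sorted(classify(filename, content)))
    return {"action": "block" if reasons else "allow", "reasons": reasons}

def audit(events) -> list:
    """One report line per transfer attempt: who, which device, when, and why blocked."""
    lines = []
    for ts, user, serial, filename, content in events:
        d = evaluate(user, serial, filename, content)
        lines.append(f"{ts} user={user} device={serial} file={filename} "
                     f"{d['action'].upper()} {','.join(d['reasons']) or '-'}")
    return lines

# Constructed transfer attempts: (timestamp, user, device serial, file name, content).
EVENTS = [
    ("2021-03-01T09:12:00", "alice", "SN-ENG-0042", "notes.txt", "meeting at 10"),
    ("2021-03-01T09:15:00", "alice", "SN-ENG-0042", "cards.csv", "4111111111111111,J. Doe"),
    ("2021-03-01T11:40:00", "bob", "SN-UNKNOWN-7", "gearbox_v3.dwg", "<binary drawing>"),
]

if __name__ == "__main__":
    print("\n".join(audit(EVENTS)))
```

Running it prints the second and third attempts as BLOCK, the first as ALLOW, with the user, device and timestamp that the report needs for follow-up.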
Securing All Operating Systems
The automotive industry often runs multi-operating-system networks. Linux is the preferred OS for secured environments, and while it is true that it is more resistant to external threats than Windows, it is just as vulnerable to insider threats, whether they come in the form of malicious or careless employees. The same is true of macOS, which has recently started gaining more traction in the enterprise.
Automotive companies should therefore search for suitable solutions that offer the same data protection features for Linux and macOS as they do for Windows. While rare, cross-platform solutions like Endpoint Protector, which can be applied to all three, do exist. Such tools make company-wide implementation easier and allow admins to control data protection policies for all endpoints from a single interface.
Vehicle manufacturers and all the companies that make up their supply chain process not only personal and financial information but also sensitive data concerning their prototypes, patents and schematics. Losing them can have a severe impact on a company’s competitive advantage, which is why businesses must do all in their power to protect them from both insider and outsider threats.