Modern vehicles increasingly connect to the rest of the world via short range wireless technologies such as Wi-Fi and Bluetooth, wired interfaces such as OBD-II and USB, long range wireless communications such as 4G and the coming 5G for internet, and services such as OnStar, LoJack, and Automatic, to name only some. That world includes your enterprise and the criminal hackers and cyber carjackers who want to undo your data, your corporate fleets, and your people.

The costs of their attacks include exposure of personally identifiable information and private data, and exposure or destruction of valuable intellectual property, according to Eric Friedberg, co-president at Stroz Friedberg. Loss of life in the midst of vehicle destruction/collision weighs heavily as a potential personal, professional, and corporate cost, as well.

CSO explores the vulnerabilities and risks of automotive cyber-attacks and methods for securing your data, human resources, and the connected vehicle environment.

Automotive cyber threats to carmakers and other enterprises

The threat to automakers is expansive. Phishing attacks or attacks against insecure Wi-Fi and remote access connections, websites, partner and vendor networks, and the physical perimeter can give a cyber-criminal a foothold into the entire corporate network via the connected car ecosystem, says Friedberg.

Attackers then escalate their newly-hacked privileges to access customer PII, gateways into manufacturing networks, connectivity to safety systems and industrial controls, sensitive emails, the software development environment, and other sensitive information about the car or customer, says Friedberg.

“Once they obtain broad privileges, hackers can discreetly perform unauthorized actions including stealing, deleting, or corrupting data, as they have in high-profile retail, healthcare, manufacturing, and pharma cases over the past several years,” says Friedberg.
That’s the prognosis inside the automotive industry.

Clearly, access to the vehicle could also lead to access to the data owned and used by the company whose people are driving these cars as well as access to employee and passenger personal data. According to Dan Klinedinst, senior vulnerability analyst, CERT Division, Software Engineering Institute, Carnegie Mellon University, there are two scenarios where the enterprise’s data is at risk:

As for employees, the primary threat is injury or loss-of-life if attackers access the control components of the car (powertrain, brakes, accelerator), says Klinedinst. Even without that access, an attacker can compromise an employee’s privacy by monitoring where and how they drive, connecting to their personal devices, or even attacking the in-car microphones used for hands-free calling, he says.

Finally, cars are at risk because the computers that provide driving information (gas mileage, average speed, geolocation) have access to the vehicles’ internal networks, says Klinedinst. “Criminal hackers can leverage these to unlock and start the car (for theft), stall the car, prevent it starting, crash it, or simply cause maintenance issues.”

How to protect your data used in/with vehicles against automotive cyber threats

Many of the same security measures that can protect corporate data can also safeguard the lives and welfare of the employees who are using and passing data in these vehicles. With that kind of motivation, you should already have won half the battle for employee education and cooperation in thwarting automotive cyber threats.

According to Klinedinst, the enterprise should consider whether employees’ devices, corporate-owned or BYOD, are secure against hostile Wi-Fi/Bluetooth/USB devices.
“As a policy, employees should not sync their mobile devices to unfamiliar cars (rentals, for example),” says Klinedinst; “Information technology security policies such as patching, asset management, monitoring and vulnerability management need to apply to fleet vehicles.”

According to David Barzilai, automotive cyber security expert, chairman and co-founder at Karamba Security, you should teach employees to protect your data and themselves by following these policies:

Managers of corporate fleets should follow best practices such as these from Barzilai:

How to protect vehicles against cyber threats

Because the automotive ecosystem is highly connected from one end to the other, a vulnerability in any component across vehicle systems is an entry point for hackers looking to pivot from one system to the next, says Friedberg.
“Auto executives must insist on a systematic approach to the security of the entire ecosystem—not looking at the vehicle in isolation, but working across the corporate, manufacturing, vehicle management, supply chain, and aftermarket networks that stand behind every connected car.”

Organizations should take specific technical steps to ensure automotive security including hacking themselves in tabletop exercises and adding applications and methodologies such as encryption, strong authentication, digital signing, and intrusion detection to the next versions of the CAN bus and components to protect corporate networks, says Friedberg.

Enterprises using connected fleets need to ask vendors how they secure their vehicles and what they offer in security for third-party fleet management and insurance devices that plug into OBD-II, says Klinedinst. “Mature vendors will have a vulnerability response capability, the ability to issue security patches quickly and safely, the results of third-party security assessments, and ready answers for how their products meet industry standard security controls,” says Klinedinst.

“Ensure that you do any remote fleet management over encrypted channels using authentication, limiting access to the people/computers that need it, and following other best practices for secure access to important assets,” says Klinedinst.

How to protect your people against automotive cyber threats

Manufacturers should provide the minimum amount of access necessary between internet-connected computers and the safety-critical components, says Klinedinst. Fleet managers and information technology security should work together to keep fleet management services secure.

Enterprises should also consider how much information they can gather about employees from their vehicles.
If they choose to collect that information, they should properly secure it against both criminal hackers and malicious insiders, says Klinedinst.

If automakers, your enterprise, information technology security, fleet managers, and employees work together, you can minimize unauthorized access and malicious activity in and around the connected car.