Automotive supply chain vulnerable to attack as cybersecurity regulation looms

Almost two-thirds (64%) of automotive industry leaders believe their supply chain is vulnerable to cyberattacks, with many businesses inadequately prepared for a connected automotive era. That's according to new Kaspersky research based on 200 interviews with C-level decision makers in large enterprises of at least 1,000 employees in the automotive sector. It revealed a vast range of attacks encountered by automotive companies - from vendor to supplier - at almost every stage of production. Meanwhile, many respondents reported being behind the curve on upcoming regulation, which will stipulate that every vehicle is secured throughout its lifecycle.

Infotainment systems, connectivity biggest cybersecurity concerns

The integration of infotainment systems and connectivity technology provided by software providers is the biggest supply chain risk faced by the automotive sector, with 34% of respondents listing this as their top cybersecurity concern, according to the Automotive Threat Intelligence report. Infotainment systems with increasing levels of connectivity are a main selling point among a lot of drivers, but they also introduce a range of new vulnerabilities.

Such is the concern about connectivity that connected vehicles, over-the-air software updates, and vehicle-to-vehicle communication are perceived to be the biggest automotive cybersecurity challenges over the next two years, the report found. The greatest attack concerns cited by respondents were phishing, Wi-Fi/Bluetooth, and ransomware attacks. Over the past 12 months, Conti, LockBit, and Hive were the ransomware most found in automotive cyberattacks, according to Kaspersky.

Despite recognizing the risks their organizations face, automotive C-suites appear to be struggling to connect real implications of threat intelligence to specific business operations, with almost a third (29.5%) of respondents stating they currently do not see value from their cyber intelligence investments. What's more, C-suite challenges are compounded by ongoing issues associated with interpreting and understanding cybersecurity jargon. More than a third (35%) of respondents said confusing industry terms present the biggest barrier to the broader management team's ability to develop a holistic understanding of cyber risk and what they should do about it, the research found.

New automotive cybersecurity regulation on the horizon

From July 2024, UN155/156 (as set out by UNECE WP.29) will require all original equipment manufacturers (OEMs) and their supply chains to include multi-layered cybersecurity solutions to protect against current and future cyberattacks. It is the first-ever regulation requiring vehicle type approval with regards to cybersecurity, and vehicles under development need to comply with these new regulations, from development and production through to customer-use. Failure to do so could lead to vehicle production being shut down.

However, the findings indicate that the automotive sector is still largely behind, with 42% of respondents stating they do not currently have a plan in place ahead of the deadline. A further 63.5% stated they were not very involved in planning for compliance, despite 64% agreeing that dealing with cyberthreats is a strategic board issue. More than two-thirds said there needs to be more understanding across the sector of the implications of the standards and what they mean for businesses.

Collateral damage of automotive cyberattacks could be severe

The automotive supply chain is susceptible to cyberattacks due to its inherent safety and reliability requirements, as well the range of data acquired from a layered network of OEMs with each one bringing different components, Clara Wood, automotive research leader at Kaspersky, tells CSO. "The sheer number of components talking to each other can provide an entry point if not properly protected. Any disruption or compromise of the supply chain can have severe consequences, but in the case of vehicles, the potential collateral damage could be very severe, including loss of life."

As the sector rapidly evolves with the introduction of cutting-edge features and services such as autonomous driving, connected vehicles, electric vehicles, and shared mobility, it is likely to become a playground for malicious actors, Wood says. "Their motivations are likely to vary, encompassing financial gain through tactics like ransomware and IP theft, disruptive attacks, or even cyberattacks driven purely by malevolent intent."

Securing automotive supply chain demands a layered, comprehensive approach

Securing the automotive supply chain in the modern digital landscape demands a layered, comprehensive approach, Wood says. "In the past, companies typically focused on protecting their immediate systems and networks. However, with the proliferation of connected devices and digital communication, this approach is no longer sufficient."

Cybersecurity should be seamlessly integrated into all aspects of operations, in a collaborative manner where all suppliers, partners, and stakeholders share the same definition of cyber risk and are on the same page to ensure they all adhere to the highest cybersecurity standards, she adds. "An attack can start at any point in the chain from any supplier, however small, therefore proactively scrutinizing the partner network is absolutely crucial."

Training and awareness programs are vital to ensure that everyone in the organization, as well as external partners, understands cybersecurity best practices. In addition, tailored threat intelligence reports can provide valuable insights into emerging threats from the dark web and trends specific to the automotive industry, enabling SOCs to protect their networks more effectively. "At the basic level, there is no replacement for patch management, network segmentation, and regular security assessments to set the foundation of a solid cybersecurity strategy," Wood says. "This can be then fortified with continuous monitoring of the supply chain and having a well-defined incident response plan to react swiftly and effectively in the event of a security breach."