2023 Upstream Security Ltd. All Rights Reserved

GLOBAL AUTOMOTIVE CYBERSECURITY REPORT 2023

The automotive industry is rapidly expanding into a vast smart mobility ecosystem, introducing new levels of cyber sophistication and attack vectors.

TABLE OF CONTENTS
Opening letter from our CEO
Methodology
Executive summary

Chapter 1: New attack vectors redefine Automotive cybersecurity
  OEMs must shift their focus to trust, as connected vehicles evolve
  Cybersecurity risks expand beyond traditional automotive stakeholders, threatening new revenue streams
    Vehicle subscription services
    Third-party automotive mobile apps
    EV charging networks and infrastructure
    Fleet management
    Mobility-as-a-Service
    New insurance models
  The new attack vectors of the smart mobility ecosystem
    Smart mobility APIs
    EV charging
  New attack vectors are fading the boundaries between vehicle-centric and IT cybersecurity
  The birth of the "Fusion vSOC" shifts the spotlight to cross-functional collaboration

Chapter 2: Automotive cyber threat trends
  Review of incidents
  Most attacks in 2022 were carried out by black hat actors
  Nearly all attacks are remote
  CVEs must be monitored closely
  Overview of 2022 CVEs
  The impact is felt across a vast smart mobility ecosystem
    OEMs, Tier-1 suppliers, and Tier-2 suppliers share responsibility
    The EV ecosystem is rapidly expanding
    Commercial fleets
    Smart mobility services
    Insurance
    Autonomous vehicles
    The impact of Right to Repair on agriculture vehicles

Chapter 3: 2022's diverse attack vectors
  Increasingly sophisticated attacks
  Telematics and application servers
  Remote keyless entry systems
  ECUs
  APIs
  Mobile applications
  Infotainment systems
  EV charging infrastructure
  Bluetooth
  OTA updates
  V2X

Chapter 4: Impact of cyber attacks on the Automotive Industry
  The reputational and financial impact of cyber attacks
  Data and privacy breaches
  Vehicle thefts and break-ins
  Financial impact on insurance providers

Chapter 5: Regulation reality check
  Putting UNECE WP.29 R155 and ISO/SAE 21434 into practice
  UNECE WP.29 overview
  The impact of regulation on the smart mobility ecosystem
  Building long term trust with ISO/SAE 21434
  Does R155 align with in-field threats?
  The regulatory landscape is changing
  NHTSA cybersecurity best practices
  Vehicle data and privacy laws are inevitable
  A new standard for EV charging infrastructure is emerging

Chapter 6: Automotive and mobility threats in the deep and dark web
  What is the deep and dark web?
  What occurs in the deep and dark web?
    Forums
    Marketplaces
    Messaging Applications
  Threat actors in the deep and dark web
    Security researchers
    Fraud operators
    Black hat hackers
    Car enthusiast
  Ransomware actors increasingly target automotive suppliers
  Right to Repair puts the deep and dark web in the spotlight
  Increased deep and dark web activities require immediate actions by the entire supply chain
  Regulators take a clear stand against the dark web

Chapter 7: Automotive cybersecurity solution landscape
  Cybersecurity solutions are evolving
  Securing the vehicle's full lifecycle
  Protecting against attacks in the supply chain
  Security by design
  Multi-layered cybersecurity solutions
  Developing an effective vSOC
  The next generation of vSOCs
  Automotive-specific threat intelligence keeps you one step ahead
    Benefits to OEMs
    Benefits to Tier-1 and Tier-2 suppliers
    Benefits to CISOs
    Benefits to vSOC analysts
    Benefits to the insurance ecosystem
    Benefits to smart mobility applications and services
  Upstream's cloud approach to automotive cybersecurity
    The Upstream Platform
    Upstream Managed vSOC
    Expanding detection and response to accommodate the smart mobility ecosystem
    Smart Mobility API Security
    Integrating In-Vehicle Security Data Stream
    Built-in Threat Hunting
    Upstream AutoThreat PRO Cyber Threat Intelligence

Chapter 8: Predictions for 2023

References
OPENING LETTER FROM OUR CEO

It is my pleasure to present you with the 2023 Global Automotive Cybersecurity Report. Connected and electric vehicles, coupled with rich digital experience and data-driven applications, have transformed the automotive industry into a vibrant smart mobility ecosystem with enhanced driving and features, as well as new monetization opportunities. With the transformation, though, there are new cybersecurity risks that must be addressed, as proven by the exponential increase in the magnitude, frequency and sophistication of cyber attacks over the last decade.

This report marks Upstream's fifth annual report, uncovering the expanding and emerging automotive cybersecurity risks, and how they impact the entire smart mobility ecosystem. Our predictions from last year were borne out by the first signs of attacks and manipulations on EV infrastructure. The geopolitical situation in Europe has also given rise to several significant automotive-related cyber incidents, including a ransomware attack on EV charging stations. Additionally, API-based attacks have dramatically increased, enabling adversaries to expand impact to a larger scale of vehicles, including across entire fleets.

Over the last year, our ecosystem has been busy implementing new technologies, regulations and standards required to secure smart mobility assets, and ensure drivers' trust and safety. UNECE WP.29 R155, which came into force in the beginning of 2021, introduced its first milestone in July 2022 and now applies to all new vehicle types for type approval. Although we've made significant progress, so have adversaries, and our community must remain ever-more vigilant to ensure we're able to deliver on our collective promises to our customers, regulators, partners and ultimately drivers.

Upstream has led the effort to secure connected vehicles since 2017, when we first introduced the Upstream Platform, which proved to be a fundamental, innovative pillar in the automotive cybersecurity technology stack. Over that time, we have been proud to be working with some of the leading OEMs, suppliers and mobility service providers to protect millions of vehicles that are already on the road today across the globe and comply with cybersecurity regulations. Upstream is committed to helping the entire ecosystem leverage data gathered from connected vehicles to ensure the safety and security of smart mobility. I am excited about the future of our ecosystem as we tackle the world's greatest mobility challenges and work towards a safer, frictionless and connected world.

Best regards,
Yoav Levy
Co-Founder & CEO

METHODOLOGY

A continuously updated database of security incidents is essential for the automotive industry. Upstream's cybersecurity researchers and analysts investigated 1173 incidents, as early as 2010, and monitored hundreds of deep and dark web forums to compile this comprehensive, actionable report that will help you safely navigate the year ahead.

Upstream has been monitoring and analyzing worldwide automotive cyber incidents to learn, understand, and help protect the entire smart mobility ecosystem from existing and emerging threats. Upstream's AutoThreat cyber threat intelligence platform uses advanced technology and automation tools to constantly search the surface, deep and dark web for new cyber incidents in the automotive ecosystem and index them to the AutoThreat platform. Our researchers and analysts carefully categorize and analyze the data we collect to gain a deeper understanding of cyber threats and their impact on connected vehicles on the road today. Each incident and relevant contextual data, such as the attack's geolocation, impact, attack vector, company type, and required proximity of the attacker to its target, are added to the platform to create an accurate and actionable repository. Upstream also offers a community version of AutoThreat, the AutoThreat Intelligence Cyber Incident Repository,[1] aimed at raising awareness and enhancing security postures.

Incidents examined in this report were sourced from the media, academic research, bug bounty programs, verified Twitter accounts of government law enforcement agencies worldwide, the Common Vulnerabilities & Exposures (CVEs) database, as well as other publicly-available online sources. In addition to publicly reported cyber incidents, Upstream's analysts monitor the deep and dark web for threat actors that operate behind the scenes of automotive-focused cyber attacks. These incidents are discussed in a separate chapter of this report titled Automotive and mobility threats in the deep and dark web, and are excluded from statistics and charts in other chapters.

While every effort has been made to identify and analyze every automotive cyber incident, it is possible there have been additional attacks that have not been publicly reported, and therefore, have not been included in this report. Select details of the publicly reported incidents are available in the AutoThreat Intelligence Cyber Incident Repository. Additionally, a comprehensive analysis is available to AutoThreat PRO customers.
EXECUTIVE SUMMARY

Consumers and regulators are becoming more aware of the dangers of connectivity, and OEMs and smart mobility stakeholders must take proactive steps to establish trust. An ever-growing group of stakeholders in the smart mobility ecosystem, from subscription services, third-party mobile applications, commercial and government fleets to mobility-as-a-service and EV infrastructure, must take direct action to ensure the subscription economy, sensitive data, and safety are protected.

2022 marked the first year of UNECE WP.29 R155 implementations. We witnessed the rapid rise of mobility applications, services and expanded mobility assets. Cyber attacks are increasing in frequency and sophistication as connected vehicles become more prevalent on the road, and cyber hacking tools and knowledge become more advanced. Vehicle security teams are challenged with mitigating threats that go beyond direct attacks against vehicles, targeting fleets, mobility applications and services, and even EV charging infrastructure.

In 2022, an ever-changing attack landscape has led to the emergence of a new attack vector that will be at the core of smart mobility: electric vehicle (EV) charging infrastructure, which now accounts for 4% of total incidents.

Smart mobility APIs open up new revenue streams and, consequently, also open the door to new attack vectors. In 2022, the number of automotive API attacks increased 380%, accounting for 12% of total incidents, despite OEMs employing advanced IT cybersecurity protection.

The evolution of connected vehicles requires OEMs to shift their focus to trust.
New revenue streams, including the smart mobility subscription economy, are under threat as cybersecurity risks expand beyond traditional automotive stakeholders.
EV charging has emerged as an attack vector that may dramatically change the way vehicles are protected.
Smart mobility APIs present a new and significant fleet-wide attack vector.

New attack vectors, prone to massive scale and fleet-wide attacks, may have a significant impact on a wide range of mobility assets, requiring a fresh outlook on both technology and mitigation methods. Real-time collaboration between vehicle, IT and enterprise SOC cybersecurity perspectives, the fusion vSOC, is critical to detect and effectively mitigate today's ever-growing and complex attack vectors.

As attack vectors grow and become more complex, vehicle-centric and IT cybersecurity are becoming increasingly entwined.

The UNECE WP.29 R155 and R156 regulations and the ISO/SAE 21434 standard have reached critical mass, and are changing operations around the world. Other regulatory organizations across the world are also accelerating cybersecurity regulations, including the US National Highway Traffic Safety Administration (NHTSA), and China's Ministry of Industry and Information Technology (MIIT), which issued its roadmap and guidelines for connected vehicle cybersecurity and data security in March 2022.[2] OEMs are working closely with suppliers and cybersecurity companies to support industry-wide compliance and certification efforts, and establish robust cybersecurity governance structures and testing processes.

Insurance stakeholders and underwriters are struggling to assess new cybersecurity risks and the implications of software-defined vehicles, as well as new types of losses, such as bricking of vehicles due to ransomware, and safety risks associated with software and connectivity.

Upstream AutoThreat PRO cyber analysts discovered a higher amount of information on deep and dark web sources and platforms. In 2022, automotive-related searches, along with the proliferation of knowledge on attack techniques, revealed an increase in attack methods and available access points to connected vehicles, including unauthorized access via OEM diagnostic tools, unauthorized 3rd party apps, and various new exploits connected directly to infotainment, telematics and other connectivity components in vehicles.

Regulators are continuously expanding the scope of cybersecurity protection and measures, as vehicles become more vulnerable to hacking.
Automotive cyber threats are having a significant impact on the insurance industry.
Data sharing on the deep and dark web has dramatically increased during 2022 and requires action by the entire supply chain.
Ransomware attacks impact the entire automotive supply chain.
The next generation of regulations is expected, shifting focus to protecting data and EV charging infrastructure.
Remote keyless vehicle thefts and break-ins account for nearly a fifth of all incidents in the industry.

Malicious actors are increasingly targeting suppliers of automotive parts and even EV charging infrastructure with ransomware attacks, resulting in severe data breaches, denial of service, and production shutdowns that impact the entire supply chain.

In addition to Plug-and-Charge security outlined in ISO 15118, legislators and regulatory bodies around the world are becoming more aware of cybersecurity risks to vehicles, EV infrastructure, and consumer privacy, and are starting to work on new regulations to address them. This also includes autonomous vehicle regulations.

In 2022, remote keyless vehicle thefts and break-ins continue to be ubiquitous, accounting for 18% of total incidents, and easier to carry out, often leaving the police and insurers completely in the dark.

01 NEW ATTACK VECTORS REDEFINE AUTOMOTIVE CYBERSECURITY

New sophisticated attacks are changing how vehicles are protected in a rapidly expanding smart mobility ecosystem.

OEMS MUST SHIFT THEIR FOCUS TO TRUST, AS CONNECTED VEHICLES EVOLVE

In recent years, the automotive industry has undergone rapid transformations and has expanded dramatically into an ecosystem for smart mobility. Connectivity is at the foundation of this ecosystem, enabling an advanced digital experience as well as a vast range of value-added applications and services that can be built on top of connected vehicles. Drivers are increasing the pressure for personalized user experiences and flexibility, as well as sustainability-driven capabilities. With advanced connectivity, automakers and consumers alike realized major benefits, such as the ability to enhance vehicle features and performance post-purchase.

It may seem as though the journey has been a short one, but it has been 40 years in the making. The origins of the connected vehicle can be traced as far back as the mid 80s, when Formula 1 teams first integrated the car's on-board computer to transmit bursts of data back to the pits using radio signals as they went past the pit lane. In the late 90s the first consumer cars were equipped with automated accident detection using telematics data and an emergency call function. In the early 00s vehicle diagnostics enabled car manufacturers to examine the systems' functionality and, if there were any problems, find the root cause more quickly. Almost a decade later, with the introduction of in-vehicle SIM cards and smartphones, connectivity exploded to the consumer side with services such as in-vehicle internet connectivity, enhanced infotainment, and smartphone apps that could lock and unlock doors.

ALL AUTOMOTIVE STAKEHOLDERS MUST TAKE DIRECT ACTION TO ENSURE TRUST AND SAFETY TO ALLOW THE DIGITAL TRANSFORMATION TO RAPIDLY PROCEED.

From there, it exponentially evolved with connectivity to deliver over-the-air (OTA) software updates, connectivity to third party mobility services, and internet-of-things (IoT) connectivity for uninterrupted communication to and from any desired ECU or smart device in the car. In fact, the amount of data exchanged between vehicles and their back-end systems is growing rapidly, in parallel with many other IoT use cases. Today, new technologies are beginning to leverage advanced connectivity for a multitude of Vehicle-to-Vehicle (V2V), Vehicle-to-Infrastructure (V2I), Vehicle-to-Pedestrian (V2P), Vehicle-to-Grid (V2G) and Vehicle-to-Everything (V2X) connectivity that enable the current development of advanced smart mobility applications. Additionally, advanced connectivity is enabling vehicles to evolve beyond their electromechanical hardware to become software-defined vehicles (SDVs), which can be gradually activated and continuously upgraded, delivering enhanced experiences for customers and new revenue streams for OEMs.

In this race towards advanced mobility services delivered by OEMs, fleet managers, and mobility providers, connected vehicle services instantaneously became vulnerable to increasingly sophisticated cyber attacks. Hackers are becoming more sophisticated, targeting connected vehicles, their backend servers, EV charging infrastructure, and any application connecting the different dots.

CYBERSECURITY RISKS EXPAND BEYOND TRADITIONAL AUTOMOTIVE STAKEHOLDERS, THREATENING NEW REVENUE STREAMS

In the ever-growing connected vehicle ecosystem, no one is free from the threat of cyber attacks or the responsibility of securing smart mobility assets. The development of smart mobility services required stakeholders to expand their digital footprints, increasing cybersecurity concerns beyond OEMs and Tier 1 and 2 suppliers, introducing new and sophisticated attack vectors.

Vehicle subscription services

The subscription-based economy is becoming increasingly prevalent in mass-market vehicles as mainstream automakers look to generate billions in revenue by charging car buyers on an annual or monthly subscription basis for some in-car features, services and upgrades. In 2021, General Motors reported it earned over $2 billion in in-car subscription service revenue,[3] a number the company expects to grow to $20-25 billion by 2030, putting it in the same league as Netflix and Spotify are today. Based on McKinsey's analysis,[4] OEM revenue growth will be significantly driven by subscription services. These innovative revenue streams are expected to increase OEM revenue by 30 percent over the next decade.

[Figure: OEM revenue by source, 2015 vs 2030: one-time vehicle sales, after market, and service-based recurring revenues (data-enabled services, shared mobility); 30%+ more revenue with data-driven services. Source: McKinsey]
In-vehicle purchases and microtransactions were originally pioneered by Tesla, which started selling vehicles with upgradable software-locked capabilities such as Acceleration Boost, Range Boost, Premium Connectivity, Autopilot, and Self-Driving Capabilities. Software-defined vehicles and APIs make it possible for automakers to patch problems, unlock pre-built functionalities, and add new features on the fly with over-the-air software updates, opening up new revenue streams and, consequently, also opening the door to new attack vectors.

Earlier this year, when a German OEM announced subscriptions for heated seats,[5] it sparked a huge wave of objections and calls for hacking among angry vehicle owners. In fact, within a week of the official announcement, a group of hackers stepped forward to unlock subscription-only features for free.[6]

Growth in microtransactions and subscription-based services also requires more personally identifiable information (PII) and digital user fingerprinting, introducing user IDs as yet another attack vector. Credentials shared by users or administrators, knowingly or unintentionally, can be used by hackers to gain access to networks, systems and applications.

Third-party automotive mobile apps

Third-party automotive applications deliver enhanced experiences beyond native OEM apps, but do so at a growing risk for OEMs. These apps are built to work with a user's mobile device or the cloud, enhancing the user's experience of driving, charging, or owning a vehicle. However, because of the nature of their services, these service providers require access to sensitive vehicle data such as telemetry, location, charging, service, PII, model, and even VIN, to deliver their unique features and tailored experiences. Often, third-party applications also require access to vehicle command and control, which poses a significant risk. Since many third-party apps and services are not OEM approved, users must provide their original credentials directly to the third-party service provider, which then uses the OEM API to generate a token, resulting in severe security vulnerabilities for both OEMs and users.

In early 2022, a German cybersecurity researcher exploited a vulnerability in a popular third-party companion application[7] that gave him access to all the functions of the OEM's native application and allowed him to remotely control 25 EVs around the world. A minority of OEMs bypass this vulnerability using vehicle data platforms or specially developed solutions, which avoid exposing credentials directly to third parties and provide limited vehicle access.

EV charging networks and infrastructure

The success of electric vehicles (EVs) depends on a reliable, consistent network of charging stations, removing driver "range anxiety" and adoption barriers. To ensure that EVs can be charged conveniently and affordably, EV charging stakeholders and OEMs rely on a complex and multi-layered charging infrastructure, one that will start impacting power grids as EV adoption expands. The rise in EVs has also increased the attack surface dramatically, rendering EV charging infrastructure vulnerable to both physical and remote manipulation.

In April 2022, researchers from the University of Oxford and Armasuisse S+T disclosed details of a new attack technique,[8] dubbed "Brokenwire", that could remotely disrupt the ability to charge electric vehicles at scale. These vulnerabilities can have a profound effect on both consumer adoption of EVs and fleet electrification. All EV stakeholders need to enforce a new cybersecurity paradigm that makes sure consumers can trust the charging infrastructure they use and that EVs and their charging infrastructure are protected at all times.

In June 2022, The Electric Vehicles (Smart Charge Points) Regulations 2021 came into force in the UK.[9] The regulations require charging stations to include cybersecurity measures, anti-tampering measures, event monitoring, secure software updates, and more. Based on extensive research and emerging incidents, we expect additional regulatory initiatives and standards in the coming years, focused on promoting the safety of EV chargers and ensuring their security posture.

In October 2022, the Office of the National Cyber Director (ONCD) hosted the Cybersecurity Executive Forum on Electric Vehicles and Electric Vehicle Charging Infrastructure to discuss cybersecurity issues in electric vehicles and electric vehicle supply equipment (EVSE) with government and private sector leaders. Industry participants included representatives from OEMs, component manufacturers, and EV charging infrastructure manufacturers, who were asked to share their organizations' views on current cybersecurity practices, gaps, and recommendations for improvement throughout the EV ecosystem.[10] Participants agreed to work together to identify opportunities for harmonization of cybersecurity standards across the EV and EVSE ecosystems; identify key cybersecurity attributes needed and outline a shared vision for the emerging ecosystems; and identify opportunities for further cybersecurity research and development work. This discussion is a step in the right direction, although no specific information has been released by the ONCD regarding planned legislation.

Fleet management

As fleets become more connected and electrified, fleet management is rapidly transforming toward digitization and advanced analytics, specifically in the form of telematics for fleet vehicle monitoring, predictive maintenance, and liability monitoring. By leveraging telematic data already collected from connected vehicle assets, fleets are modernizing processes, proactively managing vehicle maintenance, preventing breakdowns, reducing unplanned downtime, maximizing fleet utilization, and bolstering revenue streams. While this modernization is mostly advantageous, current connected fleet infrastructures create multiple attack vectors for hackers, with the potential to impact multiple fleet vehicles at the same time, causing immediate danger to the safety of the drivers and widespread service disruption, and leading to massive financial and brand damage to the fleet.

While fleet-wide vehicle attacks are not yet widespread, data breaches and ransomware attacks continue to be persistent business threats for fleet operators. In April 2022, a German-based vehicle rental, car sharing, and ride-hailing service provider was hit by a cyber attack that forced it to restrict access to all IT systems, causing widespread disruption to its global operations.[11] The company reacted quickly and effectively, restricting impact to short term disruption in customer services and specific branches.

Continuity of business is essential in the event of data breaches and ransomware attacks. Fleet operators must be prepared with pre-planned recovery processes and continuity plans. Regardless of what other stakeholders are doing, it is up to fleets to maintain their own cybersecurity. Fleet operations are responsible for detecting cyber attacks, and they need access to OEM vehicle data to do so.

Mobility-as-a-Service

At its core, Mobility-as-a-Service (MaaS) is a data-driven, user-centric paradigm powered by the widespread penetration of smartphones; vehicle connectivity; secure, dynamic, up-to-date information on travel options, schedules, and updates; and cashless payment systems. MaaS platforms such as ride-hailing or sharing services, taxi aggregators, multi-modal trip planners, and micro-mobility providers (e.g., bike-sharing, scooter-sharing) are creating an increasingly diverse smart mobility landscape that offers passengers more flexibility in getting where they need to be. MaaS is at a relatively early stage in its development, with much innovation and experimentation underway, and with it, the cyber attack surface is expanding, demanding new security standards in these uncharted territories.

Electric-driven and fully autonomous mobility services have the potential to solve some of the world's biggest transportation challenges, but the cyber risk is equally high. MaaS cyber attacks have the potential to wreak havoc on cities and users. One of the largest taxi services in Russia[12] was hacked on September 1st, 2022 by Anonymous, causing massive traffic jams in Moscow. The hackers exploited an API vulnerability and ordered all available taxis to a particular address. The vehicles were not used as targets in this attack, but rather as tools to attack the city's public infrastructure.

New insurance models

Telematics-based insurance has transformed the automotive insurance industry by shifting the focus to driver behavior and usage. By adopting this new approach to risk indicators, new insurance models have emerged: usage-based insurance (UBI), which uses information on the actual trips/miles and drivers to dynamically adjust insurance premiums, and behavior-based insurance (e.g., Pay-How-You-Drive), which uses real-time monitoring of the driver's habits on the road and poses an incentive for safer, smarter, and more responsible driving. OBD dongles, installed to enable access to telematics data and enable advanced insurance capabilities, have also opened the vehicle to additional attack vectors. Cyber attacks on vehicles may even impact an insurance company's IT networks, customers, and cloud and OT infrastructure.
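Two of the API risks described earlier in this section, a third-party app that collects the owner's OEM credentials and uses the OEM API to mint its own token, and a single API flaw that let attackers order every available taxi to one address, point to the same mitigation pattern the report attributes to a minority of OEMs: do not hand third parties raw credentials, issue them narrowly scoped and short-lived tokens instead, and cap how many distinct vehicles one client may command within a time window so that an abused token cannot fan out across a fleet. The Python below is an added illustration of that pattern written for this page; it is not Upstream's code and not any OEM's or MaaS provider's API, and the scope names, action names, signing key, limits and sample identifiers are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import time
from collections import defaultdict, deque

# Constructed signing key for the example; a real gateway would keep this in a KMS/HSM.
SERVER_KEY = b"example-oem-api-signing-key"

# Assumed scope names: the prefix of an action (before ':') decides which scope it needs.
ACTION_SCOPES = {
    "telemetry": "telemetry:read",   # e.g. telemetry:location
    "charging": "charging:read",     # e.g. charging:status
    "command": "vehicle:command",    # e.g. command:unlock, command:start
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: str) -> str:
    return _b64(hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest())


def issue_token(owner_id, app_id, vehicle_ids, scopes, ttl_s, now=None):
    """Mint a signed token bound to one app, an explicit vehicle list, a scope set and
    an expiry. The OEM issues it after the owner consents; the third-party app never
    receives the owner's password, so a breach of the app cannot leak it."""
    now = time.time() if now is None else now
    claims = {"sub": owner_id, "app": app_id, "vin": sorted(vehicle_ids),
              "scope": sorted(scopes), "exp": now + ttl_s}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    return f"{body}.{_sign(body)}"


def verify_token(token, now=None):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, sig = parts
    if not hmac.compare_digest(sig, _sign(body)):  # constant-time comparison
        return None
    claims = json.loads(_unb64(body))
    return None if claims["exp"] <= now else claims


class FanOutLimiter:
    """Caps how many distinct vehicles one app may send commands to within a window,
    so a compromised or abused client cannot act on a whole fleet at once."""

    def __init__(self, max_vehicles, window_s):
        self.max_vehicles = max_vehicles
        self.window_s = window_s
        self._events = defaultdict(deque)  # app_id -> deque of (timestamp, vin)

    def allow(self, app_id, vin, now):
        events = self._events[app_id]
        while events and events[0][0] <= now - self.window_s:
            events.popleft()  # discard command events that fell out of the window
        recent = {v for _, v in events}
        if vin not in recent and len(recent) >= self.max_vehicles:
            return False  # a new vehicle would exceed the per-app fan-out cap
        events.append((now, vin))
        return True


def authorize(token, vin, action, limiter, now=None):
    """Gateway decision for one API call. Returns (allowed, reason)."""
    now = time.time() if now is None else now
    claims = verify_token(token, now)
    if claims is None:
        return False, "invalid_or_expired_token"
    if vin not in claims["vin"]:
        return False, "vehicle_not_granted"
    needed = ACTION_SCOPES.get(action.split(":", 1)[0])
    if needed is None or needed not in claims["scope"]:
        return False, "scope_missing"
    if needed == "vehicle:command" and not limiter.allow(claims["app"], vin, now):
        return False, "fan_out_limit"
    return True, "ok"


if __name__ == "__main__":
    t0 = 1_700_000_000.0  # constructed fixed clock so the run is reproducible
    limiter = FanOutLimiter(max_vehicles=3, window_s=60)
    # Third-party companion app: read-only access to one vehicle, 15-minute lifetime.
    ro = issue_token("owner-1", "companion-app", ["VIN-0001"], {"telemetry:read"}, 900, now=t0)
    print(authorize(ro, "VIN-0001", "telemetry:location", limiter, now=t0))  # (True, 'ok')
    print(authorize(ro, "VIN-0001", "command:unlock", limiter, now=t0))      # (False, 'scope_missing')
    # Dispatch app with command rights: the fourth distinct vehicle within 60 s is refused.
    fleet = issue_token("fleet-ops", "dispatch-app", ["F1", "F2", "F3", "F4"],
                        {"vehicle:command"}, 900, now=t0)
    for v in ["F1", "F2", "F3", "F4"]:
        print(v, authorize(fleet, v, "command:start", limiter, now=t0))
```

The fan-out cap is keyed on the calling app rather than on the vehicle: the Moscow incident consisted of many individually plausible orders from one client, which a per-vehicle rate limit would never see. In a deployment the refusals would be forwarded to the vSOC as events, since a client repeatedly hitting the cap is itself a detection signal.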
But the biggest lingering question around connected vehicles and EVs revolves around cybersecurity underwriting. Risk considerations have traditionally revolved around liability or theft, but have evolved to include things like loss due to full or partial bricking. For insurance companies to make informed decisions, it is imperative that they understand the cybersecurity posture of each make and model of vehicle, as well as the potential frequency and severity of cyber attacks. Underwriters are unable to assess these risks on their own and have to work with automotive cybersecurity experts to determine the relevant risks.

THE NEW ATTACK VECTORS OF THE SMART MOBILITY ECOSYSTEM

Alongside incidents the industry has witnessed during the last decade, 2022 introduced new attack vectors that demonstrate the expansion of cybersecurity threats beyond discrete vehicles, impacting fleets, smart mobility applications and services, EV charging infrastructure, and many other mobility stakeholders. As attack vectors continue to expand, detection and response capabilities must also rapidly expand and deliver holistic protection across the entire connected vehicles ecosystem.

This illustration highlights the key attack vectors and their percentage of total incidents in 2022:
  35%  Telematics and application servers
  18%  Remote keyless entry systems
  14%  ECUs (including TCU, GW, etc.)
  12%  Automotive and smart mobility APIs
   8%  Infotainment systems
   6%  Mobile applications
   4%  EV charging infrastructure

From Apple CarPlay to Android Auto, level 2+ advanced driver assistance systems (ADAS), performance enhancements, parking assistance, internet connectivity, traffic guidance, new infotainment features, and vehicle personalization, the connected, software-defined vehicle is revolutionizing the automotive industry and delivering enhanced experiences for drivers. Indeed, the SDV is key to OEM competitiveness, differentiation, and future revenue streams. However, along with these exciting features comes an increase in software and connectivity vulnerabilities. The growing combination of connected and software-defined vehicles will continue to expose new attack vectors to hack and exploit. While OEMs and their supply chains are actively investing in improving cybersecurity protections, data shows that hackers are gaining capabilities every day, and even car owners have joined in, jailbreaking their ECUs to unlock paywalled services[13] and hacking their infotainment systems to work with Apple CarPlay.[14] Attack vectors have expanded well beyond traditional vectors such as servers, TCUs, ECUs, Bluetooth, infotainment, and remote keyless entry systems.

Smart mobility APIs

Connected vehicles and smart mobility services use numerous APIs, and OEMs are challenged with monitoring and managing billions of API transactions every month. Everything from OEM-driven companion apps, infotainment systems, OTA and telematics servers to EV charging management and billing apps relies heavily on APIs to achieve core functionalities. These APIs unlock data-driven services and advanced features, providing new revenue opportunities for automotive stakeholders as smart mobility consumerization evolves. But APIs also present significant and fleet-wide attack vectors, resulting in a wide range of cyber attacks, including the theft of personal information, such as banking and social security numbers, or fatal collisions caused by hackers remotely seizing control of moving vehicles. APIs are riskier: they make hacking easier and cheaper, require relatively low technical expertise, and attacks can be carried out remotely without any special hardware.

In 2022, the number of automotive API attacks increased by 380%, accounting for 12% of total incidents, despite OEMs employing advanced IT cybersecurity protections. Some notable API-based attacks and
112、risks include:IT-based solutions are struggling to handle the scope and magnitude of vehicle attacks,especially as they lack the context and deep understanding of how vehicles behave and operate.White hat hackers demonstrated the ability to remotely start,stop,lock,and unlock multiple OEM vehicles b
113、y sending API requests to a telematics system with the VIN in the unique ID field.15Hackers attacked a popular taxi app and caused massive traffic jams in Moscow.16 Hackers want to unblock vehicles of a German OEM to avoid paying for new services.17 Popular vehicle GPS tracker gives hackers admin pr
114、ivileges and enables them to remotely disable vehicles.18 App account of American mobility service hacked.19Hacker remotely controls 25 American OEM EVs around the world.20Vehicles of North American OEM can be controlled via API scripts published on Github.21 21 2023 Upstream Security Ltd.All Rights
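The first item in the list above (commands accepted for any VIN placed in the request's ID field) is a missing object-level authorization check. The following is an added example, not code from the report or from any OEM: a hypothetical telematics command endpoint in Python, first as a handler that authenticates the caller but trusts the VIN in the request, then the same handler with the VIN bound to the caller's account, and finally a vSOC-style detector that flags a single token addressing many VINs in a short window. The tokens, account names, VINs, action names and request log are constructed placeholders.

```python
"""Hypothetical telematics command endpoint (example code, not from the
report): a VIN-keyed command handler with and without object-level
authorization, plus a vSOC-style detector for VIN sweeping."""
from collections import defaultdict

# Constructed sample data: bearer tokens, the accounts behind them, and the
# VINs each account is allowed to command. All values are placeholders.
ACCOUNTS = {"tok-owner-a": "owner-a", "tok-owner-b": "owner-b"}
OWNED_VINS = {
    "owner-a": {"VINEXAMPLE00000001"},
    "owner-b": {"VINEXAMPLE00000002"},
}
ALLOWED_ACTIONS = {"start", "stop", "lock", "unlock"}


def authenticate(token):
    """Return the account name behind a bearer token, or None."""
    return ACCOUNTS.get(token)


def handle_command_vulnerable(token, vin, action):
    """Authenticates the caller but trusts the VIN in the request body, so any
    valid account can command any vehicle (the weakness described above)."""
    account = authenticate(token)
    if account is None:
        return 401, "unauthenticated"
    if action not in ALLOWED_ACTIONS:
        return 400, "unknown action"
    return 200, f"{action} dispatched to {vin}"


def handle_command_hardened(token, vin, action):
    """Same endpoint with object-level authorization: the VIN must be bound to
    the authenticated account, otherwise the request is refused."""
    account = authenticate(token)
    if account is None:
        return 401, "unauthenticated"
    if action not in ALLOWED_ACTIONS:
        return 400, "unknown action"
    if vin not in OWNED_VINS.get(account, set()):
        return 403, "vin not bound to account"  # the check the vulnerable handler lacks
    return 200, f"{action} dispatched to {vin}"


def flag_vin_sweeps(log, max_vins=3, window_s=600):
    """Return the tokens that addressed more than max_vins distinct VINs within
    any window_s-second window. Owners touch one or two VINs; a token that
    sweeps many VINs is the fleet-wide pattern a vSOC should alert on."""
    by_token = defaultdict(list)
    for rec in sorted(log, key=lambda r: r["ts"]):
        by_token[rec["token"]].append((rec["ts"], rec["vin"]))
    flagged = set()
    for token, events in by_token.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window_s:
                start += 1
            if len({vin for _, vin in events[start:end + 1]}) > max_vins:
                flagged.add(token)
                break
    return flagged


# Constructed request log: owner-a commands their own car twice; owner-b's
# token issues unlock requests for six different VINs within one minute.
SAMPLE_LOG = [
    {"ts": 0, "token": "tok-owner-a", "vin": "VINEXAMPLE00000001", "action": "lock"},
    {"ts": 30, "token": "tok-owner-a", "vin": "VINEXAMPLE00000001", "action": "unlock"},
] + [
    {"ts": 10 * i, "token": "tok-owner-b", "vin": f"VINEXAMPLE{i:08d}", "action": "unlock"}
    for i in range(1, 7)
]

if __name__ == "__main__":
    print(handle_command_vulnerable("tok-owner-b", "VINEXAMPLE00000001", "unlock"))
    print(handle_command_hardened("tok-owner-b", "VINEXAMPLE00000001", "unlock"))
    print(flag_vin_sweeps(SAMPLE_LOG))
```

The hardened handler refuses the cross-account request with 403 where the vulnerable one dispatches it, and the detector flags only the sweeping token, which is the signal the report's fleet-wide monitoring argument rests on: authentication alone says nothing about whether the caller may act on that particular vehicle.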
[Figure: EV value chain and its cyber risk spectrum]
Value chain stages:
- Energy generation: energy creation, storage, retail
- Grid and transmission operation (DSO/TSO): creation, operation and maintenance of public distribution grids; delivery balancing
- Equipment supply: manufacturing and sales of AC/DC chargers
- Installation and field services: charge site/point installation and maintenance
- Site and asset ownership: electricity retailing
- Operations (charge point operator): charging point operations and monitoring
- Charging services (eMSP): charging and mobility services, and billing end users via mobile applications or charge card (including roaming)
Cyber risk spectrum: OS/application security; malware/ransomware; fraud and data loss; service denial; grid attack.
Flows and interfaces shown: V2G (vehicle to grid), G2V (grid to vehicle/fleet), ISO 15118, EV powertrain, charging network interface, charging point operator, eMobility service provider, charging management, remote commands, APIs.

EV charging

Electric vehicles are a critical pillar of the global automotive revolution we have been experiencing. Over the next five years, the US government will invest $5 billion in charging infrastructure, [22] paving the way for long-distance travel, V2X, and V2G, along with more sustainable transportation. As the number of EVs continues to rise, EV charging stations have become a growing battleground for attacks.

In 2022, researchers and hackers showed that charging stations are valuable targets for physical and remote manipulation, exposing users to fraud and ransomware attacks, and slowing chargers down or stopping their functionality altogether:
- Several vulnerabilities found in EV charging stations. [23]
- Russian electric vehicle chargers hacked. [24]
- EV charging station displays show inappropriate content. [25]
- New combined charging stations attack technique found. [26]

Most EV charging stakeholders are still in the early stages of implementing advanced cybersecurity platforms. New regulations are emerging, such as The Electric Vehicles (Smart Charge Points) Regulations 2021, which came into force in the UK in June 2022. [27]

OEMs and various charging infrastructure stakeholders are challenged with mitigating additional risks to EVs across a variety of charging attack vectors:

VEHICLE TO GRID
- Charging fraud: avoiding payment, for example by impersonating another vehicle
- Using the Electric Vehicle Supply Equipment (EVSE) as the entry point to attack the Charging Station Management System (CSMS), and from there other EVSEs or the infrastructure
GRID TO VEHICLE
- Combined Charging System (CCS) physical attack from charging station to vehicle
- ISO 15118: EVSE attacking the Electric Vehicle Charge Controller (EVCC) and from there attacking other ECUs in the vehicle
GRID TO FLEET
- A charging network attacking multiple vehicles from multiple EVSEs
- A single EVSE attacking multiple vehicles
CSMS ATTACKS
- Application attacks on the CSMS
- Changing of billing records
- Incorrect or incomplete transactions
OCPP ATTACKS
- Bad OCPP commands from the CSMS to the EVSE
- Installing bad firmware on the EVSE
API ATTACKS
- Attacks on the public charging APIs

NEW ATTACK VECTORS ARE FADING THE BOUNDARIES BETWEEN VEHICLE-CENTRIC AND IT CYBERSECURITY

Cybersecurity is an ever-transforming realm. The threat landscape is expanding exponentially as vehicles become more connected and software-driven. During 2022, most attacks were carried out by black hat actors who hacked systems for personal gain or malicious purposes. Malicious automotive black hat attacks not only lead to service disruption or monetary loss, but can result in injury or loss of life. In the race between threat actors and security teams, expanding and contextualizing the cybersecurity scope for smart mobility assets is the key to staying ahead. During 2022, Upstream's vSOC team discovered and mitigated multiple fleet-wide and API-based attacks which attempted to give threat actors access to remote vehicle control functions.

Emerging attack vectors highlight the fading boundaries between the two silos of product cybersecurity, driven by OT models, and IT risk mitigation. As IT-based solutions aren't native to the automotive industry, they lack the context that is vital to understanding how vehicles behave and detecting advanced vehicle-related attacks. But with so many new applications and services entering the mobility ecosystem, attack vectors have become far more sophisticated, and include IT-based elements that require a fresh mitigation approach.

The birth of the “Fusion vSOC” shifts the spotlight to cross-functional collaboration

Vehicle security operations centers (vSOCs) are already used by many OEMs to monitor their connected fleets. The coming into effect of R155 was a significant driver in the fast adoption of vSOCs, but the methodologies and processes required to manage the vSOC and effectively mitigate automotive-specific cyber risks are still embryonic. The rise and complexity of cyber attacks, including rising concerns regarding cross-asset attacks (V2X) and API-driven attacks, requires OEMs and automotive stakeholders to deeply collaborate with other cybersecurity efforts, such as the IT SOC, and transition into an integrated fusion vSOC model that strives to understand the full context of smart mobility assets.

[Figure: enterprise, vSOC and SOC. The fusion vSOC is a part of the broader connected vehicle operations center, and introduces a cross-functional approach.]

The fusion vSOC is a part of the broader connected vehicle operations center, and introduces a cross-functional approach combining the basic vSOC functions together with OT-related functions, OTA health monitoring, DTC monitoring, etc. It will also require real-time collaboration between the different SOC perspectives (vehicle, IT, and enterprise), which is critical to detect and effectively mitigate today's ever-growing and complex attack vectors. As a part of the fusion vSOC's ongoing operations, cross-organizational and functional tabletop exercises are expected to gain momentum. With new attack vectors continuously emerging, using attack simulations enables vSOC teams to accelerate collaboration and deepen the vSOC response methodologies and playbooks beyond the current cybersecurity posture. With a high-quality stream of data, the fusion vSOC can monitor, predict, detect, and respond to the most sophisticated cybersecurity threats, while helping OEMs comply with R155 and ISO/SAE 21434 standards.

02 AUTOMOTIVE CYBER THREAT TRENDS
Increasing sophistication and novel attack vectors present new challenges across the entire automotive and smart mobility ecosystem

Incidents from the 2022 timeline figure:
- New Combined Charging Stations (CCS) attack technique found with the potential to disrupt the ability to charge electric vehicles at scale. [37]
- Automotive tools manufacturer discloses data breach claimed by Conti ransomware gang. [38]

INCIDENTS

2022 saw an increase in sophistication and the rise of new attack vectors, bringing new challenges to the entire automotive and smart mobility ecosystem. During 2022, Upstream's AutoThreat researchers analyzed 268 automotive and smart mobility cybersecurity incidents.

Top incidents in 2022, in citation order:
- Hacker
remotely controls 25 American OEM EVs around the world. [28]
- Several vulnerabilities were found in multiple charging stations which allowed remote attackers to impersonate charging station admin users and carry out actions on their behalf. [29]
- App account of American mobility service hacked. [30]
- Russian electric vehicle chargers were hacked and disabled by a Ukrainian EV charging parts supplier as part of a cyberwar effort. [31]
- Cyber attack on a Japanese OEM's supply chain shuts down 14 factories in Japan for 24 hours. [32]
- Tier-2 company hit by cyber attack. [33]
- OEM-affiliated supplier hit by cyber attack. [34]
- Two major OEMs vulnerable to replay attacks that let hackers remotely unlock and start vehicles. [35]
- Italian railway firm falls victim to ransomware attack. [36]
- Chinese OEM vehicles were found to be vulnerable to attacks via update processes. [39]
- German automakers targeted in a year-long malware campaign. [40]
- Agriculture vehicles, valued at $5 million, were remotely disabled and stolen. [41]
- Hackers targeted vehicles of an American OEM through Bluetooth attacks. [42]
- Eight zero-day vulnerabilities discovered in a popular industrial control system used in the transportation sector. [43]
- Japanese automotive supplier hit by ransomware attack. [44]
- A hacker gained control over a head unit of a Japanese automaker through the dashboard's API. [45]
- Popular vehicle GPS tracker gives hackers admin privileges. [46]
- Car rental firm experiences a data breach, affecting employees and possibly customers. [47]
- Three ransomware attacks were launched against a Tier-1 supplier. [48]
- A new mobile app vulnerability was discovered, enabling man-in-the-middle attacks on EV OEMs. [49]
- North American automotive dealership affected by data breach. [50]
- Hackers attacked a popular taxi app, causing massive traffic jams. [51]
- American moving and storage rental company impacted by data breach. [52]
- Vehicles of American OEM can be stolen with a new relay attack. [53]
- Italian OEM hit by ransomware attack. [54]
- Japanese OEM customers affected by data breach in its mobile app. [55]
- UK car retail giant hit by ransomware attack. [56]
- A ransomware group offered all information stolen from a global Tier-1 supplier in a ransomware attack for sale on the dark web for $50 million. [57]
- Cyber attack shuts down Denmark's largest train company. [58]
- White hat hackers remotely started, stopped, locked, and unlocked vehicles of multiple OEMs by sending API requests with the VIN in a unique ID field via a widely used infotainment system. [59]
- US-based mobility service provider impacted by a data breach at a third-party vendor used for asset management. [60]
- Chinese EV OEM impacted by a data breach and ransomware demand of $2.25 million in Bitcoin. [61]

MOST ATTACKS IN 2022 WERE CARRIED OUT BY BLACK HAT ACTORS

As technologies and cybersecurity measures advance, hackers have also evolved, and stakeholders must get deep visibility into who is carrying out attacks. Typically, hackers fall into two categories:

White hat: white hat hackers are often researchers without malicious intent who try to penetrate and manipulate systems to validate security or assess vulnerabilities. White hat hackers constantly find new and disturbing vulnerabilities. They operate independently, through companies leveraging their services, or as part of a bug bounty program, where they are rewarded for responsibly disclosing the vulnerabilities.

Black hat: in contrast, black hat hackers attack systems for personal gain, financial gain, or for malicious purposes. Today's black hat hackers are no longer lone malware developers. They are part of well-organized and well-resourced operations which employ thousands of cybercriminals worldwide, capable of coordinated simultaneous attacks against multiple companies.

[Figure: most attacks in 2022 (63% of incidents) were carried out by black hat actors. Black hat 63%, white hat 37%. Source: Upstream Security]

A major difference between automotive black hat attacks and IT black hat attacks is the consequences and impact of such attacks. Malicious automotive black hat attacks, which are closely aligned with cyber attacks on critical OT infrastructure such as health, energy, and governmental facilities, result not only in disruption of services and financial losses, but also in potential safety hazards and loss of lives. In January 2022, a white hat hacker managed to gain remote access to over 25 American OEM EVs across the world by exploiting security vulnerabilities in a popular open-source logging tool used by vehicle owners. [62] He could disable the security system; unlock doors and roll down windows; start the engine without keys; identify if a driver was present in the vehicle; turn on the vehicle's sound system; and flash the headlights.

Within the white hat category, there are also “gray hat” hackers who hack for their own personal benefit, often driven by monetary considerations. In response to OEMs' growing use of in-vehicle subscriptions for connected services and software-enabled features, gray hat hackers are constantly looking for ways to bypass security measures to access these services for free. In July 2022, following an announcement by a German OEM that it will begin charging car owners a subscription fee for heated seats, hackers said they would unlock the controversial feature for free. The move has been met with resistance from vehicle owners, and many owners will try to hack the feature to avoid paying for it. [63] It may seem harmless on the surface, but gray hat attackers negatively impact OEMs' credibility and revenue by accessing paid services and manipulating systems. Furthermore, the vulnerabilities they expose, and often disclose in forums on the deep and dark web, can be exploited by malicious hackers.

NEARLY ALL ATTACKS ARE REMOTE

[Figure: over two thirds of 2022 remote attacks were long-range. Long-range 70%, short-range 30%.]

Most automotive cyber attacks can be divided into two main categories: remote attacks, which can be short-range (e.g., man-in-the-middle attack) or long-range (e.g., API-based attack), and physical attacks, which require a physical connection to
the vehicle (e.g., OBD port). Since 2010, remote attacks have consistently outnumbered physical attacks, accounting for 85% of all attacks between 2010 and 2021, and 97% in 2022. Remote attacks rely on network connectivity (e.g., Wi-Fi, Bluetooth, 3/4/5G networks), and have the potential to impact multiple vehicles simultaneously.

In July 2022, a security researcher from a Los Angeles-based firm broke into an American OEM vehicle using free software and an off-the-shelf $20 device, an example of a short-range Bluetooth attack. The researcher exploited a vulnerability in the phone-as-a-key keyless entry system. [64] Many OEMs use phone-as-a-key technology, a keyless entry technology based on Bluetooth, which can be vulnerable to these types of attacks.

Long-range attacks increased in 2022 due to increased connectivity and API reliance. In June 2022, a Japanese automotive supplier was hit by a ransomware attack, forcing it to shut down its computerized production controls. [65] In November 2022, a cyber attack targeting third-party IT providers shut down Denmark's largest train company. The attack hit enterprise asset management solution companies for railways, transport infrastructure, and public passenger authorities. It is likely that the threat actor targeted operational disruption, paralyzing railway service for several hours. Analysts speculated that the IT provider may have been hit by a ransomware attack. [66]

[Figure: nearly all 2022 attacks are remote. Remote 97%, physical 3%. Source: Upstream Security]

CVES MUST BE MONITORED CLOSELY

The Common Vulnerability Scoring System (CVSS) is a vulnerability scoring system designed to provide an open and standardized method for rating CVEs. By communicating the base, temporal, and environmental properties of a vulnerability, CVSS helps organizations prioritize and coordinate joint responses. [67] Vulnerabilities are graded Critical, High, Medium, Low, or None, depending on their CVSS score. [68] Security teams, developers and researchers use several methods to assess risks, including CVSS. CVSS scores have practical applications across the product's supply chain, helping to determine whether vulnerabilities have already been exploited and to prioritize efforts to patch them, as well as to allocate time and human resources more effectively. CVSS is also used by ISO/SAE 21434 as part of the standard's risk assessment process to determine attack feasibility.

Fleet managers and operators should also be tracking CVEs closely. CVEs not only impact the risk assessment of the entire fleet; they can also be considered when strategically designing the composition of the fleet.

[Figure: number of automotive-related CVEs found in 2019-2022. 2019: 24; 2020: 33; 2021: 139; 2022: 151. Source: Upstream Security]

The automotive industry has experienced 347 CVEs since 2019, 151 in 2022, compared with 139 in 2021.

OVERVIEW OF 2022 CVES

CVEs are acknowledged and cataloged cybersecurity risks that can be quickly referenced across the automotive ecosystem. It is common to find these threats in OEM products, but they can also appear in the products of OEM supply chain companies. OEMs, who manufacture the vehicles, assemble them from hundreds of software and hardware modules produced by Tier-1 suppliers. The Tier-1s construct these modules from various individual components supplied by their Tier-2s. Each component's quality and safety rests with the company that produces it. Consequently, each company involved in the supply chain has the responsibility to oversee and ensure the quality and safety of each automotive-related product. Because vulnerabilities are not always addressed on time, or even at all, a single flaw in a commonly used software module or component can impact millions of vehicles. Although CVEs disclose critical vulnerabilities, they can also be exploited by hackers looking for vulnerabilities in similar systems.

[Figure: breakdown of publicly reported automotive-related CVEs (2019-2022) by type of company: OEM (vehicle manufacturer), Tier-1 (component supplier), Tier-2 (chipset supplier), and software/hardware service provider (e.g., fleet management systems, aftermarket devices). The figure's four values are 130, 32, 75 and 110, which sum to the 347 CVEs reported since 2019. Source: Upstream Security]
In 2022, the CVSS-scored vulnerabilities analyzed by Upstream's analysts had:
- 33 critical vulnerabilities
- 74 high vulnerabilities
- 44 medium vulnerabilities
(Source: Upstream Security)

[Figure: the smart mobility ecosystem. OEMs; Tier-1s; Tier-2s; electric vehicles; EV charging infrastructure/local grids; autonomous vehicles; agriculture equipment; TSP/fleet management; car dealerships; car, commercial and delivery fleets; public transportation; government fleets/emergency services; car sharing; bike sharing; car rental; ride sharing; ride hailing; smart cities; insurance. Source: Upstream Security]

THE IMPACT IS FELT ACROSS A VAST SMART MOBILITY ECOSYSTEM

Sectors that have expanded their digital footprints, such as EV charging, fleets and mobility sharing applications, are facing attacks that target not only data for financial gain, such as ransomware, but also public safety and infrastructure. Cyber attacks threaten every segment of the automotive, smart mobility and mobility-as-a-service (MaaS) ecosystem.

OEMS, TIER-1 SUPPLIERS, AND TIER-2 SUPPLIERS SHARE RESPONSIBILITY

Besides costly recalls, brand damage, and loss of data, cyber attacks against OEMs and their component suppliers have led to production shutdowns. In March 2022, a cyber attack on a Japanese OEM's supply chain led to the shutdown of 14 factories in Japan for 24 hours. [69] As OEMs rely heavily on suppliers, the risk of cyber attacks is compounded. A dedicated hacker can exploit a vulnerability in a Tier-1 or Tier-2 component supplier to gain direct access to an OEM's network or even the vehicle itself, as was the case in March 2022, when two major Japanese OEMs were found vulnerable to relay attacks that let hackers remotely unlock and start their vehicles. [70] Researchers discovered a vulnerability in remote keyless systems supplied by Tier-1s of the Japanese OEMs, which left them open to replay man-in-the-middle (MITM) attacks. Video evidence was posted as a demonstration that hackers could exploit the vehicles' remote keyless system using a radio transmitter. The remote keyless system transmitted the same radio frequency (RF) code every time, instead of changing the code after each request, allowing a nearby attacker to intercept the RF codes sent by the remote keyless system and later use them to unlock and remotely start the car.

In August 2022, a hacking group conducted a ransomware cyber attack against a multinational Tier-1, [71] threatening to publish the company's data. In November 2022, in response to the company's refusal to comply with the ransom demands, the group offered all the information for sale on a dark web leak site for $50 million. [72]

In September 2022, a vulnerability known as CVE-2022-37709, impacting a US EV OEM, was detected by security researchers. The EV's mobile app was vulnerable to authentication bypass attacks through spoofing, enabling MITM attacks against the EV's phone key authentication via Bluetooth Low Energy. By exploiting the vulnerability, attackers could unlock the vehicle, start the engine, and drive the car away. [73]

The EV ecosystem is rapidly expanding

As the number of EVs increases, so do concerns over charging infrastructure and grid cybersecurity. Due to the rapid growth of electric vehicles, charging infrastructure is being developed and deployed relatively quickly, often overlooking cyber flaws and vulnerabilities. Chargers are vulnerable to physical and remote manipulation that can alter their functionality and expose EV users to fraud, data breaches and even ransom attacks. Additionally, there are new threats associated with various charging attack vect­ors, including vehicle-to-charging network, grid-to-vehicle, and grid-to-fleet. In February 2022, electric vehicle chargers along Russia's M11 motorway were hacked by a Ukrainian parts supplier as part of a cyberwar effort. The chargers were disabled and programmed to display political messages. The chargers showed an error message reading in English “CALL SERVICE NO PLUGS AVAILABLE” before new screens showed additional political messages and videos. [74]

Commercial fleets

As commercial fleet operators such as car rental, logistics and delivery companies increasingly rely on connectivity and software for vehicle management, their cybersecurity risks multiply. In July 2022, a car rental firm experienced a data breach affecting employees and customers. The data breach occurred after an unauthorized party gained access to sensitive consumer
data on the company's network. Among the types of data compromised by the breach are names, direct deposit information, health insurance numbers, dates of birth, social security numbers, driver's license numbers, state identification card numbers, passport numbers, and other government-issued identification numbers. [75]

Smart mobility services

As ride-sharing, ride-hailing and other smart mobility services continue to grow in popularity and use, they represent high-risk targets within the smart mobility ecosystem. These services hold sensitive PII and payment data from thousands of unique users. In January 2022, a US mobility service reported an increase in scams targeting drivers and passengers and revealed that a customer's account was hacked and the customer was locked out. The hacker managed to activate the two-factor authentication, change the password, and add a false charge to the customer's credit card. [76] An additional incident occurred in February 2022, when the same mobility service advised its customers to check recent bank transactions after reports of fraudsters impersonating the company's application and stealing money from its customers. [77] As some smart mobility services have a direct impact on vehicle controls via API-based applications, vulnerabilities can pose risks to vehicles, drivers, and passengers, as well as public infrastructure. In September 2022, hackers from Anonymous attacked a taxi-hailing application and ordered all available taxis to the same location, causing massive traffic jams. [78]

Insurance

Insurance companies are realizing that the cyber-threat landscape directly impacts premiums on connected vehicles. Insurers can leverage connected vehicle data to determine which locations, vehicle types, and components are usually more prone to cyber attacks, and calculate insurance premiums accordingly. New behavior-based insurance models leverage aftermarket devices to share telematics with insurers to reduce premiums and insurance costs. However, bad actors can exploit vulnerabilities in these devices and manipulate data or communications to hack insurance companies' IT networks. Insurers and their telematics suppliers must work together to ensure that their telematics infrastructure is secure.

Autonomous vehicles

The global AV market is expected to grow exponentially in the coming years, with some researchers projecting a staggering 40% CAGR until 2030. [79] AV innovations are being introduced at a rapid pace by many stakeholders, including OEMs, smart mobility and ride-sharing service providers, and large technology enterprises. Other manufacturers are not far behind. Autonomous fleets are gaining momentum, delivering unprecedented efficiencies and customer experiences, as demonstrated by many announcements made in 2022. Furthermore, new sensor types, software and hardware functionalities, and communication types expose potential vulnerabilities, increasing the likelihood of a future attack.

Autonomous vehicles are equipped with and rely upon navigation sensors (e.g., GPS, LIDAR, cameras, millimeter wave radar, IMU) that receive data and directions from multiple sources, including the internet and satellites. It is therefore possible for attackers to prevent the sensor from retrieving useful data, cause it to retrieve incorrect data, or manipulate the sensor function through crafted data. [80] In March 2022, researchers at Duke University demonstrated the first attack strategy that can manipulate industry-standard autonomous vehicle sensors into believing nearby objects are closer (or further) than they appear without being detected. The new attack strategy was executed by shooting a laser gun into a car's LIDAR sensor to add false data points to its perception. The research showed that 3D LIDAR data points, carefully placed within a certain area of a camera's 2D field of view, can manipulate the system and alter its functionality. [81] In June 2022, an autonomous and electric robotaxi fleet, owned by a large technology enterprise, completed a critical checkpoint in robotaxi testing and rollout. The company demonstrated how vehicles can operate completely autonomously in an unstructured environment at human-plus safety levels. [82] In the same month, another vendor's robotaxis blocked traffic for hours in California. Though this incident was not caused by a cybersecurity attack, it highlights the potential challenges still ahead. [83]

The impact of Right to Repair on agriculture vehicles

Conflicts over the Right to Repair of agricultural vehicles made big headlines in 2022. Farmers looking to self-repair their equipment turned to online forums where they discussed software bugs and how to manipulate their tractor systems, and swapped code and data. Consequently, hacking in this sector has increased. In August 2022, at the DefCon security conference, a hacker known as Sick Codes revealed a new jailbreak that provided unrestricted root access to two popular tractor models of a US OEM. The hacker soldered control units onto a printed circuit board and bypassed all the security measures of the tractor's systems, allowing him to take full control and change anything at will using the touchscreen, including unlocking blocked manufacturer features. Farmers could gain full control of their vehicles by exploiting these types of vulnerabilities. [84]

03 2022'S DIVERSE ATTACK VECTORS
Emerging attack vectors require immediate attention by Automotive and Smart Mobility stakeholders

[Figure: incidents by attack vectors, 2022. Telematics and application servers 35%; remote keyless entry systems 18%; ECUs (including TCU, GW, etc.) 14%; APIs 12%; infotainment systems 8%; mobile applications 6%; EV charging infrastructure 4%; Bluetooth 3%. Source: Upstream Security]

INCREASINGLY SOPHISTICATED ATTACKS

In 2022, cyber attacks became more sophisticated and frequent. New attack methods have made the industry acutely aware that any point of connectivity is vulnerable to attacks. The ever-changing attack landscape has driven the introduction of two new attack vectors in 2022, which are at the core of the smart mobility ecosystem: APIs for mobility applications and services, and EV charging infrastructure, which is expected to replace ICE fueling infrastructure in the next decade.
Telematics and Application Servers
Connected vehicles collect, transmit, and receive essential information throughout a vehicle's life, to the OEM's back-end servers and to vehicle owners. To accomplish this, they rely on two types of servers for open communication with OEMs: telematics servers, which communicate with the vehicle, and application servers, which communicate with the vehicle's companion applications. Furthermore, some vehicles also have aftermarket servers, which are responsible for communicating with third parties such as insurance companies, fleets, car rental and leasing companies, EV charging networks, and more. A black hat actor could attack vehicles on the road by exploiting vulnerabilities in back-end servers.

Remote Keyless Entry Systems
During the past decade, remote keyless entry systems (wireless key fobs) have evolved from a luxury feature to an industry standard. Vehicle theft and break-ins have increased dramatically because of wireless key fob manipulation. These attacks have become prevalent due to publicly available hacking tutorial videos and devices which are sold online without registration, enabling black hat actors to carry out their attacks freely.

Keyless fobs are equipped with a short-range radio transmitter. Whenever a vehicle's key fob is in close proximity to its vehicle, it transmits a coded signal via radio communication to the receiver unit. Communication between the fob and the vehicle can be intercepted using devices designed to interfere with, or steal information from, a key fob's radio signal.

The communication between the key fob and the vehicle can be attacked in a few different ways:

Jamming communication between a key fob and a vehicle
It is also possible for car thieves to break into vehicles using a signal jammer that interferes with the communication between the key fob and the vehicle. This device prevents the owner from locking the vehicle, allowing thieves free access.

Reprogramming key fobs
Using a more sophisticated and expensive device, hackers can also reprogram the key fob system and create a new key for the car to communicate with, rendering the previous key unrecognizable. The reprogramming device can be legally obtained on online e-commerce websites and is used by authorized mechanics and service centers. It connects to the OBD port, making it relatively easy for car thieves to gain full control over vehicles.

Replay attacks using a stored signal
In a related type of attack, hackers intercept and store messages sent from a key fob or vehicle remotely for later use. Having obtained the relevant message, the hacker can use it whenever they want to carry out an attack, such as unlocking the car's doors or starting the engine.

Relay attacks using a "live" signal
In relay attacks, hackers intercept the normal communication between the key fob and the vehicle. Even when the key fob's signal is out of range, hackers can amplify it using a transmitter or repeater. Thieves increasingly use this type of attack to intercept the signal from a key fob located inside a vehicle owner's house. An additional device is placed near the car, which amplifies and relays a message to unlock and start the vehicle's engine.
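To make the difference between the stored-signal (replay) and live-signal (relay) cases above concrete, here is an added illustration that is not from the report or any OEM: a toy challenge-response unlock in which the vehicle remembers which challenges it has already consumed. The shared key, message layout and nonce size are constructed assumptions.

```python
"""Stored-signal replay versus live-signal relay against a toy unlock protocol.

Constructed illustration, not any OEM's RKE/PKE design: the vehicle issues a
fresh random challenge, the fob answers with an HMAC over challenge + command,
and the vehicle refuses any challenge it has already consumed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

CHALLENGE_LEN = 8  # bytes; constructed size for the demo
TAG_LEN = 8


@dataclass
class Fob:
    key: bytes  # secret shared with the vehicle at pairing time (assumption)

    def answer(self, challenge: bytes, command: bytes) -> bytes:
        # The tag binds the command to this exact challenge, so a captured
        # answer cannot be re-used with a different challenge or command.
        tag = hmac.new(self.key, challenge + command, hashlib.sha256).digest()
        return challenge + command + tag[:TAG_LEN]


@dataclass
class Vehicle:
    key: bytes
    open_challenges: set = field(default_factory=set)
    used_challenges: set = field(default_factory=set)
    unlocked: bool = False

    def issue_challenge(self) -> bytes:
        challenge = secrets.token_bytes(CHALLENGE_LEN)
        self.open_challenges.add(challenge)
        return challenge

    def receive(self, msg: bytes) -> str:
        """Validate one fob message; returns a short verdict string."""
        if len(msg) < CHALLENGE_LEN + 1 + TAG_LEN:
            return "malformed"
        challenge = msg[:CHALLENGE_LEN]
        command = msg[CHALLENGE_LEN:-TAG_LEN]
        tag = msg[-TAG_LEN:]
        expected = hmac.new(self.key, challenge + command, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return "bad-mac"               # forged or wrong-key message
        if challenge in self.used_challenges:
            return "replayed"              # a stored message from an earlier session
        if challenge not in self.open_challenges:
            return "unknown-challenge"     # never issued by this vehicle
        self.open_challenges.discard(challenge)
        self.used_challenges.add(challenge)
        if command == b"unlock":
            self.unlocked = True
        elif command == b"lock":
            self.unlocked = False
        return "ok"


def legitimate_unlock(vehicle: Vehicle, fob: Fob) -> str:
    return vehicle.receive(fob.answer(vehicle.issue_challenge(), b"unlock"))


def replay_stored_message(vehicle: Vehicle, fob: Fob):
    """Record one genuine unlock exchange, then present the same bytes again later."""
    recorded = fob.answer(vehicle.issue_challenge(), b"unlock")
    first = vehicle.receive(recorded)
    vehicle.unlocked = False              # owner locks the car again later
    second = vehicle.receive(recorded)    # the stored signal is replayed
    return first, second, vehicle.unlocked


def live_relay(vehicle: Vehicle, fob: Fob) -> str:
    """A live relay only forwards bytes between a fresh challenge and a distant fob.
    Every field is valid and unused, so the freshness check alone does not stop it;
    a real design needs distance bounding or similar, which is not modelled here."""
    forwarded_challenge = bytes(vehicle.issue_challenge())
    forwarded_answer = bytes(fob.answer(forwarded_challenge, b"unlock"))
    return vehicle.receive(forwarded_answer)
```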
How a relay attack works [88]
Step 1: A thief stands near the vehicle, transmitting a signal with a hacking device to another thief near the owner's house.
Step 2: Next to the house, the other thief holds a second device and tries to lock on to the signal from the owner's key, which is located inside the house.
Step 3: Once locked on to the signal, the second device relays the information from the key inside the house to the thief near the vehicle.
Step 4: Using the relayed signal, the first thief can unlock the doors, start the engine, and drive off.

In March 2022, police in Macclesfield, UK sought public assistance after five keyless vehicles of a British OEM were stolen using relay attack devices.[85] In October 2022, French police discovered that hackers were using a modified version of a popular Bluetooth speaker to steal multiple OEM vehicles. The Bluetooth device, marketed for 5,000 on the dark web, contained a quick start key that enabled the hackers to start vehicles.[86] In November 2022, the US National Insurance Crime Bureau reported that vehicle thefts were approaching record highs, with over 745,000 vehicles stolen in the first three quarters of 2022 in the US, a 24% increase over the same period in 2019.[87]

ECUs
Electronic Control Units (ECUs), responsible for engine, steering, braking, windows, keyless entry, and various critical systems, can be interfered with or manipulated. Hackers try to manipulate ECUs and take control of their functions by running multiple sophisticated systems at the same time. In January 2022, an attacker manipulated a German OEM's Electronic Power Steering ECU by modifying its firmware. After failing to extract the firmware over the CAN bus, the hacker managed to gain enough information to brute-force the ECU authentication, allowing him access to the password-protected diagnostics mode. Using this method, the attacker was able to find the upgrade file, decrypt it, and finally modify the ECU firmware.[89]

APIs
Smart mobility services and connected vehicles use numerous APIs, resulting in billions of transactions every month. Everything from OEM mobile apps, infotainment systems, and OTA and telematics servers to EV charging management and billing apps relies heavily on APIs to achieve core functionality. APIs also present significant, fleet-wide attack vectors, resulting in a wide range of cyber attacks
, such as stealing personal information or remotely controlling vehicles. Entry-level API hacking requires relatively little technical expertise, relies on standard techniques, costs a lot less than hacking other types of systems, and can be done remotely without special hardware. Automotive API-based attacks became increasingly common in 2022, accounting for 12% of total incidents, up from 2% in 2021.

In November 2022, a group of white hat hackers revealed the details of how they managed to access and control multiple vehicles from various OEMs by exploiting an API's broken object-level authorization (BOLA).[90] They discovered that by sending API requests with the VIN in a unique ID field, via a telematics system, they could remotely start, stop, lock, and unlock vehicles of several OEMs worldwide. Furthermore, the hackers also gained access to sensitive vehicle owner information. In September 2022, hackers from Anonymous attacked a taxi-hailing application and ordered all available taxis to the same location in Moscow simultaneously. Many videos were shared on social media showing hundreds of taxis gathering in the same area, causing massive traffic jams.[91]

12% of total incidents in 2022 were API-based attacks.
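An added example (not the report's or any OEM's code) of the object-level authorization failure just described: a vehicle-command handler that lets the VIN in the request select the vehicle, beside one that resolves the VIN through the authenticated account's own vehicles and logs denied cross-account requests so that enumeration shows up in the audit trail. Account names, VINs and the handler shape are constructed.

```python
"""Broken object-level authorization (BOLA) in a VIN-keyed vehicle-command API.

Constructed example, not any OEM's or telematics vendor's code: two handlers
for the same request, one that lets the client-supplied VIN select the vehicle
directly, one that checks the VIN against the caller's own vehicles first, plus
a small detection query over the resulting audit records.
"""
from dataclasses import dataclass, field

# Constructed fleet: two customers, one vehicle each. VINs are placeholders.
VEHICLES = {
    "TESTVIN0000000001": {"owner": "alice", "locked": True, "running": False},
    "TESTVIN0000000002": {"owner": "bob", "locked": True, "running": False},
}
ALLOWED_COMMANDS = {"lock", "unlock", "start", "stop"}


def fresh_fleet() -> dict:
    """Independent copy of the constructed fleet so each scenario starts clean."""
    return {vin: dict(state) for vin, state in VEHICLES.items()}


@dataclass
class Request:
    session_user: str   # identity already established by the authentication layer
    body: dict          # parsed JSON body, e.g. {"vin": "...", "command": "unlock"}


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, req: Request, result: str) -> None:
        self.entries.append({"user": req.session_user, "vin": req.body.get("vin"),
                             "command": req.body.get("command"), "result": result})


def apply_command(vehicle: dict, command: str) -> None:
    if command == "lock":
        vehicle["locked"] = True
    elif command == "unlock":
        vehicle["locked"] = False
    elif command == "start":
        vehicle["running"] = True
    elif command == "stop":
        vehicle["running"] = False


def handle_vulnerable(req: Request, vehicles: dict):
    """Authenticated but not authorized: the VIN in the body selects the object."""
    vin, command = req.body.get("vin"), req.body.get("command")
    if command not in ALLOWED_COMMANDS:
        return 400, {"error": "bad command"}
    vehicle = vehicles.get(vin)
    if vehicle is None:
        return 404, {"error": "unknown vin"}
    apply_command(vehicle, command)  # any valid session can drive any VIN
    return 200, {"vin": vin, "locked": vehicle["locked"], "running": vehicle["running"]}


def handle_hardened(req: Request, audit: AuditLog, vehicles: dict):
    """Object-level check: the VIN must belong to the authenticated account."""
    vin, command = req.body.get("vin"), req.body.get("command")
    if command not in ALLOWED_COMMANDS:
        return 400, {"error": "bad command"}
    vehicle = vehicles.get(vin)
    # One answer for "no such VIN" and "not your VIN", so the endpoint cannot be
    # used to confirm which VINs exist.
    if vehicle is None or vehicle["owner"] != req.session_user:
        audit.record(req, "denied")
        return 404, {"error": "unknown vin"}
    apply_command(vehicle, command)
    audit.record(req, "ok")
    return 200, {"vin": vin, "locked": vehicle["locked"], "running": vehicle["running"]}


def suspicious_users(audit: AuditLog, threshold: int = 3) -> list:
    """Accounts with at least `threshold` denied VIN accesses: the trace that
    walking through other customers' VINs leaves in the audit log."""
    denied = {}
    for entry in audit.entries:
        if entry["result"] == "denied":
            denied[entry["user"]] = denied.get(entry["user"], 0) + 1
    return sorted(user for user, count in denied.items() if count >= threshold)
```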
Mobile Applications
Thanks to greater vehicle connectivity, OEMs have been able to provide remote services with vehicle companion applications that connect vehicles to smartphones, allowing owners to conveniently control critical functions. With mobile applications, users can get the location of vehicles, track their routes, open their doors, start their engines, turn on their auxiliary devices, and more. On the flip side, these same apps, which enable drivers to enjoy a digital user experience, can also be exploited by hackers to access the vehicle and the app's back-end servers. Companion applications may also have vulnerabilities, including open-source software vulnerabilities, hard-coded credentials, and weaknesses in the mobile app's API or back-end server. Vehicle mobile apps can also be used to commit identity theft. Black hat actors can exploit vulnerabilities in mobile devices and application servers to obtain credentials and compromise private user information on a large scale. In July 2022, researchers found six vulnerabilities in a popular Chinese GPS tracker, which allowed attackers to access GPS location data and send SMS commands directly to GPS trackers as if they were coming from the GPS owner's phone number. It is estimated that the GPS tracker is installed in over 1.5 million vehicles worldwide. The findings pose significant privacy and security risks, indicating that hackers can potentially manipulate the GPS tracker to track users, disarm alarms, and manipulate data.[92]

Infotainment Systems
In-vehicle infotainment (IVI) systems are one of the main attack vectors. They connect to the internet and are exposed to installed applications and short-range communications with mobile phones and Bluetooth devices. This type of connectivity allows them to access private information, such as contacts and messages. IVI systems often connect to a vehicle's internal networks, posing a serious risk to the vehicle. IVI systems can be the path of least resistance for malicious software to enter the internal systems. In July
2022, a hacker gained control over a Korean OEM's head unit through its dashboard API. The hacker bypassed all authentication mechanisms for firmware updates, reverse-engineered the code, and created subversive update files that granted him access to the root shell of the head unit. Next, the hacker reverse-engineered the app framework to create his own app, which he then used to monitor the vehicle's status and control the locking mechanism using the dashboard API.[93]

EV Charging Infrastructure
Providing a reliable and safe charging infrastructure is essential to accelerating the adoption of electric vehicles. But today, many chargers are vulnerable to physical and remote manipulation that can stop them from working, expose EV users to fraud and ransom attacks, and have widespread implications for the charging network, the local electric grid, or even vehicle fleets. The following are a few of the top incidents related to EV charging that occurred in 2022:
In February 2022, a Ukrainian EV charging parts supplier hacked and disabled Russian electric vehicle chargers as part of a cyberwar effort.[94]
In April 2022, security researchers disclosed a new attack technique against the popular Combined Charging System (CCS) that could potentially disrupt the ability to charge electric vehicles at scale.[95]
In May 2022, experts reported a rise in charging station hacking incidents, including incidents where hackers would load ransomware onto chargers to slow them down or stop functionality altogether. Additionally, they reported that hackers could also lock users out of their user profiles until they pay a ransom fee, or hack into chargers themselves to save on charging fees.[96]

Bluetooth
Bluetooth is a wireless communication technology that uses radio frequencies to connect devices and share data. Bluetooth Low Energy (BLE) is the standard protocol for sharing data between devices that companies have adopted for proximity communication to unlock millions of vehicles, residential smart locks, commercial building access control systems, smartphones, smartwatches, laptops, and more. In May 2022, security researchers at the NCC Group announced that they had developed a tool for conducting a new type of BLE relay attack operating at the link layer, allowing them to circumvent existing relay attack mitigations. They demonstrated the capability using a popular model of an American EV OEM, although it affects virtually every device that uses the protocol. Researchers demonstrated they could unlock and operate a vehicle from an iPhone while the iPhone was outside the BLE range of the vehicle.[97]

OTA Updates
Over-the-air (OTA) programming is a method of remote software management that allows wireless distribution of new software, firmware, or configuration settings from a central location to all devices through the network. Remote updates are riskier than physical ones because wireless communication opens the door to numerous cyber attacks and may affect multiple vehicles, and even the entire fleet, at once. Additionally, updates can be crucial to the vehicle's functionality: an update failure could result in a severe vehicle malfunction. In May 2022, hackers discovered a new attack vector in a Chinese OEM vehicle, which allowed them to conduct unapproved software upgrades to vehicles. Despite being outside the approved update region, the systems could be accessed remotely via OTA updates or physically via the OBD port. In this specific incident, the ability to update some vehicle models extended beyond
simple features to engine power and safety features. Pirated installations raise concerns about malfunctions in vehicle systems, including active safety systems.[98] Upstream's AutoThreat researchers are continuously monitoring OTA-related activities in the deep and dark web. Our researchers have identified a growing interest by adversaries in exploiting OTA updates to execute cyber attacks.

V2X
V2X attacks are in their infancy, but are expected to become much more frequent in the coming years
Telematics, smart mobility, and other services require connected vehicles to share data with servers, apps, and various vehicle components. V2X, or Vehicle-to-Everything, is the term for the communication between a vehicle and any other entity which could affect or be affected by the vehicle. Within a few years, vehicles will constantly communicate and interact with their surroundings through APIs, sensors, cameras, radars, cellular IoT modules, and more, enhancing vehicle operation by processing various inputs from the environment. The most profound addition will be the capability of a vehicle to communicate with other vehicles on the road, and receive data from external sources such as EV chargers or road infrastructure.
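Returning to the infotainment and OTA incidents above, where update files were accepted without effective authentication and outside the approved region: an added example, not from the report or any OEM's update pipeline, of the checks a vehicle can run on an update file before applying it. The manifest format, the HMAC stand-in for a real signature, and the model, region and version values are all constructed assumptions.

```python
"""Verifying an update file before a vehicle applies it.

Constructed example, not any OEM's OTA pipeline: the update file carries a
manifest (target model, approved regions, version, payload hash) and a tag
over the canonical manifest. HMAC-SHA256 with a shared key stands in for the
asymmetric signature a real system would use; every other value is made up.
"""
import hashlib
import hmac
import json

SIGNING_KEY = b"constructed-oem-update-signing-key"  # placeholder, demo only


def _canonical(manifest: dict) -> bytes:
    # Deterministic encoding so signer and verifier hash identical bytes.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def build_update_file(manifest: dict, key: bytes) -> bytes:
    """Producer side: attach the tag to the manifest."""
    tag = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    return json.dumps({"manifest": manifest, "tag": tag}).encode()


def verify_update(update_file: bytes, payload: bytes, vehicle: dict, key: bytes):
    """Vehicle side. Returns (accepted, reason). Authenticity is checked first;
    only then are the manifest's policy fields trusted."""
    try:
        outer = json.loads(update_file)
        manifest, tag = outer["manifest"], outer["tag"]
    except (ValueError, KeyError, TypeError):
        return False, "malformed update file"
    expected = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    if not isinstance(tag, str) or not hmac.compare_digest(tag, expected):
        return False, "signature mismatch"        # edited or self-made update file
    if manifest.get("model") != vehicle["model"]:
        return False, "wrong model"
    if vehicle["region"] not in manifest.get("regions", []):
        return False, "region not approved"       # not released for this market
    if tuple(manifest.get("version", [])) <= tuple(vehicle["version"]):
        return False, "downgrade refused"         # anti-rollback
    if hashlib.sha256(payload).hexdigest() != manifest.get("payload_sha256"):
        return False, "payload hash mismatch"     # image swapped after signing
    return True, "ok"


# Constructed sample data used by the scenarios below.
PAYLOAD = b"constructed firmware image bytes, not a real image"
MANIFEST = {
    "model": "DEMO-MODEL-A",
    "regions": ["EU", "US"],
    "version": [2, 1, 0],
    "payload_sha256": hashlib.sha256(PAYLOAD).hexdigest(),
}
VEHICLE = {"model": "DEMO-MODEL-A", "region": "EU", "version": (2, 0, 3)}


def run_scenarios() -> dict:
    """Outcome of each case as a {name: reason} map."""
    good = build_update_file(MANIFEST, SIGNING_KEY)
    edited = json.loads(good)
    edited["manifest"]["regions"].append("CN")    # policy edited without re-signing
    results = {
        "genuine": verify_update(good, PAYLOAD, VEHICLE, SIGNING_KEY),
        "edited manifest": verify_update(json.dumps(edited).encode(), PAYLOAD, VEHICLE, SIGNING_KEY),
        "foreign key": verify_update(build_update_file(MANIFEST, b"other-key"), PAYLOAD, VEHICLE, SIGNING_KEY),
        "swapped payload": verify_update(good, PAYLOAD + b"x", VEHICLE, SIGNING_KEY),
        "outside region": verify_update(good, PAYLOAD, dict(VEHICLE, region="CN"), SIGNING_KEY),
        "rollback": verify_update(good, PAYLOAD, dict(VEHICLE, version=(2, 1, 0)), SIGNING_KEY),
        "garbage": verify_update(b"not json", PAYLOAD, VEHICLE, SIGNING_KEY),
    }
    return {name: reason for name, (_ok, reason) in results.items()}
```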
There are seven primary modes of vehicle connectivity:
V2I, Vehicle to Infrastructure: wireless exchange of data between the vehicle and road infrastructure to get information about accidents, construction, parking, and more.
V2V, Vehicle to Vehicle: data sharing between vehicles, typically including location, to avoid traffic jams and accidents.
V2N, Vehicle to Network: communication between vehicles, traffic lights, lane markings, and other forms of the road infrastructure network.
V2C, Vehicle to Cloud: communication between a vehicle and cloud-based back-end systems, allowing the vehicle to process information and commands sent between services and applications.
V2P, Vehicle to Pedestrian: communication between vehicles, infrastructure, and personal mobile devices to inform about the pedestrian environment, enabling safety, mobility, and environmental advancements.
V2D, Vehicle to Device: the exchange of data and information between vehicles and electric devices that directly connect with them.
V2G, Vehicle to Grid: two-way power flow between vehicles and the power grid, which can create major problems across a city or nation's transportation grid if exploited.

It is expected that vehicles will interact with the entire environment around them, considering pedestrians and cyclists that may enter their path, traffic conditions ahead,
and data from traffic lighting and control systems at intersections. The future of V2X will rely on new wireless communication technologies, such as DSRC and Cellular V2X (C-V2X), which have been in testing for the past few years. C-V2X uses 3GPP-standardized 4G LTE or 5G mobile cellular connectivity to exchange messages between vehicles, pedestrians, and wayside traffic control devices such as traffic signals. Though both DSRC and C-V2X enable the future of V2X, C-V2X's use of Long-Term Evolution (LTE) is considered a potential game changer for the connected vehicle ecosystem. The ability to use existing cellular infrastructure will potentially reduce the effort required to accelerate adoption, while ensuring high-speed communication in high-density locations.[100] In November 2022, Applied Information received its 10th experimental license from the FCC for testing C-V2X connected vehicle applications in cooperation with the Maine Department of Transportation. Through the experimental licenses, Applied Information is able, in coordination with local and state departments of transportation (DOTs), to test various C-V2X safety applications under a wide variety of roadway conditions from Maine to Hawaii. Examples of C-V2X safety applications in development include those for school zones, school buses, emergency vehicles, rail crossings, pedestrian safety, and unprotected left turn crash avoidance.[101]

Chapter 4: Impact of Cyber Attacks on the Automotive Industry
Trust at risk: cyber attacks pose severe reputational repercussions

The Reputational and Financial Impact of Cyber Attacks
There can be both direct and indirect financial repercussions from automotive cyber attacks, many of which are extremely high. Among the direct costs are recalls, production shutdowns
, payments, and stolen vehicles. Indirect damage, such as hacked accounts and data breaches, which damage a brand's reputation and trust, can ultimately impact revenue. With the connected vehicles market predicted to reach $197 billion by 2030,[102] attacks on the automotive industry will continue to have a far-reaching impact. A growing number of companies have fallen victim to increasingly sophisticated cyber attacks in recent years. Some attacks may have a noticeable impact on the industry, as recovery can sometimes take months to complete. According to Accenture, the automotive industry will lose $505 billion to cybercrime between 2019 and 2023.[103]

Cybercrime losses by industry, 2019-2023 (source: Accenture Research)
Insurance: $305b
Banking: $347b
Automotive: $505b
Life sciences: $642b
High tech: $753b

2010-2022 impact breakdown, based on 1100+ automotive-related cyber incidents (source: Upstream Security)
Data/privacy breach: 31%
Service/business disruption: 23%
Vehicle theft and break-ins: 22%
Control vehicle systems: 13%
Fraud: 3%
Manipulate car systems: 3%
Location tracking: 3%
Policy violation: 1%
Other: 1%

To demonstrate the impact of attacks, consider this example that highlights not only the financial impact but also the potential for damaged trust. In October 2022, a large car dealership group with more than 200 car dealerships in the UK was attacked by the LockBit hacking group, which demanded $60 million in ransom to decrypt files and not leak them online.[104]

Ransomware attack impact: encrypt files and demand ransom; sell data on the dark web.

Data and Privacy Breaches
A company's private data (PII, customer lists, billing information, employee information, vendor data, agreements, and even internal trade secrets) is among its greatest and most safeguarded assets. There have been numerous ransomware attacks involving the leak of private business and consumer information. In most ransomware attacks, double extortion is used, which involves encrypting files and demanding a ransom for their release, and maintaining a leak site to threaten publication and sale of the data on the dark web if the victim refuses to pay. Most notable in 2022 was Black Basta,[105] a ransomware group operating as ransomware-as-a-service (RaaS). This group emerged in April 2022 and went on a spree, breaching over 89 organizations by October 2022,[106] primarily in the US, EU and UK, and across a range of industries, including transportation. Many speculate that Black Basta is a rebrand of the notorious Conti RaaS, used in hundreds of successful attacks in 2021.[107] Another example occurred in August 2022, when a UK car dealership with nine franchises and 23 locations suffered a ransomware attack that damaged some core systems beyond repair and demanded substantial payment. The incident resulted in permanent loss of data and caused significant damage to the company's network infrastructure, compromising personal employee data and other sensitive information.[108]
Vehicle Thefts and Break-ins
As new technologies enable vehicles to be unlocked and started wirelessly, keyless car thefts are becoming increasingly common. Keyless car theft toolkits are sold online along with the tools and technologies needed to manipulate vehicles. Over the past decade, cyber incidents have resulted in a rise in thefts and break-ins of cars. Keyless car theft has become ubiquitous in today's automotive world, accounting for more than a quarter of the industry's total number of incidents, and is a serious problem in many countries. In 2022, police departments across the world warned of a spike in keyless vehicle thefts:
In February, Cheshire UK police warned of a spike in thefts of British OEM vehicles with keyless ignition and issued safety tips to help drivers protect their vehicles.[109]
In April, Birmingham UK police reported that thefts, primarily of keyless vehicles, across the area shot up by 36%, totaling 12,000 vehicle thefts (averaging over 30 per day), and issued a warning to drivers.[110]
In May, the Ottawa, Canada Police Service warned residents of an increase in car thefts targeting a specific model of a Japanese OEM, in which 21 vehicles were stolen in a span of two weeks.[111]
In August, police in New Orleans, LA reported a spike in keyless relay attacks, which accounted for almost 1,900 stolen cars in 2022.[112]
In September, police in Chicopee, MA reported an increase in keyless car thefts in the area and issued recommendations on how keyless car owners can avoid such incidents.[113]
In October, Greater Manchester UK police issued a warning regarding a specific model of an American OEM, in which 8 vehicles were stolen using short-range radio waves in a span of two weeks in late September.[114]
Financial Impact on Insurance Providers
Automotive-related cyber threats are beginning to draw the attention of insurance stakeholders, both with respect to the impact on insurance premiums and with respect to ransomware and cybersecurity underwriting. The connected SDV has the potential to revolutionize the insurance industry, introducing many new behavior-based monitoring capabilities that can be leveraged by insurers to better evaluate risks. But connectivity and software-based features also introduce new cyber risks and safety hazards. With keyless entry systems, which have led to an increase in vehicle thefts and break-ins, even traditional theft risk considerations are evolving. The problem of keyless vehicle thefts and break-ins has become so prevalent that in May 2022 the Insurance Crime Bureau warned of an increase in car thefts through relay attacks.[115] In response to this shift in risk, many insurance providers are no longer paying out claims for property lost in keyless attacks, excluding coverage for high-value items in vehicles unless there are clear signs of forced entry. The high number of vehicle thefts gives insurance providers an incentive to understand vehicle theft attack vectors and vulnerabilities. Additionally, underwriters are struggling to assess new cybersecurity risks, including a new type of loss, such as partial or full vehicle bricking due to ransomware. To do so, they must understand the cybersecurity posture of each vehicle make and model, as well as the potential frequency and severity of cyber attacks.

Chapter 5: Regulation Reality Check
Building trust in the Smart Mobility ecosystem

Putting UNECE WP.29 R155 and ISO/SAE 21434 into Practice
As part of their efforts to create a unified approach to protecting against cyber threats, many automotive OEMs and their suppliers began implementing WP.29 R155 for Cyber Security Management System (CSMS) and Type Approval,[116] WP.29 R156 for Software Update Management System (SUMS),[117] as well as the ISO/SAE 21434 Road vehicles Cybersecurity engineering standard.[118] In 2022, the US National Highway Traffic Safety Administration (NHTSA) revised its best practice guidelines for industry leaders.[119] This is the newest release in a series of guidelines published in the last several years by the European Union Agency for Cybersecurity (ENISA)[120] and the member trade association Auto-ISAC.[121] It is important to note that both R155 and ISO/SAE 21434 avoid outlining specific solutions and exact processes, instead emphasizing the importance of implementing a high standard of cybersecurity analysis. The guidelines outline the process and specify risk analysis
and response targets, emphasizing the need to consider life-long cybersecurity threats and vulnerabilities during the development, production, and post-production phases.

UNECE WP.29 Overview
The primary components of regulation WP.29:
R155 CSMS, Cybersecurity Management System: cybersecurity management from ideation through post-production.
R156 SUMS, Software Update Management System: cybersecurity measures to ensure safe software updates throughout the vehicle lifecycle.

Vehicles regulated under WP.29 (source: UNECE)
Vehicles are regulated under R155,[122] R156,[123] or both, depending on category classification.
Vehicle category | Definition | Applicable regulation
L6 | Vehicle with four wheels weighing under 350 kg (770 lb) whose engine does not exceed 50 cubic cm and whose maximum design speed is 45 km/h (28 mph) | R155 if equipped with level-3 functionalities and above
L7 | Vehicle with four wheels weighing under 400 kg (880 lb) and whose continuous rated power does not exceed 15 kW | R155 if equipped with level-3 functionalities and above
M | A vehicle with at least four wheels, meant to carry passengers | R155 & R156
N | An automobile with at least four wheels, meant to carry goods | R155 & R156
O | Trailers that have at least one ECU | R155 & R156
R | Agricultural trailer | R156
S | Interchangeable towed agricultural or forestry equipment | R156
T | Any motorized, wheeled, or tracked agricultural equipment that has two axles and is meant to travel at speeds greater than 6 km/h (3.5 mph) | R156

The Impact of Regulation on the Smart Mobility Ecosystem
Together, these regulations, standards and guidelines are designed to ensure a high level of cybersecurity, resulting in better safety and security for customers, while establishing uniform terminology, guidelines, targets, and scope across the industry. Manufacturers need this flexibility to implement innovative cybersecurity approaches and continuously improve. ISO/SAE 21434 builds on the ISO 26262 Road vehicles Functional Safety standard, and requires automotive OEMs and suppliers to implement cybersecurity throughout the entire vehicle lifecycle. It focuses on adopting a security-from-the-ground-up mindset, and establishing engineering requirements for each step of product development and production, as well as the post-production phase. R155 requires OEMs to implement and maintain threat analysis and risk assessment (TARA) throughout all stages of the vehicle lifecycle. They must also create processes to address and mitigate future attacks together with their Tier-1 and Tier-2 suppliers. Though the regulation applies to OEMs, the requirement to demonstrate that the CSMS includes the entire value chain extends the impact of R155 to suppliers. R155 applies to OEMs operating within the 54 countries that participate in the 1958 UNECE Transportation Agreements and Conventions. With R155, OEMs and suppliers are better able to identify and respond to security risks associated with new
and emerging vehicle architectures, mobility services, and the connected vehicle ecosystem. These include threats to:
Back-end servers related to vehicles in the field
Vehicles regarding their communication channels
Vehicles regarding their update procedures
Vehicles regarding unintended human actions facilitating a cyber attack
Vehicles regarding their external connectivity and connections
Vehicle data/code

The R155 regulation is unique both in its practical approach to automotive cybersecurity, with concrete examples of threats and specified mitigations, and in its holistic approach, covering process and governance as well as IT, product, OT, and IoT perspectives. In the regulation, the term "processes" is emphasized clearly, with the intent to provide guidance on cybersecurity structures without mandating low-level technical specifications. Today's automotive cyber environment is diverse and dynamic, making rigid technical measures counterproductive. The regulation was intentionally drafted in a technology-neutral way, giving OEMs some flexibility to decide how to ensure the cybersecurity of their vehicles. 2022 proved that decision-making by OEMs at the global level is moving in the right direction. The UNECE regulations and the ISO/SAE 21434 standard have reached critical mass and are changing operations around the world. OEMs work closely with suppliers and cybersecurity companies to support industry-wide compliance and certification efforts, and to establish robust cybersecurity governance structures and testing processes. To boost collaboration among OEMs and suppliers, the European Automobile Manufacturers Association (ACEA) and the European Association of Automotive Suppliers (CLEPA) joined forces with Auto-ISAC in October 2022 to create a central European hub for information sharing on motor vehicle cybersecurity.[124]

Building Long-Term Trust with ISO/SAE 21434
A key differentiator between the WP.29 regulations and the ISO/SAE 21434 standard is that the ISO/SAE standard provides OEMs and their suppliers with a comprehensive process for calculating asset risk, and suggests methods for calculating scores and prioritizing vulnerability urgency. The standard provides a structured cybersecurity framework, establishing cybersecurity as an integral element of engineering throughout the lifecycle of a vehicle, from the conceptual phase until decommissioning. Additionally, to follow the ISO/SAE 21434 standard and R155 CSMS requirements, OEMs are encouraged to maintain a vSOC to enforce continuous monitoring for over a decade after vehicles roll off the assembly line. With 151 new CVEs discovered in 2022, it is imperative that stakeholders continuously review and implement mitigation techniques to protect their products against both existing vulnerabilities and undiscovered vulnerabilities that may arise in the future.

R155 Cybersecurity Management System: cybersecurity monitoring throughout the vehicle lifecycle.
ISO/SAE 21434 Security by design: engineering requirements for each step of product development.
R155 Threat Analysis & Risk Assessment: risk assessment and risk score for vulnerabilities.
R155 Monitoring: early detection based on vehicle logs, and rapid response to incidents.
R156 Software Update
316、Management SystemContinuous safe updates throughout the vehicle lifecycle ISO/SAE 21434 and WP.29 work together to protect vehicles on a global scale62 2023 Upstream Security Ltd.All Rights ReservedDOES R155 ALIGN WITH IN-FIELD THREATS?Upstreams research team analyzed publicly reported automotive cy
317、ber incidents that occurred in 2022,and correlated them to the seven threat categories presented in Annex 5 of R155.4.3.7 Potential vulnerabilities that could be exploited if not sufficiently protected or hardened4.3.1 Threats regarding back-end servers related to vehicles in the field4.3.2 Threats
318、to vehicles regarding their communication channels4.3.5 Threats to vehicles regarding their external connectivity and connections 4.3.6 Threats to vehicle data/code4.3.3.Threats to vehicles regarding their update procedures 4.3.4 Threats to vehicles regarding unintended human actions facilitating a
319、cyber attack 2022 cyber incidents categorized by R155 threats&vulnerabilities42%31%14%6%3%2%2%Source:Upstream Security63 2023 Upstream Security Ltd.All Rights ReservedTHE REGULATORY LANDSCAPE IS CHANGINGLawmakers and regulators are rethinking regulations and their urgency as the smart mobility ecosy
320、stem evolves and new apps and services are launched.In August 2021,President Biden signed an executive order that set an ambitious target of 50%of EV sales share in the US by 2030.125 In 2022,the Biden Administration followed up with$7.5 billion for EV charging infrastructure through the Bipartisan
Infrastructure Law, with the goal of building out the first-ever national network of 500,000 EV chargers. [126] In 2022, EU lawmakers [127] as well as California regulators [128] took "zero emission" a step further and approved a ban on new fossil-fuel cars starting in 2035. As governments around the world push forward this transformation, and amid the rapid growth of software-defined vehicles, legislators and regulatory bodies are becoming more aware of cybersecurity risks to vehicles, infrastructure, and consumer privacy, and are starting to work on new regulations to address them. This also includes autonomous vehicle regulations.

In March 2022, China's Ministry of Industry and Information Technology (MIIT) issued its Guidelines for the Construction of the Internet of Vehicles Cybersecurity and Data Security Standard System. [129] These new guidelines present a roadmap for protecting China's Internet of Vehicles network, focusing on strengthening the standards and technical requirements for connected vehicles and smart mobility. Given the fast adoption of self-driving and growing V2X risks, the guidelines set specific regulatory goals for 2023 and 2025.

In the US, the California Public Utilities Commission (CPUC) awarded GM's Cruise a driverless deployment permit, and it officially started charging fares for driverless taxis in San Francisco in June 2022. [130] The permit includes restrictions on maximum speed, operating hours, and specific areas that do not include any active heavy rail crossings or streets with light rail transit. In China, Baidu was granted commercial licenses for fully driverless taxis in two cities, Wuhan and Chongqing, subject to operating-hours restrictions and multiple levels of testing. [131] In Japan, the National Police Agency (NPA) announced its plans to incorporate Level 4 autonomous driving into traffic law in April 2023. [132] The framework for the upcoming legislation was put in place in April 2022, when the Japanese government passed a bill that introduced new rules for next-generation mobility. [133] The updated traffic law will allow the movement of unmanned vehicles on public roads throughout the country, under a permit from the public safety commission of each Japanese prefecture. It includes certain conditions such as remote monitoring, location verification, and adoption of security measures against cyber attacks.

Right to Repair regulations are evolving as well, which may result in increased safety and cybersecurity risks. In February 2022, US lawmakers introduced two different Right to Repair bills, the Freedom to Repair Act of 2022 (H.R. 6566 [134]) and the Right to Equitable and Professional Auto Industry Repair (REPAIR) Act (H.R. 6570 [135]), to ensure consumers can get vehicles, electronic devices, and agriculture equipment serviced by independent outlets. [136] No additional progress has been made on either bill in the last 12 months. In Maine, a coalition of independent auto repair shop owners, employees, and others began collecting signatures for a statewide referendum, with the goal of putting it on the ballot in November 2023. The proposal would require automakers to make wireless repair and diagnostic information available to independent shops in Maine. [137] The initiative is similar to one that Massachusetts voters approved in 2020 that expanded access to vehicle data and allowed independent shops to repair increasingly sophisticated automotive technology. [138] The Massachusetts law is currently being challenged by OEMs in federal court in an attempt to block it. In October 2022, GM told a federal judge that it cannot comply with the law since it poses safety and cybersecurity risks, sets an impossible timeline, and conflicts with a number of federal laws. [139] To avoid violating the law, Subaru and Kia disabled the telematics system and associated features on new cars registered in Massachusetts. [140] In Australia, the new Motor Vehicle Information Scheme (MVIS) took effect July 1, 2022, requiring OEMs to make service and repair info