On May 26, Propulsion Québec, the cluster for electric and intelligent transportation, organized an event dedicated to cybersecurity and safety in transportation. The event brought together 17 experts and 150 participants. Among them, François Couderc, Head of Business Development – Security and Cybersecurity Segment at Thales, recalled the essential elements that make up a cyberattack and shared several best practices.
Vehicles are evolving rapidly to become autonomous, connected, electric, shared and now present a larger attack surface. In 2020, more than 200 cybersecurity incidents in the vehicle industry were reported. According to Forbes, all suppliers and manufacturers have suffered attacks to date.
Who are the perpetrators of cyberattacks?
- Individuals who, even with few resources, can have a significant impact;
- Organizations (criminal, terrorist, ideological) that are becoming increasingly structured and powerful;
- States whose financial means and expertise can lead to targeted and large-scale attacks;
What are the objectives of cyberattacks?
- Destabilize: interruption or reduction of services, traffic accident.
- Financial gain: theft of vehicles, goods, intellectual property, ransomware.
- Modify: performance, gain access to services not included.
These attacks often undermine trust in the company, affecting everything from its reputation to its stock market valuation.
The transport and vehicle sector is a prime target for hackers, because of:
- value: transport of valuable, rare goods or people;
- accessibility of information: attack techniques are catalogued and available, for good or bad intentions;
- growing vulnerability: systems have evolved and become increasingly numerous and therefore easier to compromise.
How to increase the resilience of equipment?
There are numerous entry points! Nowadays, it is possible to compromise an emergency braking system, to penetrate vehicles during maintenance or an update. Charging infrastructures must not be overlooked; they too must be secured!
When facing ransomware, the golden rule should always be not to pay the ransom because that money helps strengthen malicious organizations. To be able to refuse, measures must be taken well before attacks occur.
In cybersecurity, resilience is planned in advance.
Here are some best practices to follow:
- Have your organization, processes and equipment assessed.Rely on experts in comprehensive cybersecurityand not only IT.
- Rely on solid standards: the ISO/SAE 21434 standard, which will be released soon, is dedicated to road vehicles and cybersecurity engineering. From governance through design to decommissioning,learn more about this standard which will take effect in 2022.
To ensure the future of the vehicle industry, it is essential that cybersecurity requirements be an integral part of requests for proposals. Finally, the debate must be opened: do not keep an attack secret, stay up to date on security, and work together to better protect ourselves!
