New Delhi: India’s electric vehicle (EV) market is at an inflexion point. EVs accounted for about 5% of total vehicle sales between October 2022 and September 2023—and could reach more than 40% penetration by 2030 owing to the government’s Electric Mobility Promotion Scheme, incentivising people to buy EVs. While this is a great step towards achieving India’s net zero goals, the ever-present cybersecurity threat must be considered as this system is built out.
A recent study found that in 2023, the number of large-scale incidents potentially impacting thousands or even millions of mobility assets increased by x2.5. Additionally, 95% of cyberattacks are executed remotely and 85% are long-range, indicating the need for robust security mechanisms to be built into electric vehicles and the corresponding infrastructure such as charging stations.
Given EVs’ interconnected nature and reliance on local power grids, a new set of risks is created for drivers, companies and infrastructure. This makes it critical for all organisations within the EV ecosystem to adopt a preventive security approach to get ahead of threat actors and deliver secure vehicles and infrastructure.
What could possibly go wrong?
EVs present enticing targets for malicious actors seeking unauthorised access or control. EV systems such as navigation and optimal route planning rely on WiFi and cellular networks to provide real-time updates. If threat actors compromise these networks, they can access key systems that put drivers at serious risk or create massive disruptions. For example, if malicious actors gain control of the vehicle’s primary operating system, they could at a minimum “brick” the vehicle, or in a worst-case scenario, disable software-controlled braking or steering systems.
A study by HSB found that globally, 44% businesses fear that malware would damage or destroy their vehicles’ data, software, or operating systems. More than half (56%) are somewhat or very concerned about their vehicles being immobilised, and their safety compromised (54%).
Most vehicle components are manufactured outside the final assembly plant by third-party manufacturers. This extends risk beyond the assembly plant to all manufacturing facilities and the plants of all supply chain partners. These risks include the introduction of malicious code into the vehicle components by a bad actor. The illicitly modified components would then be assembled into vehicles without anybody knowing the difference. A study by AT&T found that 61% of organisations are in the ideation, research, planning, and proof-of-concept stages when it comes to integrating security of edge devices.
The increasing EV adoption in India has also given rise to the demand for EV service equipment like charging stations, which are quickly cropping up across the country. Charging stations record information such as the vehicle owner’s credit card data, Vehicle Identification Numbers (VIN) and information tied to drivers’ EV application profiles. Such vulnerable charging stations offer a potential path to exfiltrate data that could compromise driver accounts. This is perhaps why only 21% of automotive industry executives across the world, believe that customers will trust OEMs to safeguard their data
Public charging stations use local power grids. Attackers could compromise charging stations and move laterally to infect car systems with advanced persistent threats (APTs) that lie in wait until cars are plugged in. Another attack vector would be lateral movement to other charging stations, preventing EV owners from charging their vehicles on a massive scale, a very disruptive action. Another example would be to use charging stations as a way to manipulate the grid itself, disrupting power supplies.
How do we fix this problem?
EV vendors, servicing organisations and owners in the EV ecosystem need security solutions that address device code integrity, user access and overall operational security. user logins and access. Intersections (e.g., APIs), be they device to device such as EV to charging station, vehicle to cloud, or charging station to the cloud must be investigated for vulnerabilities and secured.
Critically within vehicles, there exists an implicit trust relationship between the various components – essentially the ABS system trusts the Infotainment system just because they are both inside the same vehicle. This model may have been acceptable before hyper-connectivity existed, but in today’s rapidly evolving environment, it is quite dangerous. Something like the Infotainment system should at least be isolated from critical safety components, similar to what’s done in commercial IT networks today. By reducing the number of intersections at all positions of the interconnected EV universe, for users, it’s possible to limit the overall attack surface.
EV manufacturers bear the responsibility to secure the vehicles being manufactured. EVs are essentially computers on wheels, many of which are embedded in hardware systems. The result is the perfect setup for firmware failures if manufacturers don’t take the time to ensure proper system isolation and the integrity of system firmware.
Full visibility and continuous monitoring: To mitigate OT and IoT risks, manufacturers need full visibility into all the operational assets that control sourcing, fabrication and assembly processes. Deep knowledge of all types of devices in the OT network, including patch levels, firmware versions and backplane information, is essential. EV manufacturers must account for dormant devices not communicating regularly over the network. This is done with on-premises device monitoring.
We need to consider the extended support infrastructure as well. As mentioned earlier, devices such as EV charging systems are entry points for malicious activity. These devices, which may be considered “IoT in nature, must be secured and monitored. Vulnerabilities must be assessed and mitigated, and the devices monitored to ensure no malicious activities emanate from them.
Prioritised remediation: To ensure vulnerabilities are remediated promptly, the monitoring of the extended EV infrastructure must perform risk prioritisation such that the biggest risks are identified quickly. Doing so requires a unified Exposure Management solution that can monitor risks on different types of technologies such as on-prem, cloud, OT and IoT and from one place. In other words, complete and continuous visibility from a single perspective is essential.
Prevention is better than reaction: Preventive security solutions like exposure management identify policy violations, anomalous behaviours and vulnerabilities allowing for preventative actions to be taken. This allows organisations in the ecosystem, to set and fine-tune detection methods so they are optimised for their environment. Exposure management also provides organisations with context-rich alerts, so they can quickly respond and mitigate threats impacting operations and safety.
As the connected vehicle ecosystem becomes more complex and introduces large-scale cyber risks, EV organisations must take a multidimensional approach to cybersecurity. The approach must consider all potential ways an attacker could compromise the integrity of the overall EV ecosystem – not just a single view. Disparate organisations must also cooperatively share data and act collaboratively. Only then can we ensure a highly reliable and very safe EV infrastructure.
