In 2016, 89% of all attacks involved financial or espionage motivations. 30% of phishing messages were opened in 2016 – up from 23% in the 2015 report. 95% of breaches and 86% of security incidents fall into nine patterns. 70% of cyber attacks use a combination of phishing and hacking.
Do you really know how good your employees are at detecting phishing and social engineering attacks? Know Before is an excellent service to give you that data before it happens.
Upstream Security’s 2020 Automotive Cybersecurity Report shares in-depth insights and statistics gleaned from analyzing 367 publicly reported automotive cyber incidents spanning the past decade, highlighting vulnerabilities and insights identified during 2019.
Automotive-related cybersecurity incidents surge
“With the rapid rise of attacks on the automotive industry, OEMs and smart mobility providers need extensive visibility and clarity into the threat landscape, helping them design the proper security architecture spanning their vehicles and cloud environments,” said Oded Yarkoni, Upstream Security’s VP of Marketing. “Our annual automotive cybersecurity report shows that the threats faced by the entire industry are real and increasingly more prevalent.”
Upstream’s 2020 Automotive Cybersecurity Report introduces some of the key findings of the AutoThreat Intelligence research team for 2019 as well as solutions used by the industry going forward:
Connected vehicles are already taking over: 330 million vehicles are already connected, and top car brands in the US market have stated that only connected vehicles will be sold by 2020. This fact alone exponentially increases the potential damage of each attack. A wide-scale attack could potentially disrupt an entire city and even lead to catastrophic loss of lives.
The number of automotive cybersecurity incidents has increased dramatically: Since 2016, the number of annual incidents has increased by 605%, with incidents more than doubling in the last year alone.
Most incidents are carried out by criminals: 57% of incidents in 2019 were carried out by cybercriminals to disrupt businesses, steal property, and demand ransom. Only 38% were the result of researchers with the goal of warning companies and consumers of discovered vulnerabilities.
A third of all incidents involved keyless entry attacks: The top three attack vectors over the past ten years were keyless entry systems (30%), backend servers (27%), and mobile apps (13%).
Everyone is affected, from automotive companies to consumers: Over the past ten years, every type of company in the smart mobility system was affected. This includes OEMs, fleets, telematics and after-market service providers, and ride-sharing services, along with consumers who have had their property and private information stolen.
A third of incidents resulted in car theft and break-ins: The top three impacts of incidents over the past ten years were car thefts/break-ins (31%), control over car systems (27%), and data/privacy breaches (23%).
The vast majority of incidents in 2019 involved remote attacks: 82% of incidents in 2019 involved short and long-range remote attacks, which do not require physical access to the vehicle and can be carried out from anywhere in the world.
Awareness is increasing: More automotive vulnerabilities are being listed, with 66 CVEs listed to date. The use of bug bounty programs, which has been popular in enterprise infosec, is on the rise as more automotive companies adopt it as a way to discover vulnerabilities. These programs offer compensation to researchers (white hat hackers) who discover and report vulnerabilities to the owner company. Additionally, government officials and consumers are demanding regulations and laws to protect them against cybercrime in the automotive space.
The industry is adopting a multilayered security approach: This involves new regulations and standards, security by design, in-vehicle and cloud-based automotive cybersecurity solutions, and expanding SOCs to VSOCs (Vehicle Security Operations Centers) for early detection and rapid remediation.
The realization is beginning to dawn on the aviation sector that, yes, it could. In the Maersk attack, the business was hit, not the vessels. But as security researcher Chris Kubecka reported last month, cybersecurity risks in aviation extend to planes in the air.
Modern aircraft are “flying data centers” that “travel around the globe,” but the aviation industry poorly understands how to protect passengers from cybersecurity risk, according to a new report from the Atlantic Council on aviation cybersecurity.
Now, without fully understanding the risk, without the technical expertise to mitigate that risk, and without sufficient financial or regulatory incentives to do so, the industry is stumbling into the future, and hoping nothing bad happens while they figure things out.
If the aviation industry seems unprepared to meet this challenge, the new report offers insight into what’s holding it back.
Risks and rewards of going digital
The aviation industry has leapfrogged ahead of security to reap the efficiency gains to be had from rapid digitization, and is now looking over its shoulder realizing security issues can come back to bite it at any moment, with consequences ranging from disruption of land-based systems, to malware infections of aircraft, or even — at the extremely unlikely end of the spectrum — a class break that affects hundreds or thousands of aircraft all at once.
A Luddite might say leaving analog behind was a mistake. But the efficiency gains from the shift to digital should not be underestimated, Pete Cooper, an aviation cybersecurity expert at the Atlantic Council, tells CSO, pointing out that aircraft safety has improved with more granular data collection. “For example, if data from a system means that you service it based off its actual operating life and not arbitrary dates/times, it can drastically reduce engineering downtime,” he says. “Additionally, if that system data suddenly shows a high rate of wear (for example), then it means that it can be brought in early for checking based on condition.”
Increased data collection also leads to more efficient flight paths, reduced flight times, lower fuel usage and CO2 emissions, and so forth, he points out.
The flip side of that coin, however, is the risk of a catastrophic cybersecurity incident. Unlike analog safety issues, such as a part wearing out or a flawed procedure that leads to pilot error, security issues, like the software they corrupt, scale. It only takes a single vulnerability for another Petya or NotPetya to happen.
Safety vs. security
Flying remains one of the safest ways to travel, and that’s due in large part to continuous efforts to improve air safety. Cultural norms in aviation have rewarded and incentivized a whistleblowing culture, where the lowliest mechanic can throw a red flag and stop a jet from taking off if he notices a potential safety issue.
Contrast that with the often-fraught issue of reporting security vulnerabilities, where shame and finger-pointing and buck passing are the norm. The report highlights the problem, writing, “Across much of the cybersecurity landscape, there arguably remains a stigma about discussing cybersecurity vulnerabilities and challenges that go beyond managing sensitive vulnerabilities.”
A wormable exploit or a backdoored software update — like the backdoored MeDoc software update that started the Petya worm — could cause safety issues at scale. It’s unclear that the aviation industry’s traditional safety thinking is sufficient to meet this challenge.
For instance, the report calls out the need for greater information sharing on aviation cybersecurity threats, acknowledging the risk of a Maersk-like scenario and observing rather drily that “other sectors have seen the scale and costs from a single vulnerability and ‘wormable’ exploit. Given the criticality of the sector, combined with disruptions that could scale rapidly, there remains much to do to understand the aviation-cybersecurity landscape.”
The report also calls out the growing awareness that good-faith security researchers are needed, but figuring out how to deal with them is causing some consternation in the industry. “There was strong agreement that good-faith researchers were a positive thing for the aviation industry, but perspectives on guidance, legal clarity, and ease of vulnerability disclosure all remain unclear or difficult to navigate,” the report notes.
In the meantime, fasten your seatbelt and stow your tray table. We may be in for some turbulence before we get where we all want to go.
From disrupting elections to targeted ransomware to privacy regulations to deepfakes and malevolent AI, 141 cybersecurity predictions for 2020 did not exhaust the subject, so here are an additional 42 from senior cybersecurity executives.
“2019 saw the cybersecurity industry start to explore AI-based solutions. In the coming months, cybercriminals will start to do the same, integrating AI and machine learning into their malware programs to bypass and infiltrate targeted systems. Current cybersecurity measures rely on ‘detection and response,’ but as attackers begin to leverage AI to bypass existing solutions, companies will be left at a significant disadvantage against these seemingly undetectable campaigns. We could see AI-based malware become prominent in day-to-day attacks”—Guy Caspi, CEO, Deep Instinct
“In 2020, we’ll see an increasing number of cybercriminals use AI to scale their attacks. AI will open the door to mutating malware based on attackers using genetic algorithms that are capable of learning, increasing their chances of success. What’s particularly concerning is that these mutations often bypass traditional anti-virus solutions by altering their signature or structure along the way, meaning the malicious payload is free to wreak havoc on systems”—Maty Siman, Founder and CTO, Checkmarx
“In 2020, at least one company will come forward announcing a detection made by AI/ML, really championing the use of AI and ML for this purpose. As the use of AI/ML evolves, we will see these tools for what they are, new methods to complement industry cyber-defense, and not the magical silver bullets they are currently perceived as”—Stephen Jou, CTO, Interset, a Micro Focus Company
“In 2020, we will see the most significant implementation of AI to date, with this technology being used to not only proactively monitor and fight advanced threats, but also secure users in zero trust environments as they share critical information across countless endpoints in the IoT. It’s no longer about siloed threat prevention and endpoint management, but rather dynamic (frictionless) solutions that combine these offerings to remove human error from the equation, while simultaneously learning, adapting and empowering end users to be productive, safe and collaborative”—Charles Eagan, CTO, BlackBerry
“At least three US States will declare states of emergency due to waves of ransomware in 2020. Ransomware, which carried a price tag of over $10 billion this year in attacks, will continue to plague state and municipal agencies lacking appropriate skills, controls, and ransomware countermeasures. If that isn’t worrisome enough, we predict there’s a 20 percent chance this could escalate to a national level”—Jon Oltsik, Senior Principal Analyst and Fellow, Enterprise Strategy Group (ESG)
“Ransomware will continue to both dominate headlines and cause havoc in 2020. The complexity of the attacks and the packaging of Ransomware-as-a-Service will continue to increase, while organizations grapple with both prevention and implementing practices to respond appropriately. Responses by organizations will be split between those who recover from backups, and those with more limited options who opt to pay the ransom”—Danny Allan, Vice President of Product Strategy, Veeam
“Over the coming years, the rate at which the cybersecurity industry experiments with and adopts new techniques from the scientific machine learning community will continue to increase, allowing systems to make semi- or even fully-autonomous decisions in defending information systems and their users. These new defense techniques will be crucial, as it’s likely that cybercriminals will begin executing ‘wetware’ attacks by combining automated content generation and manual human effort to personalize attacks against targets, and evade the current generation of defenses”—Joe Levy, CTO, Sophos
“While privacy rights related to personal data have been top of mind recently, there is one area where consumers are becoming more lenient with sharing their data—their safety. The physical and cyber security markets are seeing more and more use cases for AI-based threat intelligence and security solutions that become more intelligent with more access to data. Organizations must prioritize education around data sharing, and teach their employees how data can be used to enhance safety and optimize the balance between machine learning and humans in 2020”—Imad Mouline, CTO, Everbridge
“AI-driven decision making isn’t going anywhere. We observe the way it works, but we don’t fully understand why. This brings up a whole new form of vulnerability, because if it’s suddenly mis-trained, there is no way to test it. Cybercriminals can develop an information advantage because they don’t care or comply with privacy regulations. In 2020, the hardest to detect operations will be the ones that are doing the best job of learning from AI”—Michael Tiffany, Co-Founder and President, White Ops
“Threat actors will increase the use of AI to analyze defense mechanisms and simulate behavioral patterns, bypassing security controls and leveraging analytics and machine learning to hack into organizations. Threat actors, many of which will be state-sponsored, will increase their use and sophistication of AI algorithms to analyze organizations’ defense mechanisms and tailor attacks to specific weak areas. We’ll also see bad actors accessing the data streams of organizations and using the data to further orchestrate more complex attacks”—Dr. Torsten George, Cybersecurity Evangelist, Centrify
“As we see more instances of AI in 2020 and a continued development of facial recognition technologies, we will begin to see government entities declaring privacy regulations on what data businesses can and cannot use. Next year, we will see which governments will allow this level of technology within municipalities and discuss the cyber vulnerabilities associated with this type of use case”—Chris Downie, CEO, Flexential
“Deepfakes will take center-stage in the 2020 election as real identity becomes harder to verify. This technology will be used to generate false videos of political candidates being made to say or do almost anything, and these videos can be produced in near real-time. That risk is further amplified by how quickly video content is spread on social media networks, and it typically takes some time for companies to remove deepfake content from their platforms. The methods and sophistication at which false information can be spread is continuing to grow, and voters will need to remain wary of where and how they get information”—Stephen Ritter, CTO, Mitek
“AI bots and deepfakes will challenge the very definition of fair and open elections, one of the pillars of any democracy. The technology is so widely available, difficult to detect and powerful, that its use by all parties with a vested interest in the outcome of the 2020 U.S. Presidential election is a given”—Chad Steelberg, CEO and Chairman, Veritone
“One huge concern regarding deepfakes in 2020 is their potential in blackmail, and especially sextortion, that are ‘leveled-up’ with AI deepfakes that make fake videos of anyone. If a sextortion campaign were to threaten to release a deepfake image or video of someone, it would likely be much more successful than the average campaign that doesn’t have doctored materials. In 2020, we’ll see regulatory bodies realize the need to update revenge porn laws to include deepfake images and videos”—Ashlee Benge, Threat Researcher, ZeroFOX
“In the last election, foreign actors did a pretty good job of interfering through low-key, under-the-radar social. To make the American populace lose confidence you don’t have to hack a hard target, but you could make it look like you did or you’re trying. You don’t have to take out voting booths to spread misinformation about taking out voting booths. Expect news stories, propaganda, and stunts specifically designed to shake the public’s confidence”—Joan Pepin, CSO, Auth0
“In 2020, cyber warfare will continue to be used as an instrument of foreign policy. Cyberweapons are increasingly being used in geopolitical conflicts, often in conjunction with traditional kinetic weapons. Since 85 percent of the US’s critical infrastructure is owned by the private sector—and the DoD and FBI have neither the resources nor the legal standing to defend civilian assets before they’re attacked—enterprises will need to significantly boost their cyber defenses and perhaps even their offensive capabilities to protect themselves from nation-state attacks”—Phil Neray, VP of Industrial Cybersecurity, CyberX
“The balkanization of the internet is going to drive big business model innovation in software. To avoid subjecting themselves to government subpoenas, companies will start making creative use of boundaries to split where they store their data and where they store their encryption keys. In 2020, companies will start using country borders as an unexpected regulatory safeguard to provide customers with better data security”—Max Wessel, Chief Innovation Officer, SAP
“Data is more valuable today than gold and it’s more than just CEOs and CMOs who are realizing this; malicious cybercriminals are too. As we start a new decade, organizations will need to put more focus on discovering where all of their data lives, determining whether it’s sensitive and how to best secure it. New compliance standards like the California Consumer Privacy Act (CCPA) are creating an opportunity for organizations to develop good data management policies that allow them to better protect themselves from data breaches”—Peter Duthie, Co-CEO & Chief Architect, Ground Labs
“A global standard for cybersecurity is expected to become a top priority across industries, as businesses make bigger strides toward securing their Operational Technology systems against increased cyber threats”—Mirel Sehic, Global Director of Cybersecurity, Honeywell Building Solutions
“Supply chain attacks will increase in 2020, making protecting and managing the supply chain essential to operational survival. More organizations are moving their supply chain to the cloud and bringing on smaller, niche organizations, to support specialized skills which will broaden the potential vulnerabilities and management challenges. Companies must have solutions in place that give them full visibility into their supply chain network, and tools that allow them to identify and respond to threats swiftly”—Munya Kanaventi, Senior Director of Information Security, Everbridge
“2020 will be the year we realize that current cyber security methodologies are no longer sufficient to protect data. Billions upon billions of sensitive records were stolen in 2019 and the public will penalize organizations that don’t take real steps to protect their data”—Brad Schoening, Principal Architect, Privitar
“We’ll see the number of 5G attacks grow in 2020 with the net augmentation of connected devices. The main threat here is in how the hackers can abuse a connected device and find a flaw to access a linked account or vice versa. To protect against attacks through connected devices, an important step/action is to make sure each account linked to an object is ultra-secured”—Guillaume Bourcy, Sr. Director of Data Solutions, TeleSign
“With online shopping showing no signs of slowing down, fraudsters are moving away from in-store fraud and instead continuing to prioritize card-not-present (CNP) fraud—which is expected to balloon at a compound annual rate of 14% through 2023, costing retailers $130 billion. In 2020, we will also see increased attacks related to omnichannel shopping, as merchants now need to manage fraud across a growing number of devices, and it’s easier than ever for criminals to extend stolen credentials across channels”—KC Fox, SVP Technology Services, Radial
“Cybersecurity is eclipsing operational efficiency as the central concern for IT organizations in healthcare, due to complex and vulnerable ‘business associate’ relationships among industry entities, many of whom are struggling to manage their own polyglot technical infrastructures built around ancient legacy systems”—Frank Ingari, President, Tandigm Health
“There are two major trends emerging. The first is the concept of CASE (connected, autonomous, shared, electric). As technologies such as 5G lead to increased connectivity alongside advances in proprietary and open source software (e.g., Automotive Grade Linux), we’ll see targets move beyond the vehicle. Malicious actors will leverage new, evolving attack vectors in backend systems, mobile apps, infrastructure and services relating to automotive technologies”—Dennis Kengo Oka, Senior Solution Architect, Synopsys
“In addition to an increase in ransomware and business email compromise, in 2020 we will also begin to witness an increase in API extortion. Many businesses offering SaaS and IT solutions have multiple open APIs, which puts them at risk. We now need to profile and identify the baseline normalities to API gateways, so that we can work to detect abnormalities and potential pathways for attackers. As security professionals, we need to continue to lead our companies in increasing our security posture, actively working to become more resilient by putting concrete practices in place as we see APIs start to come under attack”—Sharon Reynolds, Chief Information Security Officer, Omnitracs
“In 2020, we will see a rise in attacks across productivity and mobility platforms, following a year in which businesses were laser focused on simplifying the end-user experience, creating rapid communication and automating mundane tasks. With this focus, they failed to acknowledge the security implications of these new tools and attackers have begun to leverage these same benefits to access and hide in plain sight. As such, we can expect to see malicious actors continue to do so in the new year”—Joshua Douglas, Vice President, Threat Intelligence, Mimecast
“With the continued move to deploy smart technology throughout our cities with lighting, traffic control, mobility solutions, fire and safety operations, smart cities will become an even bigger target in 2020. Expect to see more cyberattacks (think ransomware and malware) against them, which will greatly disrupt the smart technology and how these cities operate. This could potentially have serious impacts on day-to-day life and could even bring city life to a screeching halt”—Deral Heiland, IoT Research Lead, Rapid7
“Smart cities will look to embedded cybersecurity in the coming year. Malicious actors can disrupt and paralyze smart devices with Remote Code Execution, altering their well-planned, fine-tuned operations. Infrastructure disruptions, direct liability and ransomware are just a few of the potential outcomes of losing control over these software defined systems. Attacks can go far beyond ransomware attempts. They can disable utilities, schools, and shopping centers, and take down an entire power grid”—Assaf Harel, Co-founder and Chief Scientist, Karamba Security
“In 2020, healthcare organizations (HCOs) will take the following steps to mitigate rising security concerns: (1) gravitate towards more security standards, including HITRUST, and require additional levels of controls and certifications from all systems connected to their organizations; (2) more closely monitor user behavior and activity to maintain control; (3) slow some of the innovation and development they desire next year in order to adhere to a more conservative risk profile”—Robin Cavanaugh, CTO, GetWellNetwork
“There is an increasing demand by consumers to control their data, not only in terms of opting in to the use of their data but, more specifically, what their data can be used for by an organization. The ability to select which services or analytics are relevant and then specifying which data sets can be leveraged by the individual consumer will be a significant differentiator for organizations able to provide this level of choice”—Neil Correa, Cyber Strategist, Micro Focus
“We have already learned that using the same password for everything and ones containing extremely personal information is not a good idea. But what about the randomly generated ones that websites now provide for us? Just because the site is suggesting a ‘verified’ safe password with random symbols and letters combined doesn’t ensure complete protection from cyber hackers who in the near future could configure these algorithms and start the next wave of password hacks”—Rajesh Ganesan, VP, ManageEngine
“In 2020, the combination of the lack of security talent and the increasing level of sophistication in the techniques employed by hackers and cybercriminals will finally jumpstart a refresh cycle in the SIEM and SOC space. Next year, companies will double down on their use of security analytics and automation to help understaffed and alert-fatigued security teams protect mission critical systems and sensitive customer data. We will also see a wave of innovation that focuses entirely on moving SecOps teams from a reactive posture to a proactive posture when it comes to cybersecurity”—Greg Martin, VP and GM, Security Business Unit, Sumo Logic
“Breaches and hacks continued to dominate the headlines in 2019; however, following the theft of user data, 2020 will be the year of account takeover. With cyberattacks and data breaches now commonplace, account takeover attacks will be on the rise”—Geoff Huang, VP Product Marketing, Sift
“As automation increases across the IIoT network, the need to support legacy infrastructure will create more challenges in maintaining trusted environments. We’re likely to have more than 75 billion connected devices accessing the internet by 2025, creating insatiable power demands and security vulnerabilities. From an industry and provider perspective, the focus will be on preventing outages to ensure 99.9999% uptime while securing networks. It’s a growing challenge, and one that will continue to accelerate through 2020”—Michael Regelski, SVP and CTO, Electrical Sector, Eaton
“As organizations allocate more budget to data security, boards of directors will demand that those investments serve a double duty—improving the security of information assets and driving the business by enhancing user productivity or reducing spending on legal and compliance operations. They will require specific metrics and regular reporting to prove that these goals are being achieved”—Ilia Sotnikov, VP of Product Management, Netwrix
“We will see an increase in the number of M&A deals in 2020 and security needs to be a key component of any M&A strategy. Companies need to learn from the headaches faced by Marriott in 2018 when it acquired Starwood and inherited a breach of guest data. If companies lack solutions that provide adequate visibility into their own systems as well as those of the companies that they are acquiring, we will see similar breaches take place in 2020”—Anurag Kahol, Co-Founder and CTO, Bitglass
“As enterprises continue to adopt cloud services across multiple cloud service providers in 2020, we will see a slew of data breaches caused by misconfigurations. Due to the pressure to go big and go fast, developers often bypass security in the name of innovation. All too often this leads to data exposure on a massive scale”—Chris DeRamus, Co-Founder and CTO, DivvyCloud
“5G, AI, LMR + LTE and UAS will be the biggest movers and shakers in public safety. In 2020, smart states will replace smart cities, and anything that can be connected will be connected. If there is no cellular/broadband connectivity, Private LTE networks will fill that coverage gap. Cloud and edge computing, along with 5G will enable AI technology and machine learning”—Estee Woods, Director, Public Sector and Public Safety Marketing, Cradlepoint
“GDPR and CCPA (California Consumer Privacy Act) are just the tip of the iceberg with regards to the protection and consumer control of consumer data. Over the course of the next decade, consumer control of personal data can be expected to increase dramatically as governments and regulators drive new privacy legislation. In time, these regulatory actions will likely lead to complete consumer control of personal data and opportunities for consumers to directly monetize their data or directly exchange data for goods and services”—Buno Pati, CEO, Infoworks
“IT security has always been a priority, but OT security will require the same level of attention. OT security involves protecting manufacturing robots, refinery equipment, nuclear reactors, power substations and the like from intruders. There are large differences between OT and IT security breaches, and OT needs to improve its approach”—Richard Beeson, CTO, OSIsoft
“The build, test, and deploy component of DevOps will become a top priority in 2020. There is a growing emphasis on one pillar of the DevOps process—building, testing, and deploying, and what can be done to optimize this critical component of software development. The answer lies in continuous integration and continuous delivery. CI/CD is a process and mentality change whereby moving faster and testing smaller, more atomic units you end up building a much better, higher quality application. Test now, test often, and automate anything that developers need to do more than twice”—Jim Rose, CEO, CircleCI