How Cyber Immunity Will Change the Auto Industry

Today, cars are no longer simply vehicles but entire networks on wheels, and they need robust security measures to prevent hacking. Our solution can help with this.
Andrey Fadin
Product Manager

Distant Hijacking and Smartphone Cars

In 2015, cybersecurity experts Charlie Miller and Chris Valasek demonstrated the vulnerability of modern vehicles to hacking by remotely taking control of a Jeep Cherokee on a busy highway. This event highlighted the growing risks associated with the digital transformation of cars, which now effectively resemble network-connected smartphones.

At that time, Miller and Valasek spent three long years developing software to exploit the Jeep’s vulnerabilities. By 2023, by contrast, it took information security specialists just a couple of months to discover numerous vulnerabilities across vehicles from various manufacturers, including Kia, BMW, Ferrari, and more. These known vulnerabilities allow hackers to remotely start engines, access personal data, and even disable critical functions like brakes, posing severe risks to drivers.

Vehicle Cyber-Attack Dynamics and Targets

As of 2023, there are 192 million connected cars globally, and the number of automotive cyber incidents rose by 50% between 2019 and 2023. In 2023 alone, 295 incidents were reported, with the majority being remote attacks. These attacks often focus on vehicle software vulnerabilities, diagnostic software, and tools for manipulating vehicle Electronic Control Units (ECUs).

These attacks have tangible consequences, such as disrupting business processes, leaking personal data, and leading to financial losses. For example, Toyota faced an $8 million extortion demand from hackers after a successful breach. These incidents not only damage reputations but also endanger the lives of drivers and passengers.

Regulatory Framework and New Approaches to Security

For a long time, the automotive industry lacked a regulatory framework to enforce cybersecurity. However, standards like ISO/SAE 21434, ISO 24089, and UN Technical Regulations 155 and 156 now require that new vehicle systems be secure by design. This approach builds cybersecurity mechanisms in at the early stages of system development, treating security on par with usability and cost-efficiency.

Modern vehicles may have over a hundred ECUs managing various functions, but this number is expected to decrease as ECUs evolve into mini-servers running multiple applications. In response to these changes, the AUTOSAR Adaptive standard was developed by an international automotive consortium to address the needs of next-generation ECUs.

Kaspersky is safeguarding the future of car security

Kaspersky, in partnership with German companies, has developed a secure-by-design ECU prototype for Advanced Driver Assistance Systems (ADAS). Kaspersky developed the AUTOSAR Adaptive software layer based on KasperskyOS, while its partners handled the hardware platform and ADAS software development. This design is based on the AUTOSAR Adaptive standard and incorporates KasperskyOS, a microkernel operating system designed for secure, cyberimmune systems. KasperskyOS supports secure communication between vehicle ECUs, smartphones, and cloud services, protecting vehicles from hacking and ensuring safe over-the-air updates.

The KasperskyOS operating system, consisting of a microkernel and the Kaspersky Security System subsystem, provides standard security and enables the development of Cyber Immune solutions. Most potential attacks on a Cyber Immune system are ineffective — it continues to perform critical functions even in an aggressive environment and does not allow an attacker to develop an attack. Importantly, Cyber Immune solutions do not need additional security features — the system already includes all the necessary features.

Having gained experience in this project, we went further and developed the Kaspersky Automotive Secure Gateway (KASG), which acts as a firewall between trusted and untrusted segments of a vehicle’s internal network. It supports various interfaces, including CAN/CAN-FD, Ethernet, and cellular networks, and ensures that vehicle data is securely transmitted and monitored.

The solution received the Best Innovation Award at the World Internet Conference, an annual event organised by the Cyberspace Administration of China, featuring Alibaba Group, Tencent, and Zhijiang Lab.

Cyberimmunity and the Future of the Automotive Market

The global trend towards connected cars is accelerating. Juniper predicts that between 2023 and 2027, the number of connected vehicles will almost double, from 192 million to 367 million units. The rise of connected cars has triggered fundamental changes in the automotive industry, leading to new business models such as smart mobility and car-as-a-service platforms. To support these innovations, functions like online diagnostics and over-the-air software updates have become critical. However, carmakers remain cautious about fully embracing these features due to the potential risks of remote attacks.

Kaspersky’s groundbreaking Cyber Immune approach paves the way for designing inherently secure vehicles, built with security at their core. By minimizing the amount of trusted code that requires rigorous testing, the overall cost of vehicle ownership could be reduced in the long run, despite potential initial increases in vehicle prices.

Conclusion

The automotive industry is on the brink of a cybersecurity revolution, driven by the growing number of connected and autonomous vehicles. Kaspersky’s cyberimmune solutions, built on principles like Secure by Design and supported by new regulatory frameworks, are set to play a crucial role in ensuring the safety and reliability of future automotive systems.
