Car cybersecurity companies move up a gear in preparation for new era
8 July 2020 - calcalistech
Israeli companies are bracing for new UN regulations that will require cars to be better prepared for hacks and will become mandatory in Europe in the summer of 2022
Two new UN regulations on cybersecurity and software updates in the automotive industry are set to become mandatory in the European Union for all new vehicle types from July 2022, and Israeli companies in the sector are raring to go.
A scenario in which hackers seize control of cars in Israel is still unlikely, but that could change when every new car in the country will arrive with a cellular modem. Just three weeks ago, the manufacturer of Chrysler, Dodge, and Jeep issued a recall for certain models in Israel, explaining there is a possibility hackers may seize control of some of their cars due to a vulnerability uncovered in their radio and multimedia systems. It was probably no coincidence that the models that were recalled were all personal imports as unlike those sold in the country by the official Israeli importer, they included sophisticated sound systems.
How common is hacking in the auto industry? In theory, it is a very common issue, but in practice it isn't. This is more of a future threat, which may be under our nose, but has yet to be realized. According to official figures from cybersecurity organizations, there were 19,200 security breaches uncovered in vehicles last year. A breach means that hackers could have potentially taken control of certain systems in the car. In the best-case scenario this may have allowed them to change radio stations, but in the worst case, they could possibly control the steering wheel and cause an accident. It is important to note though, that no such cases have been confirmed in Israel or anywhere else in the world, apart from companies that hack into car systems as part of organized experiments aimed at building up the vehicle's security system.
However, in Israel auto hacking presents different issues. For one, when there will be a hacking attempt somewhere in the world and the manufacturer reacts by announcing a recall, it could take up to a year until the models sold in Israel will also finally be recalled. Another problem is the type of threats that exist in Israel.
"Hacking of a vehicle in Israel could be far more problematic than in the U.S. or Europe," said a local expert. "Hacking there may well be a ransomware attack, for example seizing control of 10,000 cars belonging to a rental company and asking for a ransom to release them. But the situation is different in Israel. We are in a country in which hackers are trying to attack our water infrastructure, shut down ports and seize control of security facilities to terrorize the public. To be honest it is surprising that they have so far not tried to cause accidents in military cars. It's unclear whether this is a result of their lack of technological capacity or just luck."
According to Ofer Ben-Noon, co-founder and CEO of Argus Cyber Security, Israeli car buyers ironically benefit from the tendency of local car importers to provide only the most basic accessories with their cars. "In Israel, the risk level is lower than the rest of the world because very few cars are currently being sold with a cellular modem," said Ben-Noon. "In the rest of the world, there are currently very few cars being sold without a modem. That will also soon be the case in Israel and then everything will change."
The two new UN Regulations adopted two weeks ago by UNECE's World Forum for Harmonization of Vehicle Regulations, require that measures be implemented across four distinct disciplines: managing vehicle cyber risks; securing vehicles by design to mitigate risks along the value chain; detecting and responding to security incidents across vehicle fleets; providing safe and secure software updates and ensuring vehicle safety is not compromised and introducing a legal basis for so-called "Over-the-Air" (O.T.A.) updates to on-board vehicle software.
According to Ben-Noon, "it is unlikely that people in Israel will need to bring their car to the garage in order to update its software and that the updates will not take long to be completed. However, the updates will need to be done over the air, meaning via the modems."
Naturally, there is a large number of Israeli companies that provide cybersecurity solutions for vehicles that are waiting for the new UN regulations to become mandatory. According to Tamir Bechor, founding partner of car cybersecurity company CyMotive, which is 40% owned by Volkswagen, "it is important to understand that these are mandatory regulations. If Volkswagen will be required to update its hardware to protect it from cyberattacks this update will have to take place in Israel too. The automotive cybersecurity companies are certainly going to benefit from this."
Dvir Reznik, director of product marketing at HARMAN international, an American company that produces, designs and engineers connected products for automakers, said that the new regulations haven't changed the company's development of cybersecurity solutions, but that it has changed the urgency in which the company is operating. "WP.29 defines regulations covering four areas: vehicle safety, environmental protection, energy efficiency and theft-resistance. Among the numerous regulations, two are of particular importance - cybersecurity and software updates (OTA), that will have a major impact on vehicle manufacturers operating in WP.29 member countries, including Germany, Italy, France, South Korea, Japan and others. While the U.S., Canada and Israel are members of the UNECE, they're not members of WP.29, although I'd assume the new regulations will most likely impact local regulators to act, in Israel and elsewhere.
"HARMAN is a trusted partner to global vehicle manufacturers, and our HARMAN OTA Solution (based on the acquisition of Redbend in 2015) has already been selected by more than 40 vehicle brands, deployed to 38 million vehicles," added Reznik. "Our customers have reached out to learn more about WP.29 and its implications to their operations, but naturally I cannot mention names."