Cyber crime in the automotive sector remains a highly topical issue in 2022. Although modern vehicles are still used to transport people and objects, the technology in the background has been revolutionized. What rolls along the roads millions of times a day could confidently be described as mobile mainframes that work quite independently and lead a lively life of their own in the background, while the person behind the wheel thinks they have everything under control. Studies show that half of the vehicles in the EU will have connectivity by 2025, and by 2030 this proportion will be 78%. In the U.S., the projected figures for the share of connected cars are even higher: 72% in 2025, and as high as 96% by 2030.
The Internet of Things makes vehicles vulnerable to attack by cybercriminals
Software Defined Products as well as autonomous and smart technologies in vehicles such as telematics, V2X communication and infotainment are virtually invitations for hackers to attack, and they require a comprehensive Cyber Security Management System (CSMS) as envisaged by the EU. As of July 2022, the new cybersecurity regulation is mandatory for all new vehicle types in the European Union. From mid-2024, the use of a certified CSMS will be mandatory for every vehicle type at the time of type approval.
And that’s sorely needed, because 4G and 5G connectivity make it possible to access connected cars remotely even with little basic knowledge. All it takes is a bit of information from the darknet, where the relevant software for such attacks can also be bought, and a manipulated game console, as hackers in the UK have shown. At least five cars worth a total of 210,000 euros, taken with a Game Boy, show how great the temptation is. Unfortunately, the understanding of digital security in networked ecosystems is often still in its infancy. Our interview with our CEO, Dr. Michael Müller, on Cyber Security Management Systems answers important questions about CSMS and the new UNECE (United Nations Economic Commission for Europe) regulations for the automotive industry.
Europe’s largest car dealer hacked
Hackers in Switzerland put Europe’s largest car dealer out of business earlier this year. The Emil Frey Group watched as its website, online service and telephone system collapsed. A turnover of around ten billion euros and a workforce of 22,000 employees seemed a worthwhile incentive for cyber criminals to target the family business, a winner of the Digital Automotive Award. With the slogan “We buy your car,” the Frey Group wanted online sales to reach a 20 percent share of total sales by 2025. The German market was to take the lead in this. The criminal cyber scene is just waiting for such ambitious plans. Destruction is their main concern, and taking what they can financially in the process is their ultimate goal.
The annual damage caused by cyber crime is immense for the German economy
As the IT industry association Bitkom recently calculated, the German economy alone suffers annual damage amounting to 223 billion euros or, put another way, six percent of Germany’s gross domestic product in 2021. According to a study by the association, nine out of ten companies as well as government agencies and banks are affected by data theft, espionage and sabotage; in Germany alone, just under 50% of companies were victims of a cyber attack at least once in 2022.
Companies should not pay a ransom
Extortion using so-called ransomware plays a leading role in this. According to a recent study by the security service provider Sophos, 42 percent of the companies affected play along. The average ransom paid in an extortion case is 253,160 euros. The possibility of insuring against ransom demands certainly contributes to faster compliance. On top of that, the whole thing is tax-deductible. But what appears to entrepreneurs under pressure to be a quick fix is rejected by security officials, such as the German Federal Criminal Police Office (BKA).
Organized cyber crime becomes a geostrategic risk
The BKA expressly advises against paying ransoms and points out that, despite payment, the extortionists often do not decrypt and release the affected files and programs. That is why 22 IT experts have now appealed to federal politicians. They see highly organized crime behind ransomware and describe it as a geostrategic risk that must be tackled at its roots. The IT specialists’ demand is: no more insurance against cyber-attacks, no more tax write-offs and, above all, no more giving in to ransomware demands.
Magility Cyber Security and Cyber Crime
At least since the adoption of the UNECE regulations, CSMS have been mission critical: without a CSMS there are no vehicle approvals, and without approvals OEMs are left out in the cold. At Magility, we have long focused on the problem of cyber crime in the automotive sector. Years ago, we developed a Cyber Security Management System (CSMS) for the automotive industry, which is continuously updated and integrates all UN regulations (UNECE WP.29) and standards such as ISO/SAE 21434 and ISO/AWI 24089.
A CSMS forms the basis for automotive cyber security and is based on a uniform standard. Cyber security is now anchored not only at the project level but also at the organizational level and defines a procedural framework. This means that not only vehicles are protected against attacks, but also the entire digital ecosystem of the company.
Only recently, we spun off Magility Cyber Security GmbH to give this important topic its own space. Magility Cyber Security GmbH (MCS) is now your competent partner for the holistic implementation of a CSMS and a Software Update Management System (SUMS). The cyber security experts at MCS will be happy to advise your company and accompany you in the implementation of a CSMS and, if required, a SUMS across all process stages along the supply chain and throughout the entire life cycle of the vehicle. For more information, please contact our Magility cyber security experts.