What Are the Potential Consequences of Cyberattacks on OEMs?

The automotive industry has changed drastically in the past decade, becoming increasingly software-driven. However, higher reliance on software comes hand in hand with a higher risk of cyberattacks, because a more complicated system backend has more potential entryways that malicious hackers can exploit. A cyberattack on an OEM can have dire consequences: it may affect sensitive company and customer data, disrupt supply chain operations, and tamper with vehicles produced by the OEM. This blog will explore some of the potential consequences of cyberattacks against OEMs.

Data Breaches

One of the biggest cyber threats to an OEM is a data breach. If an OEM’s system is attacked and a data breach occurs, the stored data could be stolen, compromised, or deleted, leading to various adverse effects on both the customers and the OEM.

During a data breach, malicious hackers can steal confidential customer data, such as personal identification numbers (PINs), social security numbers, medical records, and more. This valuable information can either be leaked or posted on the dark web for purchase. In any case, if the customers’ confidential data is exposed, malicious actors can use it to commit fraud, phishing, or any number of other criminal activities. Not all data breaches are aimed at retrieving customer data. Sometimes cyber criminals may want to access sensitive company information and steal trade secrets or intellectual property. Some breaches are purely destructive, with hackers accessing confidential data only to destroy it.

Data breaches are extremely dangerous as they not only compromise data but also lead to a loss of customer trust in the OEM. On top of that, OEMs may face legal consequences or be fined for negligent cybersecurity practices, which can end up costing a fortune.

Sometimes a breach into a company’s system may not be limited to stealing sensitive data. Malicious hackers may encrypt the data and request a ransom in exchange for a decryptor. Ransomware is designed to deny a user or organization access to files on their computer. By encrypting these files and demanding a ransom payment for the decryption key, cyber attackers place organizations in a position where paying the ransom is the easiest way to regain access to their files.

In 2021, Kia Motors America allegedly suffered a ransomware attack, where the hackers requested $20 million to decrypt files and not leak confidential data. During the alleged ransomware attack, the OEM’s portals suffered a system outage. This resulted in the disruption of services where customers and dealerships across the country were unable to access their data. While financial damages were never disclosed, this incident ended up damaging the OEM’s reputation.

A cyberattack on an OEM can cause significant harm to customer data, leading to financial loss, legal consequences, and loss of customer trust. As such, it is crucial for OEMs to invest in robust cybersecurity measures to protect themselves and their customers from potential cyberattacks.

Supply Chain Disruptions

Software plays a critical role in making sure the automotive sector’s supply chain operates efficiently and effectively. A cyberattack on an OEM, or any other company within the supply chain, could disrupt the production of components that are critical to the supply chain. This could lead to delays in operations, holding up the delivery of final products down the supply chain. Delays in the supply chain will ultimately slow down the rollout of vehicles to customers. If this happens, not only does the OEM suffer financial losses, but the company’s reputation will also take a major hit. A similar incident happened in 2022, when a supplier of Toyota suffered a cyberattack. As a result, the OEM had to halt production, which ended up slashing production output by a third.

The effects of a cyberattack on the supply chain can be disastrous, so industry regulations like WP29 and ISO/SAE 21434 hold OEMs accountable for enforcing cybersecurity practices. This means that OEMs are obligated to make sure that cybersecurity measures are implemented across every company in the supply chain. This includes monitoring and auditing cybersecurity throughout the supply chain to demonstrate enforcement of the regulations at all times.

OEMs need to encourage cybersecurity measures at the base of all IT operations within the company and throughout the supply chain. Implementing cybersecurity measures is not limited to installing sophisticated cybersecurity software. It also includes utilizing encryption and authentication, as well as educating employees on cybersecurity practices that need to be honored in day-to-day operations.

Vehicle System Disruptions

While supply chain disruptions and data breaches have negative consequences on operations, finances, and company image, a cyberattack on a vehicle can escalate into a life-and-death situation.

Modern vehicles run on around 100 million lines of code which enable many advanced features beloved by customers. Unfortunately, hackers can exploit vulnerabilities in complex vehicle software to gain unauthorized access to in-vehicle systems. We have seen reports of hackers breaking into vehicles using car infotainment systems, key fobs, or Wi-Fi dongles. But hackers can also gain access to a car by attacking the OEM’s server. Hackers can inject malware into a company’s server, which can then spread to the vehicle’s systems via over-the-air software updates or other connections. The malware can then allow them to take control of the vehicle’s functions or steal data.

If the OEM system has remote access capabilities, through cellular or Wi-Fi connections, hackers can attempt to exploit vulnerabilities in these connections to gain access to the vehicle’s systems. This can allow them to remotely control the vehicle’s functions, such as acceleration, braking, and steering. If malicious hackers gain control of a vehicle, this can wreak havoc on the roads and put millions of lives in danger.

Companies must secure in-vehicle systems and conduct regular security assessments to mitigate the risks of vehicle-targeted cyberattacks. The automotive industry can collaborate with cybersecurity experts to stay on top of vehicle cybersecurity regulations and best practices. This can help the industry get access to effective solutions that address emerging cybersecurity risks. For instance, AutoCrypt IVS specializes in securing in-vehicle systems by protecting the vehicle from external attacks, monitoring communications within the vehicle, and responding to any abnormal activities.

The increasing reliance on software in the automotive industry has created new cybersecurity risks. To address these risks, OEMs have to prioritize cybersecurity within the company, across the supply chain, and in every vehicle on the road by developing a comprehensive cybersecurity framework. Cybersecurity should be ensured on multiple levels. First, OEMs must secure internal IT systems and operations. On the second level, OEMs will need to secure the supply chain and encrypt all communications between partner companies. Lastly, OEMs must employ in-vehicle security measures that make sure vehicles are protected against internal and/or external threats.

The Changing Automotive E/E Architecture and What it Means for the Supply Chain

Computer on Wheels: The Software-Oriented Car

The E/E architecture of the car is changing dramatically. As the common saying “computer on wheels” suggests, automotive technologies are now divided into two streams: the “wheels” and the “computer”. The “wheels” represent the hardware, the good old engines and hydraulics that keep the car rolling, while the “computer” represents the software programs that give instructions to the hardware on what to do. Cars are literally becoming computers, where software programs utilize hardware resources to deliver results.

This is not to say that hardware is no longer important. Of course, the core of the vehicle still lies in its hardware, which serves as an ultimate indicator of its performance. However, as OEMs continue to introduce software-enabled features from adaptive cruising to hands-free voice command, the average car buyer cares less and less about horsepower and torque, and more about tech features and carbon footprint. As a result, most of the innovations and breakthroughs in the automotive industry today occur on the software end, guided by four major industry trends: connectivity, electrification, automation, and mobility-as-a-service (MaaS).

Likewise, the more consumers demand these features, the more OEMs must focus on improving them. This cycle has not only brought significant changes to the car manufacturing process but has forced the OEMs and Tier 1 suppliers to redefine their roles and responsibilities, leading to a ripple effect down the entire supply chain.

In this article, we will look at some major changes and trends with regard to vehicle architecture.

Centralization of the E/E Architecture

Up until recently, Tier 1 suppliers have been responsible for both hardware and software. They supplied OEMs with complete vehicular parts integrated with the necessary software, while software firms mostly acted as Tier 2 suppliers who provided their technologies to the Tier 1 suppliers. This architecture worked because when electronic systems were first brought into cars, they were simple programs that served as add-ons to the existing hardware. Each of these systems was built into an electronic control unit (ECU), which would then get integrated into the hardware. Individual ECUs have very low computing power, so every ECU is designed to control only one part of the hardware. Take the remote key fob for example: the ECU that manages the door lock system receives the signal, then instructs the door on what to do.

However, as more and more sophisticated add-on features were built into the car, the traditional architecture has become very costly and inefficient. Drivers today expect their smart keys to not only control the door lock system, but also allow them to remotely switch on the car, adjust the climate, and even give the car instructions for self-parking. This means that the smart key features alone require up to a dozen ECUs, each in charge of a single function.

To support even more complex features like the adaptive driving assistance system (ADAS), which requires the cooperation of many cameras and sensors, a typical car today can contain up to a hundred ECUs. Clearly, this scattered vehicle architecture is becoming increasingly expensive and unsustainable because there is simply not enough space in a car to accommodate hundreds of ECUs and wires.

This has led to a major change in the electrical and electronic (E/E) architecture of the car. Instead of having an entirely distributed model, with every ECU serving a particular function, the industry is moving towards a centralized E/E architecture. OEMs are starting to group all ECUs by their domains of service in a process called domain consolidation. For instance, all ECUs and sensors related to the powertrain are grouped into one domain, while all those related to the infotainment system are grouped into another domain. Each domain is then controlled by a domain controller, which consolidates all the functions within that domain to ensure optimized system performance. Lastly, a gateway collects all information from the domain controllers and communicates that information to external parties when necessary.

This centralized E/E architecture is expected to significantly reduce the number of wires and increase the overall computing power of the vehicle. Expected to become the predominant vehicle architecture by the mid-2020s, this new model will help OEMs reduce manufacturing costs and free up room for more software features to further enhance the capabilities of autonomous vehicles, contributing to a seamless driving experience.

Segregation of Hardware and Software

The increased complexity of software-enabled features has led to another change: the separation of hardware and software in the car manufacturing process. As the E/E architecture becomes centralized, it is no longer efficient to build hardware parts with individual software programs attached. Manufacturers now need to build more complete software programs that oversee a whole domain of functions. As a result, it becomes more efficient to segregate the manufacturing process of hardware and software components.

Therefore, instead of having a single piece of software added onto every hardware element, both the hardware and the software are treated as core components in the architecture. Additionally, with the increased sophistication of software technologies, software components need to be developed on specialized platforms segregated from the hardware.

Soon after, the industry may reach a point where a few software programs take control of all the functions of the hardware, just like how a single operating system controls all the hardware of a computer.

What it Means for the Supply Chain

For many decades, the automotive supply chain operated like a tier system. The OEMs were at the top of the pyramid, after which Tier 1 suppliers like Magna, Bosch, and Continental supplied completed parts to the OEMs. Raw materials were provided by Tier 2 suppliers. With a sudden surge in software needs throughout the past two decades, software firms joined the supply chain at Tier 2. These firms provided middleware and software development kits for every hardware component and sold them to the Tier 1 suppliers so that they could integrate them into the hardware. Many of the Tier 1 suppliers also set up their own software divisions or acquired software firms to enhance their power.

Today, most Tier 1 suppliers are responsible for integrating software functions into hardware parts, after which the finalized parts are sold to the OEMs. In other words, Tier 1 suppliers oversee the software integration process, while OEMs have the power of determining which parts to use.

However, the current model is facing another disruption. As the E/E architecture gradually becomes centralized, software programs are clearly becoming more crucial to the car. At the same time, the segregation of hardware and software means that more specialized software providers will emerge in the market. The role of the OEMs will be to consolidate the software platforms into their vehicle hardware. Currently, most software components are non-differentiated, meaning that they could be installed across different vehicles. As the centralization process continues, a significant portion of software will be differentiated, which means that it would need to be programmed specifically for individual car models. As such, it is crucial for OEMs to work closely with the software suppliers because once a software platform is fixed, the entire system would need to be built on that platform. Once a software platform is locked in, it becomes very expensive for the OEM to switch to other alternatives.

Clearly, these changes will likely disrupt the tier system and flatten the automotive supply chain so that suppliers of hardware, software, and semiconductors, along with OEMs, play equally important roles. Instead of having one supplier working on top of the other, horizontal collaboration is more important than ever. Eventually, the automotive market could look very similar to the PC and smartphone markets, where hardware manufacturers consolidate components provided by semiconductor firms and software companies.

AUTOCRYPT and Its Role in the Automotive Supply Chain

As an automotive cybersecurity vendor, AUTOCRYPT is taking a crucial role on the software end of the vehicle manufacturing process. As an end-to-end solution provider that covers every dimension of security, from in-vehicle and V2X to EV charging and fleet management, AUTOCRYPT is actively working with OEMs and infrastructure developers to build a strong foundation for connected mobility by offering a complete cybersecurity ecosystem.
