Well before a highly publicized Jeep hack last year raised C-suite and board-level concern over the cybersecurity of connected cars, my firm was contracted by a prominent automaker to perform a confidential “ethical hacking” exercise. We staged a nation-state-style attack on the enterprise and, after many weeks of work with a large team, achieved complete control, such that we would have been able to interfere with corporate and manufacturing networks and interactions with the vehicles.
Welcome to the cyber criminal’s new territory: the expanding and dynamically changing “attack surface” of the connected car, that is, the totality of the potential points of unauthorized entry. The good news is that hacking in this space requires very advanced skills and significant funding, so your average “script kiddie” won’t be taking over connected cars any time soon. The bad news is that well-funded and skilled adversaries are seen to be turning their attention to car companies and cars, having already hit most other industries. Now, even as the auto industry works to better understand car hacks, it can take three immediate steps to mitigate them (and the physical danger to its customers): understand the attack surface, continually assess the threat actors, and take a holistic approach to cyber governance.