
Chief Information Officer
Cybersecurity threats are top of mind for many in the automotive industry. The high-profile attack on Eagers Ltd that put them into a trading halt in December is making OEM and dealership stakeholders extremely nervous.
These nerves are a good thing.
The threat is real, it needs to be taken seriously, and if you are nervous about it, you are probably also proactive about it, which lessens the chance of you being on the receiving end. Note that I said “lessens” the chance. With the tools available to threat actors, social engineering, and the complexity of today’s IT environments, organisations are encouraged to take the view that they just need to make their houses more difficult to break into than the neighbours’. Making them impervious to attacks is something that even mega-corporations such as banking institutions and the military have been unable to achieve.
Since the cyber incident with Eagers, many of our customers have contacted us to ask how they can avoid the same fate. Short of hiring cyber specialists who can do a full review and hardening of your systems and IT environment, there are a few basic steps that can be taken to make you less susceptible than the business next door. Protection starts with understanding that cybercriminals operate on a similar principle to a standard business – maximising ROI. The time invested in accessing a system vs the value of the data taken or locked out from the business directly affects the profit (ransom) on their investment (time).
The greatest protection you can offer your business is to ensure that anything of value requires significant time and dedication to access, making other targets more appealing. Technology still needs to be the enabler, and when it comes to how far you can go, the answer is forever. But there is a sensible limit. Protections can make technology more difficult to break through, but they also remove convenience for you as a business. Determine your risk profile, and set a sensible limit. In short, your security should be aligned with your business to allow it to be protected but not overburdened.
Here’s where to start:
Basics of protection:
- Patching of systems (making sure you are running the latest operating system updates from your suppliers, across all machines).
- Back up data that is not provided by a professional cloud-based provider.
- Introduce multi-factor authentication (MFA) for sensitive data.
- Password security levels – segment data access by role or seniority and introduce regular password update policies.
- Staff training – best practice data & technology processes, spotting scams/phishing/man-in-the-middle type attacks, and policing remote access to company IT.
Taking it further:
- Data retention planning: beyond the DMS system, what data do you store on-site? Where do you store it and what is the value of that data to the business? Are you only housing data that adds value to the business?
- Draw up & circulate a simple data breach response plan (see the Australian Information Commissioner's guide).
- Engage a cyber specialist company to undertake a security review of your systems and propose tiered-level upgrade and support options.
- Implement an Endpoint Detection and Response (EDR) solution and stress the importance of not just detecting a threat actor, but also deciding what action you will take when you detect one.
- Given many of the attacks are ransomware, it’s worth considering investing in a full disaster recovery site that has snapshot capability so, in the event of a ransomware attack, you can roll back to a point in time before the files were locked. Amazon Elastic Disaster Recovery is a good example of this type of capability and is available for production data via Titan or directly from AWS at https://aws.amazon.com/disaster-recovery/
I understand that “investment” in cyber defence can feel like a sunk cost and, when budgets are tight, the temptation to invest in margin assets rather than defence is high. But, as with other forms of insurance, there is a level appropriate for every business, and those businesses with a consistent approach to improvement will be the toughest prospects for the criminals to target.
The recent breaches within the automotive industry are a stark reminder of the potential cyber-attacks have to cause enormous disruption and cost to an organisation. We should all use them as a valuable reminder to ensure data security is a business priority in the new year.
May you all have a safe, enjoyable, and prosperous 2024.
Ian
Bio: Ian has spent the last 20 years between Australia and the US in senior IT and CIO/CTO roles across large-scale global businesses. Much of this time has been spent providing cybersecurity enterprise solutions for customers such as the Pentagon, US Military, Microsoft, British Telecom, Amex, and American Airlines.
Further Resources:
Ransomware Action Plan (homeaffairs.gov.au)
Cybersecurity Standards – Standards Australia
Cyber Security Principles | Cyber.gov.au
Guidelines for System Hardening | Cyber.gov.au
Watch out for threats | Cyber.gov.au
Published
January 28, 2025
Updated
January 28, 2025