If you know about threat modeling, then you know it can help protect applications and cloud infrastructure from security threats. If you’re really up on threat modeling, then you also know it can be used to help protect connected devices, the so-called internet of things (IoT).
Theoretically, any device or system of devices exposed to the internet can be protected by threat modeling. The most common IoT devices include industrial controllers, smart devices, sensors, fire alarms and CCTV cameras. A new and growing category of IoT devices is medical sensors.
But there is another new and growing system of IoT devices that you may not have considered: automobiles. It’s not an exaggeration to say that today, automobiles are computers on wheels. And those computers are connected to the internet.
There are an estimated 1,400 semiconductor chips in a typical automobile today, and many of them are microprocessors or microcontrollers that are part of the car’s network. That’s a lot of IoT devices and a very large attack surface.
Is the Auto Industry Ready?
With such a large attack surface, it should come as no surprise that cyberattacks on automobiles are on the rise. Half of all auto cyberattacks in history occurred in 2021 alone, up nearly 140% from 2020. This raises an important question: is the auto industry ready? And unfortunately, today, the answer is no.
This trend will likely grow as cybercrime and automotive vulnerabilities rise. The auto industry could see a wave of cyberattacks in 2023, causing significant damage if it doesn’t adapt to new security needs. Self-driving vehicle sales could reach 1 million units by 2025 and skyrocket after, so these risks will grow quickly.
Automakers also face risks from connected manufacturing processes. This trend has emerged in other sectors that have embraced IT/OT convergence. Car manufacturers’ attack surfaces will increase as they likewise implement these systems.
What Can Be Done?
Securing automobiles must be done on three different fronts. First is securing the connected cars themselves. The National Highway Traffic Safety Administration (NHTSA) outlines several protection methods for connected cars.
Next is securing the manufacturing process. That includes everything from securing OT (operational technology) systems, to encrypting and segmenting the IoT devices used in the manufacturing process.
Finally, the supply chain must also be secured. It’s not good enough for a car manufacturer to lock down their systems. All of their suppliers must also be locked down. Manufacturers must take a holistic approach to their security.
New Approaches Are Required
So, what’s the answer to the connected car threat? From HelpNetSecurity, “Investing in cybersecurity in the design stage, versus after breaches, will ultimately prove less expensive and more effective in terms of avoiding or mitigating serious crimes involving money, vehicle and identity theft from compromised personal data by the world’s most savvy and ambitious business criminals.”
In other words, automobiles have to join the rest of the cybersecurity ecosystem and become “secure by design”. And what’s the best way to do that? Threat modeling.
Whether it’s the car, the manufacturer or the supply chain, threat modeling takes the holistic view required to lock down today’s automobiles. And a good way to get started with threat modeling is ThreatModeler.