INDUSTRY

Automotive Cyber Security for Connected Vehicles

Schedule a Demo
Automotive Cyber Security
From the earliest car radios to the latest smart car technologies, the automotive industry is constantly innovating around automobile connectivity. For example, using the latest phone apps, cars can be remotely locked, unlocked and started without having to search for a set of car keys. Or vehicles can report engine fluid levels and driver behavior to manufacturers’ databases. But there’s a catch. This same convenience and flexibility from connected cars can be used by thieves to steal a car, or worse remotely control a vehicle while in motion, or impact the privacy of car owners. All of this can come about because this vehicle connectivity is enabled by APIs. A recent report stated that 84.5% of automotive attacks were carried out remotely.

Automotive Cybersecurity by the Numbers

380%

The number of automotive API attacks has increased by 380%, accounting for 12% of total incidents.

203 million

Over 203 million cars can receive software over-the-air (SOTA) upgrades which communicate via APIs.

15.5 million

Researchers gained access to an automotive telematics company with the ability to send arbitrary commands to an estimated 15.5 million vehicles.

Free API Security Assessment

API Protection for Intelligent Connected Vehicles

The automotive industry, including vehicle makers and makers of vehicle onboard communication services and applications that communicate with one another via GPS receivers and other telematics devices are relying heavily on APIs. Only five years ago, on average a car, included 100 million lines of code. The sheer number of APIs involved in all this code makes them a prime target for attackers. The consequences of a compromised vehicle include:
Injuries and Accidents

Injuries and Accidents

It’s only a matter of time before someone is injured from an exploited and out of control vehicle. Even the ability to remotely open doors can cause driver distraction and accidents.
Standards Violations

Standards Violations

Not meeting standards such as the UNECE R155 or ISO 21434 related to the cyber security of management systems for vehicles can mean legal implications if vehicle systems are compromised due to API exploits related to hosted services, secure software development and unauthorized access.
Liability and Reputation

Liability and Reputation

When it comes to vehicle safety, and cybersecurity, regulators pay close attention. So with API security, manufacturers must ensure their applications are operating in a secure and standard way and implement proper oversight and governance. The liability and reputational damage could seriously impact the bottom line.
Privacy and PII

Privacy and PII

Vehicles carry a lot of personally identifiable information (PII) and vehicle-related PII can lead to myriad types of fraud. API security flaws could allow attackers to access internal dealer portals, query a VIN number and takeover customer accounts remotely. Not only could this give attackers access to PII, but also change ownership of a vehicle.
Disruptions to Automotive Supply Chain

Disruptions to Automotive Supply Chain

A typical vehicle has up to 150 electronic control units (ECU). When it comes to APIs, and the ECU software embedded in millions of vehicles, it can take weeks to correct software flaws. And that can mean huge disruptions to vehicle supply chains.

Limitations of Traditional Solutions to Automotive Cybersecurity

When it comes to APIs used by connected vehicles, the security teams that oversee that connectivity simply lack the visibility and defense capabilities they need to protect the ever-growing risk from APIs and other application connections. Many believe that compliance with industry standards and a “shift-left, DevOps” approach are sufficient solutions to protect their APIs. The problem with these strategies is that they don’t have a way to “know the unknown”, meaning they aren’t able to look for all APIs, including legacy and shadow APIs, and API vulnerabilities without knowing where to look. Even if all APIs are discovered and “known”, attackers can still leverage seemingly legitimate traffic to gain control of a vehicle. Traditional approaches that use WAFs or API gateways depend on easily evadable detection, lack the real-time ability to discern good from bad API activity and are reliant on static, least common denominator protection spread across multiple technology components.

Cequence Secures the Automotive Industry

But there is good news as potential API cyber security events associated with vehicle systems seem to stem from known API risks. Outside of physical security break ins by cracking locks and stealing vehicle records from a glove box, most API vulnerabilities can be associated with the OWASP API Security Top 10 list.
Cequence Security believes in taking a holistic approach to defending against API-related vehicle cybersecurity automotive risk with a market-defining Unified API Protection solution that goes beyond traditional API security that may focus solely on one aspect of the API protection journey. Achieving true peace of mind for comprehensive API attack protection means traveling through six distinct steps associated with the Unified API Protection solution:
Cequence API Protection lifecycle
Outside-in discovery: Viewing an organization’s API attack surface from a threat actor perspective to know the unknown.
Inside-out inventory: Performing a comprehensive API inventory, including all existing APIs and connections.
Compliance monitoring: Keeping APIs in compliance with specifications, standards and regulations such as the OpenAPI Specification and ensuring ongoing API governance.
Threat detection: Continuously scanning for threats, including subtle business logic abuses and malicious activity that has not yet been observed.
Threat prevention: Employing countermeasures such as alerts, real-time blocking and even deception, without the need for added third-party data security tools.
Ongoing API testing: Integrating API protection into development, which shifts API security left within the organization, so risky code doesn’t go live.
Unified API Protection is different from fragmented or incomplete API protection offerings because it’s a methodology designed to account for multiple types of risk, across every phase of the API protection lifecycle.

Why Cequence?

With the Cequence Unified API Protection solution, customers can continue to reap the competitive and business advantages of ubiquitous API connectivity. The Cequence solution results in attack futility, failure, and fatigue for even the most relentless of attackers. It significantly improves visibility and protection while reducing cost, minimizing fraud, business abuse, data losses and non-compliance.
Try It Now
Cequence for Automotive Cyber Security

Get an Attacker’s View
into Your Organization

Free API Security Assessment
Cequence Logo
100 S. Murphy Avenue
Suite 300
Sunnyvale, CA 94086

+1 650 437 6338
Contact Us
Book a Demo
FOLLOW US
Twitter LinkedIn Youtube
PRODUCTS & SERVICES
INDUSTRIES
RESOURCES
SOLUTIONS
PARTNERS
COMPANY
© 2018-2023 Cequence Security, Inc. All rights reserved.
Privacy Policy | Cookie Policy | Responsible Disclosure Policy.