The role of insurance in shaping the future landscape of automotive cybersecurity
With automotive Original Equipment Manufacturers [OEMs] responding to the growing demand for convenience and accessibility from customers, the number of connected devices present within vehicles is rising exponentially.
This, of course, is a positive development from a purely functional perspective, but the expansion of connected ecosystems is creating the risk of vulnerabilities that can be exploited to seize control of vehicles.
Indeed, according to cybersecurity and data management platform Upstream, cyberattacks perpetrated against cars have soared by 225% over the last three years. These attacks vary greatly in nature, but the most common types include data or privacy breaches, as well as thefts or break-ins via a vehicle’s wireless key fob mechanism.
It’s not simply the growing number of devices present within petrol and diesel cars that must be considered. Sophisticated software for advanced driver safety features in electric vehicles [EVs], including emergency braking and collision avoidance, is particularly vulnerable to hacking, while the potential for data breaches when using public charging stations looms large.
With EV sales set to grow by almost 25% in 2024 alone, many more motorists are expected to fall victim to cyberattacks in the coming months and years.
How automotive cyberattacks are impacting insurance
As digital ecosystems within vehicles become more complex and numerous over time, the threat of cyberattacks will continue to grow, as will the number of attack methods that criminals have at their disposal. This will inevitably result in a surge of insurance claims relating to the exploitation of vehicle cybersecurity.
Although a relatively new frontier for auto insurance – with traditional risk considerations revolving around liability and conventional theft – cybersecurity is becoming an increasingly important focus for insurers.
Now, insurers must evaluate how drivers are impacted by in-vehicle device malfunctions, and whether these malfunctions are related to hacking, which can be difficult in itself to determine. If hacking is found to have taken place, however, this then raises the question of who should take responsibility. In other words, should the vehicle manufacturer, the technology supplier, or even the user themselves be liable?
Irrespective of who’s found to be at fault, it’s likely that we will begin to see insurers writing off vehicles because they don’t trust the parts present within them. This, of course, makes sense if the potential cost of a cyberattack is deemed to be higher than the market value of the vehicle itself. The implication of this could be that, over time, there are many more older cars on the road than new ones.
After all, many people may not want to run the risk of their vehicle getting written off in the event of an attack. In this sense, drivers may determine that sticking with an older car that doesn’t have all the technological bells and whistles that a newer model does is a safer bet from a security viewpoint.
Indeed, there is evidence that this is already starting to take place, with the value of used, recent Range Rover models having plummeted in the UK earlier this year. At the time, it was reported that this had happened in response to the rise of technology-armed criminal gangs targeting luxury SUVs, which had prompted the insurance premiums of many Range Rover owners to rise rapidly. This spooked many would-be buyers, and the used market tanked as a result, greatly depreciating the value of certain newer models.
In the worst-case scenario, owners of three-year-old Range Rover Evoque hybrids saw the average price for their car fall by 33% – or £13,170 – compared to what it had been worth 12 months previously. With new cybersecurity threats constantly emerging, and the technology at thieves’ disposal growing increasingly sophisticated, there’s a good chance that we will see many other vehicle brands hit by falling vehicle values for similar reasons as time goes by.
What are the challenges for OEMs?
For OEMs, this presents a significant problem.
After all, with manufacturers investing billions into expanding their EV and connected car offerings, the potential threat that cyberattacks – and the high insurance premiums they lead to – pose to new vehicle sales cannot be ignored.
On top of this, OEMs who fail to properly validate what technology goes into their vehicles run a serious risk of litigation in the event that an attack takes place. For example, in 2019, Jeep owners brought a class-action lawsuit against Fiat-Chrysler, claiming that the company knew about, but failed to fix, significant cybersecurity holes in its cars.
Although the lawsuit ultimately failed, it served to illustrate the potential legal threats presented to OEMs who are accused of failing to address – or otherwise wilfully neglecting – cybersecurity vulnerabilities. If they want to be in with the best chance of keeping their vehicles – and, thereby, themselves – safe from attacks, manufacturers must adopt a ‘born secure’ approach to vehicle design.
This effectively means assigning a digital birth certificate to a device – known as a trust anchor – that is inserted into each unit as it rolls off the production line. Trust anchors provide a line of communication between the device itself and external systems, enabling OEMs to prove that all parts present within are legitimate and can therefore be trusted. Via the trust anchor, manufacturers can then remotely assess both a device’s history and its current state following deployment. However, the additional data associated with a device’s identity unlocks the true power of being ‘born secure’.
This can include information such as whether a device has passed a Quality Assurance [QA] test, whether it was sold in region A or region B, and potentially even which customer it belongs to. With the trust anchor, OEMs can then remotely access this data, ensuring that it and other sensitive information is kept secure. As a result, manufacturers can greatly boost customer confidence in the technology, increase usage, and avoid insurance premiums being hiked considerably in response to attacks.
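The remote check described above can be sketched as a challenge-response exchange. This is an added example, not Trustonic's code or API: it assumes a per-device symmetric key and HMAC-SHA256 standing in for the trust anchor, and every name in it (`provision`, `device_respond`, `backend_verify`, the record fields) is hypothetical.

```python
import hashlib
import hmac
import json
import secrets

def provision(registry, device_id, qa_passed, region):
    """Factory step: create the trust-anchor key and the birth record."""
    key = secrets.token_bytes(32)
    record = {"device_id": device_id, "qa_passed": qa_passed, "region": region}
    registry[device_id] = {"key": key, "record": record}
    # The device keeps its own copy (assumed to live in protected storage).
    return {"key": key, "record": dict(record)}

def make_proof(key, nonce, record):
    # Canonical JSON so both sides authenticate identical bytes.
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, nonce + body, hashlib.sha256).digest()

def device_respond(device, nonce):
    """Device side: report the birth record, bound to the fresh nonce."""
    proof = make_proof(device["key"], nonce, device["record"])
    return {"record": device["record"], "mac": proof}

def backend_verify(registry, nonce, response):
    """OEM side: returns (trusted, reason)."""
    claimed = response["record"]
    entry = registry.get(claimed.get("device_id"))
    if entry is None:
        return False, "unknown device"
    expected = make_proof(entry["key"], nonce, claimed)
    if not hmac.compare_digest(expected, response["mac"]):
        return False, "bad proof of identity"
    if claimed != entry["record"]:
        return False, "record differs from factory record"
    if not claimed["qa_passed"]:
        return False, "device never passed QA"
    return True, "ok"

if __name__ == "__main__":
    registry = {}  # constructed sample data
    ecu = provision(registry, "ecu-0001", qa_passed=True, region="A")
    nonce = secrets.token_bytes(16)
    print(backend_verify(registry, nonce, device_respond(ecu, nonce)))
```

The fresh nonce stops a recorded response from being replayed, and comparing the reported record with the factory copy catches a part that claims a different region than the one it was sold in.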
How Trustonic can help automotive OEMs
At Trustonic, we understand that many OEMs will require support in achieving these goals by ensuring that devices are born, and remain, secure throughout their lifetime.
By incorporating our Trusted Execution Environment [TEE] into their devices, manufacturers can separate critical code and data from the less secure parts of their devices, thereby ensuring that security forms an intrinsic part of the design process, instead of being a mere afterthought.
The TEE provides OEMs with a robust foundation to build a wide range of secure applications and services across their device architecture. This supports them in ensuring compliance with both existing and emerging regulations and, in doing so, builds trust among consumers.
The solution has been certified against a Common Criteria protection profile defined by GlobalPlatform to EAL5+, positioning it as the ‘gold standard’ for consumer Internet of Things [IoT] cybersecurity. As cyber threats accelerate, and the insurance landscape changes in response to them, it’s vital for OEMs to avoid taking a backseat approach to their vehicle cybersecurity.
We have helped countless manufacturers to enhance security and achieve compliance with regulations all around the world, and are constantly looking ahead to what’s coming down the tracks. Therefore, we are perfectly positioned to support OEMs in ensuring that their devices are ‘born secure’, and that their investment in new vehicle technologies isn’t seriously undermined by attacks.