Volvo Breach Highlights Need for Securing Auto R&D DataNext-Gen Security Measures Essential for Auto Manufacturers, Some Experts Say
On Dec. 10, Swedish automobile manufacturer Volvo Cars said that one of its repositories had been illegally accessed by a third party and that threat actors had stolen a "limited amount" of the company's research and development property during the intrusion.
The Volvo data breach is the latest cyberattack targeted at the automotive industry. Auto manufacturers are not only staving off traditional forms of cyberattacks such as ransomware, but are also facing threats arising from telematics and connected vehicle components. Scale, geolocation and massive volumes of data generated from millions of endpoints add to the complexity.
Recent Cyberattacks in the Automotive Sector
Research shows that over 200 cybersecurity incidents were reported in 2020, and this year has also seen its fair share of cyberattacks.
In February, U.S. automobile major Kia Motors was hit by a ransomware attack by the DoppelPaymer gang. According to a report by Bleeping Computer, the incident was a double-extortion attack, with a ransomware gang demanding $20 million for the decryptor key in addition to its assurance that it wouldn't leak the data.
Following the incident, Kia Motors suffered a "nationwide IT outage" that affected its mobile apps, phone services, payment systems, user-facing websites and internal supply chain apps.
In June, the personal information of 3.3 million customers - including the sensitive data of 90,000 Volkswagen and Audi customers - was exposed after an unauthorized third-party access. Investigations revealed that the data was left unsecured for 21 months.
In October, German auto component supplier Eberspächer Group was forced to send its workforce on paid leave after a targeted cyberattack crippled its IT systems, according to a report by news platform The Record.
While most of the earlier attacks either threw a company's operations off track or affected the firm's supply chain, the cyberattack on Volvo Cars specifically targeted the firm's research data.
The incident opens up questions about the cyber resiliency of automotive companies, especially around securing intellectual property.
Securing R&D Data
"Protecting key assets, such as research data, is especially critical in a high-intensity market like automotive. Manufacturers must continue to look at how they treat, store and share data to protect these assets," Chris Clark, solutions architect in automotive software and security at automotive tech company Synopsys Inc., tells Information Security Media Group.
Pauline Losson, cyber operations director at French digital risk protection firm CybelAngel and former security analyst at France's Department of Defense, identifies two major risks related to R&D data or intellectual property that is compromised through ransomware or data theft: "One risk is to see the R&D being shared with competitors, which may ruin years of research investment. Another one happens if the bad guys are willing to use this information to launch another attack," she tells ISMG.
Losson says that a deeper knowledge of the cars' software may give hackers the tools to target the cars themselves and customers at the end of the chain.
Most data breach incidents are a result of R&D data being left on an unprotected cloud bucket, or drive, or a Network-Attached Storage device, she says. The origin, in most cases, is a third or fourth party that was negligent.
To protect the intellectual property of automotive or auto component manufacturers, William Telles, chief information security officer of Autoglass Brazil, says that companies must continue to evolve access controls to prevent both unauthorized access and legitimate access, while also taking behavioral changes into account. It is not enough to shield the environment with technologies that restrict access from suspicious countries or IPs, he says.
"The big problem arises when a legitimate identity is stolen and used in a malicious way." To prevent this, Telles says, organizations must perfect identity and access management as the first step in protecting R&D data.
Supply Chain Complexity
Losson says the length and complexity of the automotive industry's supply chain is the industry's main weakness, and CISOs must work with other departments - procurement, product, marketing and logistics - to better assess their partners in terms of information security.
Clark says, "Software is at the core of innovation, and the recent wave of ransomware and supply chain attacks have demonstrated that compromised software can have a devastating impact on an organization."
Echoing the Biden administration's cybersecurity executive order, Harshini Carey, information security strategist and consultant at cybersecurity firm Trustwave, says that maintaining a list of software inventory and assets goes a long way in being able to secure intellectual property in automotive companies.
Next-Gen Security Measures
Some automotive security experts say that the advent of telematics and connected devices in the automotive sector has increased the attack surface, and so traditional IT protection methods, such as penetration testing, software life cycle management and establishing security operations centers are simply not enough.
"The drive to reduce 200 platforms that must be supported to 20 or fewer is an ever-increasing need, as is the focus on designing an in-house SOC and next-generation in-vehicle networks," Clark says.
The automotive SOC, or ASOC, has been in development for a few years. Operating an ASOC is vastly different from running a traditional IT SOC. As automotive and aviation cybersecurity firm Argus says: "Running an ASOC process efficiently needs constant improvement and expansion of the automotive use case library."
This means auto manufacturers will have to continually add new data feeds and create new detection rules. And ASOCs face increased challenges from scale and geolocations and the need to manage millions of endpoints, each generating massive volumes of data. These are problems that traditional IT SOCs do not face.
Snatch Ransomware Group Responsible for Volvo Breach?
While publications such as Bleeping Computer and AutoEvolution reported that the Snatch ransomware group had claimed responsibility for the attack on Volvo Cars, the Swedish car maker tells ISMG that it hasn't contacted or been contacted by the hacker group.
"We are aware that an organization called Snatch has claimed responsibility for the property theft Volvo Cars is investigating. Volvo Cars is not in contact with the third party," says Merhawit Habte, global public relations, Volvo Cars.
She says that the company is working with third-party specialists, and the investigation of the breach is underway. The company declined to share its findings of how hackers accessed its intellectual property and how much of the R&D data was stolen.