Yes, the enterprise should be concerned about criminal hackers attacking corporate fleets. Black hat hackers are attracted to vehicles as automotive systems use and share a growing wealth of personal and enterprise data. Cyber thugs will find many points of entry into connected cars and the sensitive internal systems, components, and information inside.
To close those vulnerabilities, cybersecurity professionals should look to automotive cybersecurity companies and vehicle manufacturers for appropriate tools and approaches, and best practices for applying those products and technologies.
Leverage these technical tips for keeping your people and your data safe in vulnerable corporate vehicles.
Assume that in-car Wi-Fi/Bluetooth/USB and other in-vehicle communications channels and connections are hostile.
While attacks on connected cars can target any connected system, says Patrick Dennis, CEO, Guidance Software, and a graduate of RIT, the principle targets include the following lengthy list of safety and entertainment features:
Adaptive Cruise Control systems (ACC), Forward Collision Warning Plus systems (FCW+), Lane Departure Warning systems (LDW+), Park Assist Systems (PAM), Passive Anti-Theft Systems (PATS), Tire Pressure Monitoring Systems (TPMS), Remote Keyless Entry/Start Systems (RKE), HVAC Systems (Air Conditioning & heating systems), Bluetooth Connectivity, Radio Data Systems, Wi-Fi Connectivity (encryption) and open ports, Cellular connectivity, CAN Bus Connectivity, USB connectivity, D-BUS Services, and GPS.
When a criminal hacker or group gains control of one or more of these systems, it makes the system(s) and data packets hostile to other in-vehicle and extra-vehicular systems as well as to your data, and to people in and near the vehicle. By first assuming that these systems are hostile, you can protect each system against infiltration or betrayal by neighboring systems.
Use a zero trust security model to protect data and employees.
A zero trust security model will begin to protect data that passes through or lives in vehicles whether that information touches endpoints, or systems and databases internal to the enterprise that manage vehicles as enterprise systems or assets. Criminal hackers can most certainly attack vehicle systems to get cars and trucks to attack your employees, and zero trust will mitigate much of this, as well.
Zero trust requires least privilege and least access, enforced by Role Based Access Controls and technologies that limit permissions on some systems and deny access altogether on others. Least privilege means removing administrative computer credentials and any other information system privileges that go beyond the minimum necessary for the automotive system, external system or technology, or user to do the job at hand. “Using a model of least privileges will help ensure that if a component is attacked and tampered with the impact to overall vehicle security is low,” says Justin Elze, Principal Security Consultant, OSCP, C|EH, CPTE, CCA, ACSP, TRUSTEDSEC, LLC.
Use these practical technical steps to implement zero trust in connected vehicles
Cybersecurity professionals can ensure secure access for enterprise fleets by insisting that vehicles use access control technologies and approaches that have worked well for other enterprise networks and systems. These technologies and approaches can include HTTPS and other secure protocols and encryption, secure login credentials, private access keys, managed access rights, and segmenting less secure communications channels away from critical safety and data systems.
Cybersecurity pros can ensure least privilege on vehicles where manufacturers implement low-overhead credentialing and authentication systems with revocable permissions, develop time-windowed access control systems, harden gateway (network-bridging) modules to resist leaking information to or from sensitive networks, and encrypt communications occurring in-vehicle behind the gateway module (on all internal, private networks), says Joshua Siegel, postdoctoral researcher at MIT, instructor at MIT’s IoT Bootcamp, and the founder of the automotive connectivity platform CarKnow.
Least privilege must apply to access to the connected car and access to technologies that control the connected car. “Compute clouds that interact with connected fleets are veritable honeypots, providing a single target harboring the information for a large fleet of vehicles; a compromised cloud-based server likely has administrative actuation privileges for its connected fleet,” says Siegel.
Source Reference By : WindowsITPro