Nine out of 10 cyberattacks launched at automotive manufacturers are not aimed at the original equipment manufacturers (OEMs) themselves, but at other companies in their supply chains, according to a study from cybersecurity software and service provider VicOne.
That trend means that third-party suppliers—including logistics providers, service providers, and companies engaged in the production of components, accessories or parts—have emerged as a growing focus of attacks, the company said in its “VicOne Automotive Cyberthreat Landscape Report 2023.”
One reason for rising attacks is the increasing complexity of vehicles and their integration of connectivity, automation, and advanced driver assistance systems (ADAS). Most of the security issues were found on chipsets or systems-on-chip (SoCs), followed by vulnerabilities in third-party management applications and in-vehicle infotainment (IVI) systems, the report said.
One problem in preventing such cyberattacks is the regulatory vacuum concerning vehicle data, the report said. However, VicOne said that a new United Nations cybersecurity policy known as UN R155 will mandate safety conditions for newly manufactured cars beginning in July 2024.
But in the meantime, auto industry losses are growing from cyberattacks such as ransomware and exposure of leaked data or personally identifiable information (PII), as well as costs associated with system downtime.
“Alarmingly, over 90% of these attacks were not aimed at OEMs themselves but rather at other entities in the supply chain,” the report said. “Attackers often find it difficult to penetrate well-protected companies, so they target less vigilant firms instead. But OEMs are affected all the same, because of the supply chain disruptions. Consequently, defending systems against cyberattacks is no longer just about securing an individual firm; it is about strengthening the entire supply chain.”