Cyberlands.io - API Penetration Testing
Cybersecurity Risks in Enterprise Transport

Enterprise Cybersecurity & Connected Cars

During one of the recent cybersecurity conferences, I heard the idea that hacking a connected car can't result in significant business risks. The logic is obvious: the car's cost is insignificant compared to the multi-million worth of corporate assets. Cars, even connected ones, are mass-produced items, so if one is hacked, you just replace it.

I disagree and suggest you walk through this with me.
Walk through
Let's take a look at 5 key economic sectors that use automotive transportation:

  1. Government and defense
  2. Heavy industry
  3. Agriculture
  4. Finances
  5. Transport and logistics

Then we'll identify the models of using connected cars within each industry, define possible threats, and the resulting business impact for each risk scenario.

Connected car use cases in corporate business:
  1. Transporting the C-suite executives — all sectors
  2. Transporting classified knowledge holders — government, defense
  3. Transporting valuable personnel — defense, industry, agriculture
  4. Transporting raw materials — industry, agriculture
  5. Transporting finished goods — industry, agriculture
  6. Transporting cash — finance
  7. Transportation services — transport and logistics
Transporting the C-suite executives
Competitors can hack the connected car systems to block top management's movements (to disrupt a corporate dispute over an important asset or derail an M&A agreement); a top manager can be killed by tracking a car or using a remote explosive device; a car can serve as a channel to collect and transmit important information (eavesdropping through the car's microphone and tracking its movements).

Transporting classified knowledge holders
Transporting classified knowledge holders falls under the category of top management transportation; the key risk here is eavesdropping on important information.

Transporting valuable personnel
Disrupting the transportation of valuable personnel can be a method to compromise production operations or, in extreme cases, to halt production due to severe losses among staff.

Transporting raw materials
Disrupting the transportation of raw materials will not only cause significant operational expenses due to the cost of the materials lost but will also halt the production processes. An unforeseen block of normal operations (like the lack of forage for poultry farms or the need to stop the open-hearth Martin furnaces due to lack of charcoal and ore) can not only cause immediate losses but will also affect the whole production chain (no eggs and/or chicken meat, or no steel for plants).

It will also result in additional expenses required to re-launch the production cycle (buying a new flock, re-igniting the furnaces, etc.). This is especially important amidst the COVID-19 pandemic, as even minor disruptions can cause multi-billion losses now, as the March 2021 Ever Given obstruction of the Suez Canal has demonstrated.

Transporting finished goods
Delivery of finished goods not only forms the major part of the company's revenues but also provides the financial influx needed to ensure stable business operations. Delays in delivery or missing goods result in reduced revenues and the need to borrow the required funds at significant interest rates, and in the agricultural sector this might result in the inability to sell perishable products like dairy or fresh fruits and vegetables.

Transporting cash
Transportation of cash is an obvious target for criminals. Hacking such a connected car can result in both leaking the company's money collection routes and physically disabling the guards and stealing the cash during a heist.

Transportation services
Transportation services depend on the reliable functioning of all car parts. Messing with the connected car systems results in big business problems, as it entails the loss of income, fees for non-delivery according to contract terms, and other hits to the bottom line.
Conclusion
Of course, not all of these risks are prominent yet. There are other ways of waging corporate cyberwarfare, and there are some obvious countermeasures at the business level (stockpiling raw goods, for example).

There can also be additional control measures that are not widely known as of yet. Besides, connected car technology is still not the primary target for hackers. However, with each passing year, the number of connected cars in traffic will only grow, and the risks will grow along with it.

While we still can, we must treat the purchase of a connected car as introducing an additional information system into our corporate network. This means a standard set of measures is necessary: a preliminary risk analysis, forming a set of relevant security controls, and extensively testing them before the system reaches the production stage.


The good side here is that the architecture of connected car systems is relatively simple (far less complicated than ERP or BSS systems, for instance), and the companies that provide penetration testing and cybersecurity analysis services will be happy to provide discounts to get the first commercial projects and customer reviews in the connected car cybersecurity domain.
Alex Bodryk
Cyberlands, Co-founder & managing director