- Connected vehicle. Vehicles on the road are vulnerable to hacking, both of the vehicles themselves and of the back-end IT systems to which they connect. The challenge of securing vehicles and back end is increasingly important because of the growing computing power of vehicles. In the future, there will also be many more vehicle-to-vehicle and vehicle-to-hub communications. There is already plenty of discussion of these ideas in the media, arousing concern among consumers. The idea that you could be driving along in the outside lane of a motorway when someone takes over your car is not pleasant.
- Manufacturing plant. Hackers can attack a manufacturing plant that is assembling cars or producing parts for cars. The increased tendency for manufacturing systems to be connected to enterprise systems and the internet creates more opportunities for attack. Legacy hardware and software that was not designed for the internet is particularly vulnerable. Attacks come from anywhere in the world and from a wide range of adversaries including terrorists and nation states bent on sabotage. With the manufacturing plant made up of intelligent, connected machines, a hacker can target any point and then reach other points in the plant. These attacks can cause huge damage.
- Enterprise IT. The security of enterprise IT systems is as much an issue for automotive companies as for any other organization. But in addition to their solutions in back-office areas like finance and HR, automotive companies face the risks that arise from connecting to vehicles and manufacturing systems, and must operate back-end systems to carry out services required by connected vehicles (map services, for example). Any form of outsourcing adds an additional dimension to the security challenge, and so does hosting of services in the cloud. Again, a hacker who penetrates general IT systems can probably use them as a platform to access the manufacturing operation, and maybe the vehicle itself. Enterprise IT systems are also especially vulnerable to insider attacks.
Failure to observe good cyber risk and privacy governance practices have very tangible...