AUTONOMOUS AND REMOTE CONTROLLED/ACCESS TECHNOLOGY
As a pioneer in the field of automotive security, in 2015 IOActive was the first company to successfully launch a remote attack on a vehicle through its telematics unit (Security Experts Hack into Moving Car and Seize Control, Remote Exploitation of an Unaltered Passenger Vehicle).
For the past 5 years, IOActive has been focused on understanding Autonomous and Remote-Controlled/Access technologies and their inherent vulnerabilities and possible impacts to Functional Safety. IOActive consultants assume the posture of real-world attackers, attempting to bypass existing security controls and gain access to connected systems or services, or to the vehicle itself.
Transportation technology is evolving significantly, with enhanced autonomous functions revolutionizing automobiles, commercial trucks, and agriculture equipment. AI and Machine Learning (AI/ML) are fundamentally transforming Autonomous Vehicles by enabling them to understand road conditions, identify objects, predict traffic flow, make real-time decisions, and predict potential hazards, paving the way for partial and fully autonomous driving. IOActive delivers a suite of AI and ML security services built on proven methodologies (i.e. Threat Modeling/Architecture Review, AI/ML Code Review/Vulnerability Assessment, Application/Device Penetration Testing, and AI Infrastructure Security); for more information, see https://ioactive.com/service/ai-security-services/. As vehicles have become connected, this connectivity provides significant benefits but also presents significant cybersecurity risks and vulnerabilities.
Two other emerging vehicle technologies that are now prevalent in today’s connected world are Telematics (i.e. automobiles, commercial trucks, agriculture/mining vehicles, and sea cranes) and Electric Vehicle Supply Equipment (EVSEs). Both have remote cloud infrastructures, which increases the cybersecurity risk of attacks and vulnerabilities such as weak/unencrypted communications, over-the-air (OTA) firmware attacks, insecure APIs, and weak/vulnerable cloud services.
For over a decade, IOActive has been a pioneer in Transportation cybersecurity research, with a proven track record and experience in conducting penetration and security assessments on autonomous vehicles and remote-controlled assets, such as:
Automobiles – ADAS (Level 2 and 3), Robotaxis, Telematics
Commercial Trucks – Autonomous Trucks
Electric Vehicles – EVSEs
Agriculture – Autonomous Agriculture Vehicles and Autonomous On-Road/Off-Highway Vehicles (OHV)
Autonomous Shuttles – Personal Rapid Transit (PRT) vehicles
Rail/Transit – Positive Train Control (PTC)
Aircraft – Drones and UAVs
Mining – Autonomous Haulage Systems (AHS)
Locomotives – Remote-Controlled Locomotives
Maritime – Remote Operated Vessels (ROV) and Remote Operations Centers (ROCs)
A core focus of our transportation cybersecurity research program has been to provide industry stakeholders with empirical vulnerability data so they can make risk-informed decisions about threats to cyber-physical systems. The following table summarizes our experience and provides examples of recent Autonomous and Remote-Controlled/Remote Access projects conducted by IOActive over the past 5 years:

IOACTIVE TRANSPORTATION CYBERSECURITY RESEARCH
IOActive is the leading transportation cybersecurity firm, investing heavily in primary research and working with OEMs, suppliers, and academia to understand the risks, threats, and business impacts facing the transportation industry. IOActive leverages this body of research to provide clients with deeper assessments and superior guidance so they can adopt innovative new technologies while developing safer and more secure data, vehicles, and infrastructure. IOActive has published several research papers and articles on the transportation sectors; samples and links are below:
TRANSPORTATION CYBERSECURITY COMPLIANCE REGULATIONS/STANDARDS
Transportation cybersecurity compliance refers to the measures taken by transportation providers to ensure their systems and data are protected from cyber threats, while also adhering to regulatory and industry standards. This includes implementing security controls, reporting incidents, and conducting vulnerability assessments. Transportation organizations must comply with cybersecurity rules and regulations set by agencies like the TSA, DHS, UNECE, ISO/SAE, EU Commission, FAA, EASA, Coast Guard, International Association of Classification Societies (IACS), and IEC. The table below describes, for each transportation sector, the applicable Cybersecurity Standards, Risk Assessment Methodologies, Information Sharing and Analysis Centers (ISACs), and Communications Protocols.
IOACTIVE CYBERSECURITY SERVICES
To help protect your business from today’s increasingly complex and sophisticated cybersecurity risks, IOActive offers a full range of cybersecurity services, including penetration testing, full-scale assessments, secure development lifecycle support, red team and purple team engagements, AI/ML security services, supply chain integrity, code reviews, security training, and security advisory services. Learn more about our offerings at https://ioactive.com/services.