Let’s put it bluntly: the commercial vehicle cybersecurity landscape offers hackers significant financial and other “advantages” that make these vehicles a prime target, as evidenced by the increased frequency of cyberattacks on fleets:
• Trucks are part of the commercial vehicle group that transports tens of billions of US dollars of goods between various locations every day. The tremendous value of these goods can provide huge commercial motivation for hackers to attack these vehicles, causing considerable financial and legal damages.
• Damage to mission-critical or military equipment transported by trucks can put a country at risk when affected by an attack by politically motivated individuals or organizations.
Annually, passenger vehicles account for 60% of the total worldwide sales while commercial vehicles account for the remaining 40%. However, we should consider additional factors:
• All commercial vehicles travel far longer distances per year than passenger vehicles
• The lifespan of a commercial vehicle is longer than that of a passenger vehicle
• When a commercial vehicle is involved in an accident (caused by a cyber-attack, for example), the number of casualties and the damage to property can be considerably higher due to its higher mass compared to a passenger vehicle
• Many commercial vehicles are part of national critical infrastructure, especially during times of crisis and military conflict, making them more critical than passenger vehicles
So, it is logical to say that the risk level from commercial vehicles is considerably higher than from passenger vehicles, making them prime targets for professional or even nation-state attackers.
Fortunately, there are fewer professional hackers than young hackers playing around who can already get into all-electric cars. But given the stakes, things may change one day.
A few technical notes:
• The commercial in-vehicle network is based on the SAE J1939 protocol. This is a standard 7-layer protocol, common to all commercial vehicles and widely used in the industry. Therefore, any vulnerability detected in the protocol can be exploited across all vehicle types from all original equipment manufacturers (OEMs). This is contrary to passenger vehicles, where each OEM has its own proprietary CAN bus (Controller Area Network) implementation, which differs even between one OEM’s vehicle types. Therefore, an attack vector that succeeds against one passenger vehicle type most likely does not carry over to other vehicle types.
• SAE J1939 uses a proprietary 29-bit extended addressing format. The current implementation does not offer any means to authenticate the origin of a message, verify its integrity or freshness, or provide privacy. Any ECU can send any message ID. This means that attacks such as denial of service (DoS), for example by request overload, impersonation using a fake message ID, MITM (Man In The Middle), message tampering and similar are easily launched.
• Once the transition to automotive Ethernet is completed, the situation for both private and commercial vehicles will be the same. This increased threat is magnified because it is new code containing many bugs, resulting in many vulnerabilities. There are already cars that are fitted in part with Ethernet, and this will increase in the coming years.
• The ECUs (Electronic Control Units) of commercial vehicles are often interchangeable among vehicles from different OEMs. This means that if a vulnerability is detected on an ECU, it can be used to attack many vehicles from all manufacturers that use the same ECU. This is certainly not yet the case with passenger vehicles, where the practice is to have custom-built ECUs for each make and model.
• Software written for many ECUs does not enjoy a very high level of security, making them prone to attacks such as BoF (Buffer overFlow), in addition to many other vulnerabilities found in the code. For example, the attacker could send malformed RTS (Request to Send) messages with a different data length, which might result in an ECU crash. Another example is that with only 255 possible nodes, an attacker might spoof all source addresses, exhausting the connection pool of an ECU and resulting in a DoS (Denial of Service) situation. Other vulnerabilities can be found in the TP (Transport Protocol), such as sending BAM (Broadcast Announce Message) or PTP (Peer To Peer) TP messages with a sequence number of 0 that result in BoF.
• Industry trends including SDV (Software-Defined Vehicles), electrification and EVs (Electric Vehicles), connected vehicles, autonomous vehicles, CAD (Connected Automated Driving), cooperative driving (e.g. trucks platooning) and C-ITS (Cooperative Intelligent Transportation System) require lots of software code in the vehicle. This means much larger attack surfaces and risks to the vehicles.
• Many fleet and car owners add aftermarket devices such as EDR (Electronic Data Recorder) or ELD (Electronic Logging Device). Since these devices connect to the in-vehicle network without passing cybersecurity certification by the OEM, they can be used as an attack vector against commercial vehicles. This phenomenon does not occur with passenger vehicles, where adding aftermarket devices is not very common.
• The viral effect, mainly with agricultural equipment, occurs because there are many interchangeable parts that are connected to different vehicles on a daily basis. For example, with a semi or full trailer, the truck may pull a different trailer every day. Equally, a tractor, mining equipment or a combine may be fitted with different mounts, a drawbar-towed tool chain, a tiller, etc. In this case, if a tractor is infected with malware, it can infect all the attachments it is connected to, a new one each day. Those in turn can infect the other tractors to which they are attached the next day, and so on. This kind of behavior does not exist with passenger vehicles.
• Other common attack surfaces, mainly remote wireless ones, are shared by commercial and passenger vehicles, such as telematics, connected gateway, Wi-Fi, Bluetooth, TPMS (Tire Pressure Monitoring Systems), OBD-II (On-Board Diagnostics), USB, key fobs, V2X (Vehicle to Everything), etc.
• The automotive industry is quite unique in the sense that an attacker can buy a vehicle and try to attack it as much as they want until they succeed, without being detected. This is quite different from other industries such as ICS/SCADA (Industrial Control Systems/Supervisory Control And Data Acquisition), banking, etc., in which it is practically impossible to duplicate the target system.
• The attackers can be the usual suspects such as criminals, terrorists, hostile governments, etc., but also the car/fleet owner, for purposes such as chip tuning or the use of clone ECUs. When this is done on commercial vehicles, the potential damage is much greater than with passenger vehicles.
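The J1939 notes above (29-bit identifiers with no authentication, malformed RTS lengths, source-address flooding, TP sequence number 0) translate directly into checks an in-vehicle IDS can run. The sketch below is an added example, not code from the article or from SAE: the PGNs, control bytes and size limits follow J1939-21, `MAX_OPEN` is a hypothetical threshold, and the frames in `demo()` are constructed.

```python
import math

TP_CM, TP_DT = 0xEC00, 0xEB00   # J1939-21 transport protocol PGNs
RTS, BAM = 16, 32               # TP.CM control bytes
MAX_OPEN = 8                    # assumed per-ECU session limit (hypothetical)

def parse_id(can_id):
    """Split a 29-bit J1939 identifier into (priority, pgn, dest, source)."""
    dp, pf, ps = (can_id >> 24) & 1, (can_id >> 16) & 0xFF, (can_id >> 8) & 0xFF
    if pf < 240:                # PDU1: PS is the destination address
        pgn, dest = (dp << 16) | (pf << 8), ps
    else:                       # PDU2: PS is part of the PGN, always broadcast
        pgn, dest = (dp << 16) | (pf << 8) | ps, 0xFF
    return (can_id >> 26) & 0x7, pgn, dest, can_id & 0xFF

def check_frame(can_id, data, sessions):
    """Return findings for one frame; sessions maps (src, dest) -> packets."""
    _, pgn, dest, src = parse_id(can_id)
    findings = []
    if pgn == TP_CM and len(data) == 8 and data[0] in (RTS, BAM):
        size, packets = data[1] | (data[2] << 8), data[3]
        if not 9 <= size <= 1785:
            findings.append("TP.CM size out of range")
        elif packets != math.ceil(size / 7):
            findings.append("TP.CM packet count does not match size")
        else:
            sessions[(src, dest)] = packets
            if dest != 0xFF and sum(d == dest for _, d in sessions) > MAX_OPEN:
                findings.append("too many open sessions to one ECU")
    elif pgn == TP_DT and len(data) == 8:
        if data[0] == 0:
            findings.append("TP.DT sequence number 0")
        elif data[0] > sessions.get((src, dest), 0):
            findings.append("TP.DT outside announced session")
    return findings

def demo():
    """Run the checks over constructed frames (not captured traffic)."""
    s = {}
    frames = [
        (0x1CECFF00, bytes([32, 20, 0, 3, 0xFF, 0xCA, 0xFE, 0])),   # valid BAM
        (0x1CEBFF00, bytes([1]) + b"\x00" * 7),                     # valid TP.DT
        (0x1CEBFF00, bytes([0]) + b"\x00" * 7),                     # sequence 0
        (0x1CEC2110, bytes([16, 100, 0, 2, 0xFF, 0xCA, 0xFE, 0])),  # bad count
    ]
    return [check_frame(i, d, s) for i, d in frames]
```

Because the identifier carries no proof of origin, these checks only flag protocol-level inconsistencies; they cannot tell a spoofed source address from a genuine one.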
Not all is lost and employing proper security controls can greatly improve the situation:
• SAE J1939-91 network security parts A, B and C are still WIP (Work in Progress) but the existing drafts show a good approach and practical methodology to address cybersecurity threats.
• Cybersecurity certification for vehicle type approval such as UNR 155 as of mid-2024 for all new vehicle types, GB/T and other regulations in progress dictate following a rigid process and implementing proper controls. This can be achieved by complying with the ISO/SAE 21434 standard. This means, for example, the implementation of a CSMS (Cyber Security Management System) in the organization.
• OEMs and Tier 1s that lack the internal resources can use products and services from professional players in the market to implement the V-Model including architecture, validation, penetration testing and more.
• Following a strict SecSDLC (Secure Software Development Life Cycle) with a high level of process and code quality, complying with A-SPICE (Automotive Software Process Improvement and Capability dEtermination), is key.
• Implementing end-to-end security measures including V-XDR (Vehicle eXtended Detection and Response) systems a.k.a. IDPS (Intrusion Detection and Prevention System) for the network and the hosts. Qualified security domains and other information would be conveyed to the SIEM (Security Information and Event Management) system at the V-SOC (Vehicle Security Operations Center) for monitoring and performing analysis and forensics.
• Performing continuous vulnerability management for presenting evidence of risk management at the vehicle type approval and all along the vehicle lifecycle.
To summarize, protecting commercial vehicles is much more complex than protecting passenger vehicles. To provide the necessary security level, OEMs and Tier 1s need to follow proper procedures and implement the required means to provide the market with reliable, safe and secure vehicles.