《2023全球汽车行业网络安全报告》解读

1.前言

    Upstream的研究人员分析了关键的汽车风险和漏洞，并发布了一份安全报告《2023全球汽车行业网络安全报告》

Upstream’s 2023 Global Automotive Cybersecurity Report

    阿里·卡梅伦是一名内容营销人员，专注于网络安全和B2B SaaS领域。除了为Tripwire的“安全状态”博客撰稿外，她还为Okta、Salesforce和微软等品牌撰稿。阿里以不同寻常的方式进入了内容世界，她的职业生涯始于普华永道(PwC)的管理顾问职位，在那里，她对将复杂的概念变得容易理解产生了兴趣。她将这种兴趣与对讲故事的热情融合在一起，这种结合非常适合在网络安全领域写作。

    阿里·卡梅伦对《2023全球汽车行业网络安全报告》做了一些分析和解读。

A Look at The 2023 Global Automotive Cybersecurity Report | Tripwire

    下面我们就来看看她解读的内容。

2.正文

    近年来，随着数字化、智能化和网络化技术的日趋成型，汽车行业的新一轮产业变革已经到来。然而，这种变革也为网络安全风险打开了大门。近日，研究机构Upstream发布了《2023年全球汽车行业网络安全报告》，报告数据显示：在过去5年中，全球汽车行业因为网络化攻击造成的损失超过5000亿美元，而近70%的汽车安全威胁都是由远距离的网络攻击行为引发。研究人员表示：汽车制造企业需要重新思考未来保障车辆安全的策略，从整体车联网平台安全的角度寻找解决方案，而不是传统以车辆为中心的安全模型。

    在本次报告中，研究人员探讨了当前汽车行业面临的主要安全威胁态势，以及如何有效应对这些威胁挑战的方法和建议。以下就是本次报告研究中的五个关键发现。

英文原文：

  *  From its inception, the automotive industry has been shaped by innovation and disruption. In recent years, these transformations have taken shape in rapid digitization, ever-growing Electric Vehicle (EV) infrastructure, and advanced connectivity. These shifts have redirected the automotive industry, meeting and surpassing customer expectations for what vehicles should accomplish. However, they have also opened the door to cybersecurity concerns — and the last year has shown just how much of an impact these threats can have.*

•    Recently, Upstream published their 2023 Global Automotive Cybersecurity Report. In it, they explored the cybersecurity threats that plague the automotive industry, as well as the things the sector can do to protect itself as these threats continue to evolve. Here’s a closer look at five important findings in this comprehensive document.*
  

发现1：新的攻击面大量出现

    随着汽车行业变得更加智能化和数字化，汽车企业因此拓展出更多的商业服务模式，这给了网络攻击者更多的攻击面和攻击载体。报告数据显示，2022年网络攻击者最常使用的载体分别是远程信息处理和应用服务（35%）、远程无钥匙进入系统（18%）、电子控制单元（14%）、车载智能应用API（12%）、车载信息娱乐系统（8%）、车载移动应用程序（6%）和电动汽车充电系统及设施（4%）。

    研究人员提醒，一些新兴攻击载体的恶意利用趋势已经形成，相关企业和消费者需要给予足够的重视，具体包括：

1、车辆订阅服务：一些订阅式的车辆服务功能方便了消费者的日常使用，但这些服务通常都会要求司机提供个人身份信息（PII）以实名验证，这无疑为身份窃取和假冒相关的攻击敞开了大门；

2、第三方汽车移动应用程序：这些应用程序旨在增强驾驶员的体验，但是同样会需要驾驶员的PII和车辆行驶数据等信息，这对非法攻击者会很有吸引力；

3、电动汽车充电网络及设备：电动汽车需要定期进行电池充电，这个过程增加了被攻击的可能性，也扩大了汽车行业的风险暴露面。所有电动汽车利益相关者都应该从保障充电网络安全的角度做更多的事情；

4、新的车辆管理和保险模式：随着智能汽车中大量遥测工具的使用，促进了企业管理和相关保险服务的发展，这些遥测数据会涉及司机的驾驶行为和使用情况等，一旦相关的监控设备被侵入，其后果将非常严重；

5、智能移动API：在2022年，汽车API攻击的数量增加了380%，占事件总数的12%。随着这项技术的使用不断增加，与API相关的风险也在增加。

    这种向新载体的转变意味着汽车公司需要采取一种更专注于技术和IT的网络安全方法，而不是以汽车为中心的安全模型。

英文原文：

•    As the automotive industry becomes more connected and digitized — and automotive companies open new revenue streams as a result — the attack vectors are evolving beyond traditional stakeholders. According to the report, the top cyberattack vectors in 2022 were telematics and application servers (35%), remote keyless entry systems (18%), electronic control units (14%), automotive and smart mobility APIs (12%), infotainment systems (8%), mobile applications (6%), and EV charging infrastructure (4%).*
  

•    Looking a little closer, some of the emerging attack vectors include:*
  

• ***Vehicle subscription services: *Subscription services for in-car features, for example, require drivers to share Personally Identifiable Information (PII) with their provider, opening the door to identity- and authentication-related attacks.
• Third-party automotive mobile apps: These apps are designed to enhance the driver’s experience and often require information like the driver’s PII and sensitive vehicle data that’s appealing to bad actors.
• EV charging networks and infrastructure: Rapid growth in the EV landscape has increased the potential for attacks via charging ports. This is prompting all EV stakeholders to do more from a cybersecurity standpoint.
• Fleet management: The Internet of Things (IoT) has allowed for fleet management software that leverages data collected from vehicle fleets. Connected fleet infrastructure has many advantages, but also creates multiple attack vectors for attackers that could impact multiple fleet vehicles simultaneously.
• ***New insurance models: *Insurance is evolving with the use of telemetric data that focuses on driver behavior and usage. This often requires real-time monitoring with devices installed in the vehicle — devices that can be compromised by attackers infiltrating the insurance company’s network.
• Smart mobility APIs: In 2022, the number of automotive API attacks grew by 380%. As the use of this technology continues to increase, so do the risks associated with APIs.

•    This shift to new vectors means that automotive companies need to take an approach to cybersecurity that’s more focused on technology and IT, and less on vehicle-centric security models.*
  

发现2：汽车网络攻击手法复杂化

    随着汽车行业的不断变化和发展，非法攻击者的攻击手法也在随之进化。研究表明，针对汽车行业的网络攻击正变得更加精细，以获得更好的攻击效果。

    报告数据显示，几乎所有的汽车攻击威胁（97%）都是远程进行的，而有70%的远程攻击是在远距离实施的。攻击者不需要在车辆附近，只要能够连接到车辆的网络系统，就可以发起攻击。

    此外，攻击者也在不断改进他们的攻击方法。例如，当犯罪分子获得某款汽车关键的数字基础设施信息，就会以此向汽车制造商勒索高额赎金，同时还可能非法出售隐私数据。在此过程中，很有可能会出现影响整个供应链的大规模数据泄露、拒绝服务（DoS）攻击和生产中断。这一问题在2022年已经表现的非常突出，而随着汽车数字化程度的进一步提升，Upstream预计针对汽车行业的攻击在未来几年将变得更加普遍。

英文原文：

    As the automotive industry continues to change and grow, so does cybercrime. In fact, cyberattacks are becoming even more refined to match the evolution in the industry.

    For starters, nearly all attacks (97%) are being conducted remotely, and 70% of remote attacks are perpetrated at long range, i.e., not near the vehicle, that rely on network connectivity.

    Bad actors are also refining their approach to ransomware, which occurs when a criminal has access to key digital infrastructure and holds it ransom for a high dollar amount. They often manifest as massive data breaches, denial of service, and production shutdowns that impact the entire supply chain. In a time where supply chain issues are already rampant, this is particularly problematic.

    As vehicles become more connected to everything, Upstream expects attacks that leverage these connections to become much more prevalent in the coming years.

发现3：汽车网络攻击的负面影响巨大

    一旦成为汽车网络攻击活动的受害者，汽车制造企业会在多个方面受到严重的负面影响。本次报告数据显示，汽车行业的网络攻击活动，对受害企业造成的危害主要包括：数据/隐私泄露、服务/业务中断、车辆失窃、非法控制车辆、实施欺诈、地址跟踪、政策违规等。

    由于车辆销售和服务的需要，汽车制造商可以获取到大量的个人信息和车辆使用数据，以及与汽车服务业务相关的其他敏感信息。一旦丢失这些数据，企业将面临灾难性的法律违规后果，会受到严厉的监管处罚。

    同时，汽车制造企业从网络攻击中恢复的成本极其昂贵，不仅需要修补被攻击的区域，还要进行彻底的安全风险审计，以确保没有其他类似的安全漏洞。这也可能会损害客户的对企业信任；

    目前，无钥匙启动汽车是一项非常便利的功能，但也让盗窃变得越来越普遍，这让供应商陷入了亟需补救的尴尬境地。此外，很多智能汽车在行驶中，一旦被攻击者非法操控，将会造成严重的安全事故，甚至危害到驾驶者的人身安全。

英文原文：

Businesses that are victims to cyberattacks can be negatively impacted in a number of ways:

• ***Data and privacy breaches: *Automotive providers have access to a wealth of personal and usage data, as well as sensitive information related to their business. Losing this data can be catastrophic.
• ***Financial and reputational impact: *Recovering from a cyberattack is expensive, as it requires patching the vulnerable areas and conducting thorough audits to make sure there aren’t any others. It also potentially compromises customer trust.
• Vehicle thefts and break-ins: Keyless car thefts are becoming increasingly common, and cyber incidents are one driving factor. This puts providers in an awkward position they need to remedy.

发现4：企业要跟上监管政策的调整和变化

    目前，汽车行业的监管机构已经开始意识到，汽车、基础设施和消费者隐私面临的网络安全风险。他们正在开始制定新的法规，以应对这些风险。在此背景下，汽车行业网络安全保护的范围和措施将会不断提升。一些新的行业标准正在陆续颁布并实施，这些新安全标准更加强调了在汽车全生命周期的每个阶段，实施高标准网络安全实践的重要性。除了在行业内实施更好的网络安全实践外，这些新法规和指南还提供了统一的术语、方法、目标和范围，以使整个汽车行业在网络安全防护目标上达成一致。

英文原文：

•    The regulatory space is shifting to expand the scope of cybersecurity protection and measures. Industry standards like WP.29 and ISO/SAW 21434 now emphasize the importance of having high standards for cybersecurity practices and analysis at every stage of a product’s lifecycle.*
  

•    Beyond enforcing better practices for cybersecurity in the sector, these regulations and guidelines also provide uniform terminology, methodology, targets, and scope for the entire industry to get on the same page.*
  

•    In addition, as the industry responds to government targets for electrical infrastructure and smart mobility, legislators and regulatory bodies are becoming more aware of cybersecurity risks to vehicles, infrastructure, and consumer privacy. They are also starting to work on new regulations to address these risks. This will continue to be the case with the ongoing emergence and development of autonomous vehicles.*
  

发现5：保障汽车安全是每个人的责任

    如今，汽车行业的网络攻击不仅仅局限于汽车生产商。供应链中的每个组件和环节都可能会受威胁。这些攻击不只是为了经济利益，还会危及公共安全和关键信息基础设施安全。因此，从智能汽车基础设施制造商到智能汽车服务提供商，以及所有汽车制造领域的利益相关者，都需要采取行动来保护汽车使用的安全和消费者利益。只有这样，汽车行业才能继续快速且安全地进行数字化转型。

    虽然汽车行业在网络安全方面面临巨大的挑战，但也有各种积极的措施正在制定并实施，以提升车辆系统的安全弹性。各大汽车厂商正在调整策略，以适应威胁并保护用户和数据。报告研究人员也同时指出，在2023年，汽车行业生态系统内的安全合作将会增加，从而加速整个行业的整体保护。

英文原文：

•    Today, cyberattacks in the automotive industry aren’t solely limited to vehicle producers. Every component of the supply chain and supplementary features is vulnerable to these threats. These attacks aren't just targeting data for financial gain, but also to compromise public safety and infrastructure. From EV infrastructure suppliers, to smart mobility services providers, and everywhere in between, all automotive stakeholders need to take direct action to protect their assets and their customers. Only then will the industry be able to continue its digital transformation at a rapid and safe pace.*
  

•    While there are ongoing concerns for the automotive industry when it comes to cybersecurity, there are also various steps being taken to become more resilient. As stakeholders adopt new security software, improve their auditing capabilities, and leverage new regulations, they are setting themselves up to evolve with the threats and protect their users and data. In fact, according to the report, 2023 will see increased collaboration within the automotive ecosystem, accelerating holistic protections across the industry.*
  

3. 最后

    《2023年全球汽车行业网络安全报告》里较为清晰的讲述了最新的5大关键发现，对我们分析汽车安全有指导意义。