Most of auto industry, including vehicles themselves, vulnerable to hacking

As cyber threats increase, automakers and regulators are scrambling to safeguard an automotive industry as interconnected as the vehicles being produced.

A wave of thefts of luxury vehicles in Ontario shows that hackers are finding openings. In Ottawa, nearly one of every four stolen vehicles is a Lexus or high-end Toyota, taken by thieves who hack the vehicles and then drive them to Montreal for shipment across the world, say police. The thefts have prompted increases in security.

But while those thefts get attention, security experts warn that much of the industry’s exposure lies below the surface.

“People need to be aware that it’s possible to hack a vehicle, to hack the infrastructure, to hack manufacturers and their supply chains — that’s all possible to do right now, today,” said François Couderc, a Quebec City-based cybersecurity specialist with the defence contractor Thales Group.

Companies are reluctant to say they’ve been hacked, fearing repeat attacks and customer and shareholder anxiety, Couderc said.

However, nearly one-third of suppliers responding to a survey by KPMG and the Automotive Parts Manufacturers’ Association (APMA) reported suffering a cyber breach in the past year. Phishing attacks — in which an employee clicks on an email link that spreads malware throughout a poorly secured network — are an easy way in.

“Given the move to people working remotely, given the move to working in the cloud, this didn’t surprise me,” John Heaton, a partner in KPMG’s cybersecurity practice, told Automotive News Canada.

More concerning, Heaton said, was a finding that just 32 per cent of respondents have an enterprise-wide cyber strategy. In an intertwined industry with its vast range of entry points, trouble can spread fast.


“It’s a global market,” Heaton said. “You source globally, and you’ve got a supply chain that is quite transparent. The [automaker] shares with the Tier 1, who shares with the Tier 2 … but that sharing of data and that [vehicle] product, which is ultimately a moving computer, creates a lot of places to attack.”

A “Closing the Cybergap” plan issued in February by…