Confronting Cybersecurity Risks in Connected Vehicles

Written by Shelley Mika

With the continued proliferation of global business technology, most utility fleet managers are familiar with common digital security protocols like multifactor authentication, data protection policies and training to avoid phishing attacks.

However, it’s not just laptops, tablets and cellphones that fleets need to be concerned with. Since connected vehicles are essentially computers on wheels, cybersecurity measures are a must-have to safeguard their drivers and the utility’s data.

But what exactly are the risks? And what specific actions can fleets take to beef up security for their connected vehicles? UFP spoke with cybersecurity specialists at the National Laboratory of the Rockies (formerly the National Renewable Energy Laboratory) to get their take.

Digital and Physical Threats
A cyberattack on a connected vehicle doesn’t just pose digital risks; it potentially threatens the driver’s physical safety, too. Hackers may gain access to personally identifiable information and vehicle location data. They could also remotely disable or take command of the vehicle. Consider these past events:

  • In 2010, a disgruntled employee used access to GPS tracking apps to remotely disable starters on hundreds of vehicles.
  • Researchers in 2015 were able to remotely access a telematics device, gaining control over the vehicle’s steering, brakes and transmission.
  • Hackers compromised telematics APIs and fleet management systems across 16 vehicle manufacturers in 2023.
  • In 2024, misconfigured cloud storage exposed precise location histories and owner contact details for hundreds of thousands of vehicles.

Ryan Cryar, a cybersecurity and resilience researcher at the National Laboratory of the Rockies (www.nlr.gov), explained that “[a]s devices become more interconnected, the potential attack surface may expand and become more complex, complicating cyber risk management. While these trends in digital technology offer many benefits, they also introduce new risks that need to be fully understood and managed.”

Utility fleet leaders, he continued, “should be aware of the potential cyber risks within their hardware and software supply chains and fully understand and document the digital connections necessary for fleet management.”

A Good Starting Point
The need for connected vehicle cybersecurity is clear, but what’s the best starting point for utility organizations?

Sarah Hipel, electric vehicle cybersecurity strategist at the National Laboratory of the Rockies, recommended basic first steps, such as developing a documented cybersecurity plan, implementing role-based access controls and multifactor authentication, and incorporating cybersecurity clauses into vendor contracts.

Once those items are handled, Hipel said, “you can shift to focusing on more mature aspects of cybersecurity governance or other compensatory mitigations to address priority risks, including developing and practicing incident response playbooks.”

Hipel also suggested the following actions.

Apply the principles of zero trust and least privilege. By default, do not trust anyone inside or outside of the organization; verify explicitly. Grant users, applications and systems only the minimum permissions needed to perform their specific tasks – nothing more. Build defenses under the assumption that attackers are already present or a breach is imminent.

Deploy encryption technology, including digital signatures. These tools safeguard communications across the connected vehicle ecosystem.

Configure strict remote-access control mechanisms. Do this wherever systems connect to external networks.

Validate that only authorized users, devices and services have remote connection permissions. All connections must be made via approved methods.
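
The actions above (deny by default, minimum permissions per role, approved devices and connection methods, authenticated requests) can be combined into one authorization gate for remote vehicle commands. This is an added example, not code from the article or the laboratory; the users, roles, device IDs, keys and command names are hypothetical, and an HMAC with a per-device shared key stands in for a digital signature to stay within the Python standard library.

```python
import hashlib
import hmac
import json

# Constructed policy data: every user, role, device, key and command is hypothetical.
ROLE_PERMISSIONS = {
    "dispatcher": {"read_location"},
    "fleet_admin": {"read_location", "disable_starter"},
}
USER_ROLES = {"alice": "fleet_admin", "bob": "dispatcher"}
APPROVED_DEVICES = {"laptop-0042": b"constructed-demo-key"}  # device id -> shared key
APPROVED_METHODS = {"vpn"}


def sign(key, request):
    """Return an HMAC-SHA256 tag over the canonical JSON form of the request."""
    body = json.dumps(request, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def authorize(request, tag):
    """Deny by default: every check must pass explicitly before a command runs."""
    key = APPROVED_DEVICES.get(request.get("device"))
    if key is None:
        return False, "device not approved"
    if not hmac.compare_digest(sign(key, request).encode(), tag.encode()):
        return False, "bad signature"
    if request.get("method") not in APPROVED_METHODS:
        return False, "connection method not approved"
    role = USER_ROLES.get(request.get("user"))
    if request.get("command") not in ROLE_PERMISSIONS.get(role, set()):
        return False, "role lacks permission"
    return True, "allowed"


if __name__ == "__main__":
    key = APPROVED_DEVICES["laptop-0042"]
    req = {"device": "laptop-0042", "method": "vpn", "user": "bob",
           "command": "disable_starter", "vehicle": "truck-17"}
    print(authorize(req, sign(key, req)))  # dispatcher role is refused
    req["user"] = "alice"
    print(authorize(req, sign(key, req)))  # fleet_admin role is allowed
```

A production gate would also bind each request to a timestamp or nonce so a captured, validly signed command cannot be replayed, and would log every denial for review.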

“For telematics-based connected vehicles, fleet managers should be mindful of the scope of connectivity by implementing strict policies for approving and monitoring vehicle connections and access to those connections,” Hipel said.

Beyond that, she continued, utilities “should also ensure they have the proper risk management practices in place according to their organization’s mission, and ensure they have incident response plans in place.”

Driver Training and Operational Security
Because drivers play a key role in connected vehicle cybersecurity efforts, a portion of their training should consist of in-person exercises that explore real-world scenarios. The goal is to help them understand the signs of potential cyberattacks, plus effective response methods for any that prove successful.

“Ultimately, developing a strong culture that emphasizes the importance of security, including how to identify suspicious behavior and phishing, can go a long way toward buying down risk for fleet managers,” Cryar said.

He recommended implementing operational security that strongly protects both data in motion (i.e., data that is actively moved from one place to another, such as sent emails) and data at rest (files saved to your laptop’s hard drive, for example).

Further, fully securing and carefully controlling passwords, keys and other critical access mechanisms is a necessary best practice for utility fleets. And don’t forget about physical security essentials, like limiting or blocking physical connection points on company devices or incorporating tamper-evident seals.

Lastly, consider tasking drivers with periodic inspections of connected vehicles, checking them for tampering and unauthorized devices. Inspections should also confirm proper installation of software and firmware updates intended to fix security vulnerabilities.

Conclusion
Developing, implementing and refining cybersecurity protocols may feel daunting, but rest assured that utility fleet managers can successfully execute these projects, one step at a time. Multifactor authentication, cybersecurity training and strong access control policies are highly effective and achievable in the near term, according to Cryar.

“Focus on the fundamentals of cybersecurity and get the basics right,” he said. “The lowest-hanging fruits of cybersecurity practices have the greatest impact.”

About the Author: Shelley Mika is the owner of Mika Ink, an Omaha, Nebraska-based branding and marketing communications agency. She has been writing about the fleet industry since 2006.