Fleets Steer Dangerously Close To Cyberattack Risks

Exploding interest in smart cars and autonomous vehicles isn’t just changing the way the average consumer drives. The fleet management market is slated to see a $28.66 billion market valuation by 2022, driven by the need for greater efficiency, and connected vehicles have become a gateway to sophisticated management and analysis of fleet operations for managers seeking greater control and reduced costs.

But just as the enterprise faces greater exposure to cybersecurity threats as processes are digitized, the interconnectivity and digitization of fleets leaves the door wide open for an attack.

A recent KPMG report warned that the automotive industry may be underestimating this risk.

“Due to the potential platform-wide impact of a cyberattack on a fleet of connected vehicles that share common operating systems, software or hardware, we believe that fleet-wide attacks represent the next big disruptive threat to the automotive industry,” KPMG stated in its “Protecting the fleet … and the car business” report.

According to David M. Uze, president and chief executive officer of fleet security company Trillium Secure, the cyberthreats facing fleets today are diverse.

“Connected fleet vehicles are effectively ‘networked computers on wheels,'” Uze said in a recent interview with PYMNTS. “And as such, they are subject to many of the same cybersecurity risks as an enterprise server or network.”

That threat may come in the form of the remote takeover of a connected vehicle while it is in operation, which threatens everything from the customer data to which the vehicle is exposed, to the cargo and the vehicle themselves, to driver and bystander safety, added Uze.

But even when connected vehicles are not in use, hackers can unlock doors or deactivate alarms to rob a company of cargo in-transit.

The threat is evolving, particularly as connected vehicles are increasingly interconnecting with fleet payments and corporate spend. Companies operating in the fleet payments space are rolling out solutions that connect fleet processes and payments processes.

For instance, Mastercard’s fleet management solution integrates fuel usage and vehicle maintenance data into the payments process. When drivers pay for fuel with a Mastercard fleet card, an IoT-connected vehicle automatically sends data like location, odometer and fuel gauge levels to managers, and its system automatically matches the purchase amount to the amount of fuel required.

Such technologies address issues like overspend, but make data that connected fleet vehicles touch even more attractive to hackers.

These risks are not lost on the automotive industry, according to research from Foley & Lardner LLP released last year. Cybersecurity concerns were cited by 31 percent of survey respondents (which included auto makers, suppliers, technology firms and other industry players) – surpassing even safety concerns and consumer readiness – when asked about the top challenges to the growth of connected cars.

“Given the prevalence of connected car technologies, it’s not surprising that cybersecurity and privacy are top of mind with industry executives,” said Mark Aiello, Foley Automotive industry team co-chair, in a statement in the report.

But whether fleet managers are as aware of this threat is another story.

According to Uze, there is “a lot of work to be done” to improve awareness of this risk; Trillium is in collaboration with automakers, fleet owners and insurers in an effort to educate industry players about the threat, he added.

In Europe, where Trillium plans to open operations later this year, data privacy initiatives like GDPR regulations are forcing fleet industry players to pay attention.

“Prior to GDPR taking effect, most fleet management systems lacked even basic security or made use of authentication only, and not encryption of vehicle data,” said Uze, adding that the cybersecurity market has raised concerns about this security lapse for “decades.”

In the U.S., Trillium is also taking a grassroots approach to raising awareness through its “Hack Across America” tour, announced last month. Uze is in the midst of a six-month drive across the country to publicize the risks of cyberattacks on connected vehicles.

“If you don’t believe a hacker can get into your car remotely using a digital device, you could end up being sadly mistaken,” Uze said in a statement announcing the tour.

Connected vehicles today are essentially “computers on wheels,” he noted, and drivers of all kinds should be aware. But for fleets, with troves of sensitive company and consumer data – including financial and payments information – continuing to get closer to fleet vehicles themselves, organizations may want to think about including fleet managers in the enterprise cybersecurity strategy conversation.

As the risks continue to evolve, Uze said there are a few in particular that fleets should watch out for.

“We’ve seen an increase in what’s known as automotive ransomware attacks, where vehicles are disabled until hackers are paid ransom,” he said. “We expect this trend to continue.”

Further, Uze continued, commercial vehicles are prime cyberattack targets, because each vehicle uses the same hardware and software.

“This means they are excellent targets for fleet-wide attacks,” said Uze. “We anticipate that there will be attempts at fleet-wide ‘zero day‘ attacks in the near future.”