
Imagine getting into your car, ready for your morning commute, only to find your dashboard flashing with an alert you have never seen before: “Remote access detected.” What would you do next?

In a world where connected cars are becoming the norm, the risks associated with cyberattacks on vehicles are growing. We have all heard about hackers accessing personal information from smartphones or corporate data breaches. Still, vehicles are a prime target, as recent reports from Upstream Security show. Cars are no longer just machines with engines that transport one from A to B; they are mobile computers connected to the world, and like any computer, they are vulnerable to cyber threats.

But here’s the big question: What is being done to protect them?

What is a Vehicle Security Operations Center (VSOC)?

At its core, a Vehicle Security Operations Center (VSOC) is like a 24/7 security guard for your car’s digital systems. It continuously monitors vehicle activity to detect, analyze, and respond to suspicious behavior—just like an IT SOC protects data centers or office networks from cyber threats.

But what does that really mean for drivers and car manufacturers?

For drivers, it is about feeling safe knowing that their car’s data—and, by extension, their personal safety—are protected from external threats. For manufacturers, the priority is safeguarding their vehicles against ever-more-advanced cyberattacks. The thought of an entire fleet being remotely compromised, potentially causing severe accidents or massive data breaches, represents a worst-case scenario they are determined to prevent.

The ever-growing threat: why now?

You might think, “But are car hacks really that common?”

Yes, and they are on the rise. According to recent reports, automotive cyberattacks have spiked by 225% in the last three years. With over 70 million connected vehicles on the road, this number is only expected to grow. Upstream Security reports that there will be 775 million connected cars globally by 2030. If the industry does not act now, the risk of cyberattacks in the automotive industry will further increase. And since no IT systems can be protected 100%, we need capabilities to detect anomalies and react to them accordingly.

That’s where the VSOC comes in.

How exactly does the SELFY VSOC work?

You may ask, “What exactly does the SELFY VSOC monitor, and how does it respond to threats?”

Here is a quick overview:

  1. Data collection: The SELFY VSOC gathers data from the vehicle and the vehicle ecosystem. Every connected feature and SELFY tool, whether the Audit Box, the Road-Side Unit, or the Software Over the Air system, sends real-time information to the VSOC.
  2. Threat detection: The collected data is normalized so that data from all sources can be understood in a common, generalized form. Algorithms then analyze the data for abnormal behavior. Think of it as spotting a needle in a haystack: the normalization and the algorithms are developed to find even the slightest hint of an anomaly.
  3. Incident response: Once a threat is detected, the VSOC can act by alerting different entities (e.g., the manufacturer) or remotely disabling specific vehicle functions to prevent the threat from spreading.

Now, you may wonder, “What kind of incidents could we expect?” Hackers might try to:

  • Manipulate braking and steering systems.
  • Steal personal data.
  • Access car fleets to disrupt services in logistics or public transportation.
  • Attack the vehicle ecosystem to disrupt public transportation.

Without a proper response mechanism, such attacks could lead to devastating consequences, including accidents, financial losses, and significant reputational damage.

How does a VSOC help?

How does this affect you? Why should one invest in a VSOC?

One example is Tesla, frequently cited as a negative example in various discussions. However, the company has made significant investments in cybersecurity, including running its own version of a VSOC. Tesla recognizes that a single breach could damage its reputation and compromise customer safety. If an automaker cannot guarantee the security of its vehicles, it risks losing both trust and business.

Not to mention, there is the legal angle. In 2021, the United Nations introduced new regulations (UNECE WP.29) that mandate cybersecurity measures in vehicles for markets like Europe and Japan. These regulations require automakers to implement robust cybersecurity measures, which can include operating a VSOC to protect their fleet from cyber threats. Automakers failing to comply risk being unable to sell their cars in these regions.

But isn’t this expensive?

“Sounds great,” you say, “but won’t all this technology cost a fortune?”

Yes, it requires investment, but consider the alternative. A successful cyberattack could cost a company millions of dollars in recalls, repairs, and lawsuits—not to mention the damage to its reputation.

As a result, the SELFY VSOC is fully built with open-source components and published as an open-source project. We continuously improve its capabilities and features throughout the project.

The SELFY VSOC

As indicated, we have published the SELFY VSOC on GitHub. It consists of the ELK stack for log normalization, search capabilities, and the presentation of logs (i.e., through dashboards).

Dashboard in Kibana showing received vehicle ecosystem data, enriched with context information for VSOC analysts.

We further introduce a REST API for collecting and transmitting data from the vehicle ecosystem (i.e., the SELFY toolbox).

Extensive Locust tests of the VSOC REST API.

As the brain of the SELFY toolbox, the VSOC exchanges information with nearly every tool. In the SELFY VSOC, we implement detection capabilities and actions defined by relevant use cases. One use case is an attack on a Roadside Unit (RSU). The attacked RSU can then transmit malicious information (e.g., “There is no vehicle behind the next street crossing”). Such false information can be devastating for the safety of road users.
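The collect, normalize, detect flow from the overview and the RSU use case above, as an added example that is not code from the SELFY project: payloads from two sources are mapped to one schema, and a rule flags an RSU that reports a crossing as empty while a vehicle reports being there. The payload fields, the `vehicle` source, the rule name and the 10-second window are assumptions; the sample events are constructed.

```python
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(seconds=10)  # assumed tolerance between two observations

# Constructed sample payloads; tool and field names are hypothetical.
RAW_EVENTS = [
    {"tool": "rsu", "rsu_id": "RSU-17", "ts": 1700000000, "crossing": "X42", "vehicle_present": False},
    {"tool": "vehicle", "vin": "TESTVIN0001", "time": "2023-11-14T22:13:23+00:00", "near_crossing": "X42"},
    {"tool": "rsu", "rsu_id": "RSU-18", "ts": 1700000005, "crossing": "X43", "vehicle_present": False},
    {"tool": "vehicle", "vin": "TESTVIN0002", "time": "2023-11-14T22:20:00+00:00", "near_crossing": "X43"},
    {"tool": "unknown", "payload": "??"},
]

def normalize(raw):
    """Map one tool-specific payload to a common schema, or None if unusable."""
    try:
        if raw["tool"] == "rsu":
            return {"source": "rsu", "sensor": raw["rsu_id"],
                    "time": datetime.fromtimestamp(raw["ts"], tz=timezone.utc),
                    "crossing": raw["crossing"], "vehicle_present": bool(raw["vehicle_present"])}
        if raw["tool"] == "vehicle":
            return {"source": "vehicle", "sensor": raw["vin"],
                    "time": datetime.fromisoformat(raw["time"]).astimezone(timezone.utc),
                    "crossing": raw["near_crossing"], "vehicle_present": True}
    except (KeyError, TypeError, ValueError):
        pass
    return None  # unknown tool or malformed payload: drop (a real pipeline would log it)

def detect_rsu_contradictions(events):
    """Alert when an RSU reports an empty crossing that a vehicle reports being at."""
    alerts = []
    for claim in (e for e in events if e["source"] == "rsu" and not e["vehicle_present"]):
        witnesses = [e["sensor"] for e in events
                     if e["source"] != "rsu" and e["crossing"] == claim["crossing"]
                     and e["vehicle_present"] and abs(e["time"] - claim["time"]) <= WINDOW]
        if witnesses:
            alerts.append({"rule": "rsu_false_clearance", "rsu": claim["sensor"],
                           "crossing": claim["crossing"], "contradicted_by": witnesses})
    return alerts

def run_pipeline(raw_events):
    normalized = [n for n in map(normalize, raw_events) if n is not None]
    return detect_rsu_contradictions(normalized)

if __name__ == "__main__":
    for alert in run_pipeline(RAW_EVENTS):
        print(alert)
```

Only the RSU-17 report is flagged: the second RSU report has no contradicting observation inside the window, and the unknown payload is dropped at normalization.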

Authors: Dr. Kevin Mayer and Tina Volkersdorfer (Technische Hochschule Ingolstadt, Germany)