Thinking about the security challenges of the connected car paradigm will often conjure up the spy movie or thriller scenario of an attacker provoking a crash by accessing the systems of a car transporting a high-ranking politician or business magnate. The more mundane reality, however, is that most cybercriminals are primarily interested in monetizing their activities, not in creating mayhem.

For this reason, the largest security threat from connected car is almost certainly information theft. Personally identifiable information (PII) will be stored on some systems, while payment card industry (PCI) information will traverse the airwaves as consumers buy digital content for onboard entertainment, book hotel rooms, or prepay for parking at their destination, for instance. All this data has a ready market on the dark web.

There will also be the potential for ransomware attacks, just as happens now with personal computers: a hacker could paralyze your car, then demand a bitcoin payment to release it. However, as you are liable to be stuck somewhere away from home, with a phone but not necessarily a laptop, getting the money from you might itself prove something of a challenge, at least in the short term (though this may change if cryptocurrency use becomes more widespread). Far better, for this mode of attack, to go after fleet owners.

This is where the threats to connected bus and truck come in. Companies operating fleets of such vehicles can ill afford to have them all rendered inactive, and are therefore more likely to pay the ransom, particularly if it is priced low enough for them to write it off as an operating cost. Remember that in the public transport scenario, fleet operators will often be subject to service level agreements with local governments, making them even keener to resume normal service as quickly as possible.

Clearly, this will also raise questions of whether such costs can be covered by cyber insurance. Fleet operators will certainly have to demonstrate that they have all the requisite security measures in place if they are to make a claim. They may also need to demonstrate, for instance, that whatever exploit they fell victim to was the result of something that no amount of security measures could have foreseen if the insurer is to pay out for it.

Connected truck, meanwhile, might also be subject to a terror scenario, where an attacker might be more interested in creating havoc than in making money from their exploits. Trucks are responsible for transporting a huge proportion of food supplies, and even in countries with a major rail network, the last leg of fulfillment between the depot and the grocery or supermarket is almost always carried out by road.

There is therefore the potential for significant disruption to food distribution. If trucks could be stuck at their depot or, worse still, brought to a standstill on roads and highways, it would not take long for emergency services to be called in.

All the above points to a need for vehicle manufacturers, component makers, and service providers, such as the mobile network operators providing the connectivity, to deliver security remotely to protect vehicles from cyberattacks. Security facilities will be deployed locally, whether on the vehicle's control area network (CAN) bus or in its electronic control units (ECUs). There will also be a need for central coordination of over-the-air (OTA) updates to onboard firmware, addressing newly detected vulnerabilities and strengthening defenses, and central supervision of alerts from sensors on the vehicles may be able to avert more widespread attacks.