Leveraging Cohort Analysis for Fleet-Wide Anomaly Detection in Automotive Cybersecurity

Dror Dim

Product Manager

December 16, 2024

As connected vehicles increasingly dominate the automotive landscape, cybersecurity risks have expanded from isolated, experimental attacks to large-scale threats targeting entire fleets. The stakes have never been higher for OEMs and their cybersecurity teams. 

To address this evolving challenge, advanced techniques like digital twins, cohort analysis and anomaly detection are proving indispensable for protecting fleets from coordinated, large-scale attacks.

From Standard to Advanced Cohort Analysis

Traditional cohort analysis in the automotive sector typically segments vehicles based on basic attributes such as make, model, and year. While this approach is useful, it falls short of addressing the complexities of modern, fleet-wide threats. To ensure comprehensive cybersecurity coverage, a more nuanced approach is required—one that incorporates dynamic, context-aware cohort definitions.

For example, consider the risk posed by malicious EV charging networks. A compromised charging network could potentially gain unauthorized access to vehicles, extract sensitive data, or even inject malware into vehicle systems. Standard cohort analysis would struggle to detect such threats; however, advanced cohort analysis, enriched with real-time data and context, can.

Leveraging Cyber Threat Intelligence for Cohort Identification

Cyber threat intelligence (CTI) plays a pivotal role in helping cyber teams identify new and emerging cohorts. For instance, intelligence gathered from the deep or dark web can reveal potential threats targeting specific vehicles or systems. These insights enable vSOC (vehicle Security Operations Center) teams to proactively define cohorts of vehicles that may be at risk and establish real-time monitoring protocols to detect and respond to anomalies swiftly.

Real-World Application: Cohort-Driven Anomaly Detection

By leveraging MQTT (Message Queuing Telemetry Transport) data streams, OEMs can profile vehicles based on the charging networks they interact with. Here’s how it works:

  1. Data Enrichment: OEMs collect and analyze MQTT data to identify vehicles connecting to specific charging networks. Enriching this data enables cybersecurity teams to move beyond isolated charging points and understand broader patterns across an entire charging network.
  2. Cohort Creation: Using this enriched data, vSOC teams can create a cohort of vehicles associated with a particular charging network.
  3. Anomaly Detection: Advanced algorithms can then analyze this cohort for anomalies indicative of cyber threats, such as unusual data transfer volumes, repeated failed authentication attempts, or abnormal software behavior.

This approach ensures that OEMs can detect and mitigate risks not only to individual vehicles but also to the broader ecosystem they operate within. Analysis at the single-vehicle level alone would likely be insufficient for identifying patterns or threats that span multiple vehicles or networks, making cohort analysis indispensable for fleet-wide cybersecurity. 

Case Study: Global EV Charging Network Breach

In November 2024, a prominent threat actor exposed approximately 116,000 records of sensitive data from multiple global Charge Point Operators (CPOs). Initially reported as a breach of an American EV OEM’s charging network, further investigation revealed a much broader impact. The compromised data included records from charging stations across the UAE, Australia, Mexico, Puerto Rico, Guyana, Saudi Arabia, Oman, and India.

This incident underscores the importance of advanced cohort analysis. By profiling vehicles and cohorts linked to the affected charging networks, OEMs could have:

  • Detected suspicious activity patterns earlier
  • Isolated vehicles exposed to potential risks
  • Mitigated the impact through timely security patches or firmware updates

Automotive Cybersecurity Requires a Dynamic Approach to Cohort Analysis

The principles of advanced cohort analysis aren’t limited to charging networks. Another key application lies in analyzing Over-the-Air (OTA) update distributions. By creating cohorts based on OTA versions, cybersecurity teams can:

  • Identify vehicles running potentially compromised firmware.
  • Detect anomalies in software behavior across specific cohorts.
  • Prevent widespread vulnerabilities by halting the rollout of suspect updates or patching them quickly.
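The three-step procedure above (enrich MQTT session data with the charging network, build a cohort, then look for per-cohort anomalies such as unusual transfer volumes or repeated failed authentication) and the OTA-version cohorts in this section use the same mechanics, so one added example serves both. This is illustrative code written for this page, not Upstream's product logic. It assumes a constructed MQTT topic layout (`fleet/<vin>/charging`), a JSON payload with `cp_id`, `fw`, `mb_sent` and `auth_failures` fields, a constructed charge-point-to-operator lookup table, and a median/MAD "modified z-score" outlier rule with the usual 0.6745 constant and a 3.5 cut-off; all of those are assumptions, not anything the post specifies.

```python
import json
from collections import defaultdict
from statistics import median

# Constructed MQTT messages (topic, JSON payload), one per charging session.
# Topic layout and field names are assumptions made for this example.
MESSAGES = [
    ("fleet/VIN0001/charging", '{"cp_id": "CP-101", "fw": "2.3.1", "mb_sent": 1.0, "auth_failures": 0}'),
    ("fleet/VIN0002/charging", '{"cp_id": "CP-102", "fw": "2.3.1", "mb_sent": 1.2, "auth_failures": 1}'),
    ("fleet/VIN0003/charging", '{"cp_id": "CP-101", "fw": "2.3.1", "mb_sent": 1.4, "auth_failures": 0}'),
    ("fleet/VIN0004/charging", '{"cp_id": "CP-103", "fw": "2.4.0", "mb_sent": 1.1, "auth_failures": 0}'),
    ("fleet/VIN0005/charging", '{"cp_id": "CP-102", "fw": "2.4.0", "mb_sent": 1.3, "auth_failures": 0}'),
    ("fleet/VIN0006/charging", '{"cp_id": "CP-103", "fw": "2.4.0", "mb_sent": 40.0, "auth_failures": 0}'),
    ("fleet/VIN0007/charging", '{"cp_id": "CP-201", "fw": "2.3.1", "mb_sent": 0.9, "auth_failures": 0}'),
    ("fleet/VIN0008/charging", '{"cp_id": "CP-202", "fw": "2.3.1", "mb_sent": 1.1, "auth_failures": 0}'),
    ("fleet/VIN0009/charging", '{"cp_id": "CP-201", "fw": "2.3.1", "mb_sent": 1.0, "auth_failures": 7}'),
    ("fleet/VIN0010/charging", '{"cp_id": "CP-202", "fw": "2.4.0", "mb_sent": 1.2, "auth_failures": 0}'),
]

# Constructed enrichment table: individual charge point -> operator (CPO).
# This is what turns isolated charging points into a network-level view.
CP_TO_CPO = {"CP-101": "CPO-A", "CP-102": "CPO-A", "CP-103": "CPO-A",
             "CP-201": "CPO-B", "CP-202": "CPO-B"}


def enrich(messages, cp_to_cpo):
    """Step 1: parse each MQTT message and attach the operating network."""
    records = []
    for topic, payload in messages:
        vin = topic.split("/")[1]
        data = json.loads(payload)
        records.append({
            "vin": vin,
            "cpo": cp_to_cpo.get(data["cp_id"], "UNKNOWN"),
            "fw": data["fw"],
            "mb_sent": float(data["mb_sent"]),
            "auth_failures": int(data["auth_failures"]),
        })
    return records


def build_cohorts(records, key):
    """Step 2: group records by a caller-supplied cohort key (CPO, firmware, ...)."""
    cohorts = defaultdict(list)
    for r in records:
        cohorts[key(r)].append(r)
    return dict(cohorts)


def modified_z_outliers(values, threshold=3.5):
    """Indices whose modified z-score (median/MAD based) exceeds the threshold.

    Median and MAD are used instead of mean/stddev so that one extreme vehicle
    cannot inflate the baseline it is being compared against.
    """
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:
        return []  # no spread in the cohort: nothing to compare against
    return [i for i, v in enumerate(values)
            if abs(0.6745 * (v - med) / mad) > threshold]


def detect_anomalies(records, key, z_threshold=3.5, auth_threshold=5, min_cohort=3):
    """Step 3: flag vehicles that deviate from their own cohort's baseline."""
    findings = []
    for name, members in build_cohorts(records, key).items():
        if len(members) < min_cohort:
            continue  # too few peers to establish a meaningful baseline
        volumes = [m["mb_sent"] for m in members]
        for i in modified_z_outliers(volumes, z_threshold):
            findings.append({"cohort": name, "vin": members[i]["vin"],
                             "reason": "mb_sent outlier"})
        for m in members:
            if m["auth_failures"] >= auth_threshold:
                findings.append({"cohort": name, "vin": m["vin"],
                                 "reason": "repeated auth failures"})
    return findings


if __name__ == "__main__":
    records = enrich(MESSAGES, CP_TO_CPO)
    for label, key in (("charging network", lambda r: r["cpo"]),
                       ("OTA/firmware version", lambda r: r["fw"])):
        print(f"Cohorts by {label}:")
        for f in detect_anomalies(records, key):
            print(f"  {f['cohort']:>6}  {f['vin']}  {f['reason']}")
```

The cohort key is the only thing that changes between the charging-network and OTA-version analyses; the per-cohort baseline is what makes a 40 MB session stand out among peers that send about 1 MB, which a single-vehicle view with a fixed global threshold would not capture. The `min_cohort` guard matters in practice: a freshly defined cohort with one or two members has no baseline yet, and reporting on it only produces noise.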

As the threat landscape evolves, so must the tools and strategies used to defend against it. Advanced cohort analysis, combined with anomaly detection, equips automotive cybersecurity teams with the insights needed to protect fleets from increasingly sophisticated attacks. Whether it’s profiling vehicles by their charging networks or OTA versions, the ability to dynamically define and analyze cohorts is critical for maintaining the integrity and safety of connected vehicle ecosystems.
