Daybreak - Your EV is a computer on wheels and your data is its fuel
Episode Date: August 31, 2023

Between 2018 and 2021, incidents related to breach of cybersecurity in the auto industry rose by 228%. In the next few years, this number is only expected to get worse.

In India though, it is not much of a concern yet due to the low penetration of EVs so far. But it won't remain that way for long without proper safeguards in place.

The Digital Personal Data Protection (DPDP) Act 2023 is a step in the right direction, but it has a long way to go.

Tune in.

Recommendation: Ola Electric woke up and chose violence

Daybreak is produced from the newsroom of The Ken, India’s first subscriber-only business news platform. Subscribe for more exclusive, deeply-reported, and analytical business stories.
Transcript
Hi, this is Rohin Dharmakumar.
If you've heard any of the Ken's podcasts, you've probably heard me, my interruptions, my analogies,
and my contrarian takes on most topics.
And you might rightly be wondering why am I interrupting this episode too.
It's for a special announcement.
For the last few months, I and Sita Ramon Ganeshan, my colleague and the Ken's deputy editor,
have been working on an ambitious new podcast.
It's called Intermission.
We want to tell the secret sauce stories of India's greatest companies.
Stories of how they were born, how they fought to survive, how they build their organizations and culture,
how they manage to innovate and thrive over decades, and most importantly, how they're poised today.
To do that, Sita and I have been reading books, poring over reports, going through financial statements,
digging up archives, and talking to dozens of people.
And if that wasn't enough, we also decided to throw in video into the mix.
Yes, you heard that right.
Intermission has also had to find its footing in the world of multi-camera shoots in professional studios, laborious editing, and extensive post-production.
Sita and I are still reeling from the intensity of our first studio recording.
Intermission launches on March 23rd.
To get alerted as soon as we release our first video episode, please follow Intermission on Spotify and Apple Podcasts or subscribe to The Ken's YouTube channel.
You can find all of the links at the ken.com slash I am.
With that, back to your episode.
Do you remember this incident from a few years ago?
It was 2019, I think.
A 19-year-old security research student managed to access the digital car keys of more than 25 Teslas around the world.
He opened the car's windows, unlocked the doors, and even disabled the car's security mode.
Scary stuff, right?
The idea behind the attack was to highlight the growing concerns about safety and security as the world moves towards electric vehicles.
Modern EVs function through technologies that create massive amounts of data.
A simple example of this is the software that helps these EVs regulate their batteries.
It helps the driver to look for charging stations and control the power flow.
EVs also receive updates through the cloud to automatically improve the operation and performance of the vehicle.
Now, this is of course a global concern.
Cybersecurity related incidents in the automotive industry rose by 225% between 2018 and 2021.
And it is only expected to get worse as more and more people connect to the EV grid.
So what is the situation like in India?
EV penetration in India is as low as 1% across all kinds of EVs right now.
Naturally, the number of EV-related cyber attacks is not high enough to ring any alarm bells yet, because it can get out of control.
Even Union Transport Minister Nitin Gadkari acknowledged this fact in the parliament this year.
So is there any kind of a safeguard EV users have in India?
Welcome to Daybreak, a business podcast from the Ken.
I'm your host, Snigdha Sharma, and I don't chase the news cycle.
Instead, thrice a week on Mondays, Wednesdays and Fridays, I will come to you with one
business story that is worth understanding and worth your time.
Today is Friday, the 1st of September.
I want to begin with an incident that occurred in April last year.
In a series of posts on Twitter, Balwan Singh, a man from
Guwahati, said that his son had met with an accident a few weeks earlier. The son had recently bought
an Ola electric scooter and Singh blamed the scooter for the accident. He wrote about it in detail.
He said that his son was driving the scooter and when a speedbreaker came on the way, he tried to
slow down. But instead, the scooter accelerated and that is how he crashed. The tweet also had a bunch
of photos that showed how bad the injuries were. He had to go through multiple
surgeries. So how did Ola Electric respond to this whole thing? He said that they took the scooter away,
but they did not tell him much else. A few days later, Singh went on to Twitter again,
and he demanded Ola Electric to share what they had found in their internal investigation.
He even asked for all the data logs which were recorded by all the telemetry in Ola Electric
scooter. Almost a week later, Ola Electric finally responded, and their response was far from
what you'd expect. Let me read out a small portion of it for you. We did a thorough investigation
of the accident and the data clearly shows that the rider was over-speeding throughout the night
and that he braked in panic thereby losing control of the vehicle. There is nothing wrong
with the vehicle. Our operating system tracks various vehicle sensor data which we receive real
time in our cloud. The below graph shows speed data for this incident for a 30-minute
duration till the accident time.
I'm sorry, I cannot show you the graph, but you get the point.
Okay, so now, if Ola had real proof of this, fair enough,
they shared the report with Singh, just like he'd asked for, right?
Except they shared it with the whole wide world, not just Singh.
It was released in public.
And the problem with this move, like my colleague Praveen noted in his newsletter, The Nutgraf, was this.
Ola could have been like, hey, we looked at the data and we did not find a problem.
It could have ended there.
Instead, they got into a room with a bunch of content writers, lawyers and a visual designer
to publicly make the case in RGB color that their customer was an irresponsible maniac.
The statement obviously raised questions about data collection, privacy, hypermode and
even Ola Electric's data visualization decisions.
Coming up next, let us try and get a better sense of how EVs are susceptible to cyber attacks.
My colleague Nathan Nade spoke to Ashish Ullas, a cyber security research fellow at cloud security,
and he told him that it is only natural.
Because, in his own words, EVs are bound to be more data-driven than today's transport
because they have a more complex system, the battery monitoring system or BMS operating it.
What Ullas was basically saying was that your EV is not just a vehicle.
It is a computer on wheels and like all computers,
its life force is data.
Data that can be collected, sometimes without your awareness, and it can be exploited.
He explained it to us with a great example.
Imagine a dartboard.
The darts are cyber attacks.
The size of an attack surface is directly dependent on two factors, connectivity and data linkages.
So the more connectivity and linkages your EV has, the bigger the size of the dartboard,
which means the greater the chance of a hit or a cyber attack.
So now comes the big question.
What are the systems in place to protect us against this?
Stay tuned to find out.
The answer, at least partially for now,
lies in the Digital Personal Data Protection Act of 2023 or the DPDP Act.
It may not be perfect right now,
but at least it has some features in place that offer us protection.
The Act changes important things in the dynamic between the EV and its users.
Under Section 13, the data principal, which is the EV user, has the right to approach the Data Protection Board.
If they're not satisfied, then they can approach the Telecom Disputes Settlement and Appellate Tribunal.
And depending on the nature, type and extent of the data breach, companies or data fiduciaries can be fined as much as 250 crore,
but if the complaint is found to be false or frivolous, the data principal or the individual
user can also be fined as much as $10,000.
Nathan spoke to Prateek Waghre, the policy director at Internet Freedom Foundation, who told
us how before the DPDP Act there was no clear framework for resolving such grievances.
But Ameen Jauhar, who works with Vidhi Centre for Legal Policy, pointed us to something that
we should remember about this act.
He said that even though the Act is in effect right now, institutions like the Data Protection Board are yet to be created.
Plus, rules under the law, which will actually make it effective, need to be framed.
The whole process is expected to be complete in the next year or year and a half.
Meanwhile, companies like Ola Electric can appoint data protection officers and get in line with this act.
Daybreak is produced from the newsroom of The Ken, India's first subscriber-focused business news platform.
What you're listening to is just a small sample of our subscriber-only offerings.
A full subscription unlocks daily long-form feature stories, newsletters,
subscriber-only apps and podcast extras.
Head to the ken.com and click on the red subscribe button on the top of the website.
I am Snigdha Sharma, your host, and today's episode was edited by my colleague Rajiv CN.
