Motor industry faces growing threat of cybersecurity attacks
As today’s cars become increasingly connected, they are easier targets for hackers
In the summer of 2015, the motor industry was rocked by a series of high-profile car hacks that remotely unlocked car doors, turned on windscreen wipers, interfered with steering and even stopped a Jeep Cherokee in its tracks on the highway.
The industry already knew that any device with an internet connection could be hacked and that as cars became increasingly connected they could easily become a prime target. Despite this, many car makers were slow to secure their vehicles and the audacity of the Jeep hackers – who reportedly spent three years developing their technique – caught people on the hop and led to the recall of 1.4 million vehicles in the United States.
This incident, which auto analyst IHS Markit estimates cost Fiat Chrysler $45.5 million (€37 million), exposed a major vulnerability and underlined the extent to which the auto industry was trailing consumer electronics when it came to security.
The Jeep hack was high profile, but as IHS points out, most major car makers including Ford, General Motors, Toyota and VW have had vehicles hacked in one way or another. Even high-tech newcomers such as Tesla are not immune.
In 2016, a team of Chinese researchers were able to breach the security of the Tesla Model S and take remote control of the brakes, door locks, infotainment screen and other features from 12 miles away. The hackers’ target was the car’s controller area network – the cluster of connected computers present inside almost all cars today – which operates everything from the lights to the electric windows. Tesla fixed the weak spot with an over-the-air software update and is one of the most pro-active manufacturers when it comes to encouraging hackers to find flaws. It even rewards them with cash for doing so.
“When cars are more connected, criminal hackers have a bigger reach,” explains Alexander Kocher, president and managing director of embedded software solutions company Elektrobit. “They can gain full access to the car and even manipulate fleets, which can potentially do much more damage. For example, it would be possible to stop an entire fleet on the road. Criminals could hold vehicles hostage and ask for ransom or manipulate the vehicle to cause a fatality.”
The summer of 2015 was a wake-up call for the industry that resulted in a brisk upsurge in activity within the automotive cybersecurity sector. Despite big growth in the last two years, however, this industry is still in its infancy and there are potentially lucrative pickings for companies that can get in on the ground floor. In particular, there is scope for innovators who can fill the gaps in the cybersecurity jigsaw.
It’s a complex field not least because it spans software, hardware, data, networks and the cloud. Cost containment is an issue as is how to integrate solutions, such as layered encryption, into existing architectures. There are also issues around controlling the sub supply chain, safeguarding the connected car loop and ensuring that a hacked vehicle can continue to function.
The push to secure connected vehicles has led to an unprecedented level of inter-manufacturer co-operation and partnerships with legacy suppliers as well as a flurry of big acquisitions by the major players. Further down the food chain numerous cyber-savvy and IT start-ups have been snapped up by larger suppliers. Leading the charge in terms of cybersecurity innovation is Israel, which has an estimated 50 young companies working in the area across different industries, with more to come.
Colin Bird, a senior automotive technology analyst at IHS Markit in the US, estimates that revenues in the sector “will crest over $30 million at the end of 2017, but will balloon to more than $2 billion by 2024. About 90 per cent of the dots remain to be joined so there is huge opportunity. Out of a potential market of 100 per cent, fulfilment is currently 4 to 5 per cent,” he says.
Automotive cybersecurity is primarily focused on three main markets: North America, western Europe and Japan. Those positioned to reap the rewards of the anticipated boom unsurprisingly include leading automotive suppliers such as Bosch, Harman and Continental as well as Honeywell and the multinational networking company, Cisco. Thereafter, it’s largely open season and Bird describes the sector as “still very much the Wild West”.
Krishna Jayaraman, an automotive connectivity specialist at analyst Frost & Sullivan, estimates automotive companies spend three to seven per cent of their IT budgets on security, but says this is going to grow dramatically.
The process is already under way. In 2015-2016, Harman spent over $1 billion buying TowerSec, Red Bend software and Symphony Teleca while Continental bought Israeli-owned cybersecurity company, Argus, for a reported $400 million in
The Jeep hack also prodded action from legislators who realised they needed to take a position on where they believe the responsibility for security lies, especially when things go wrong. As a result, laws and position papers are coming thick and fast, with the EU’s cybersecurity agency reportedly looking at issuing certificates to connected cars similar to those used in other critical areas such as food safety.
Legislators seem to be taking the view that the buck stops with the industry and more particularly with its senior executives. As of August last year the UK government’s stated position was that cybersecurity should be owned, governed and promoted at board level. “We are already seeing initiatives whereby the top management of the companies delivering these cybersecurity programmes will be personally liable,” says Elektrobit’s Kocher.
In an effort to get ahead of the hackers, the auto industry set up the Automotive Information Sharing and Analysis Center in 2015. Its role is to identify and track potential cyber threats.
That said, Kocher admits, “we recognise that having 100 per cent cybersecurity is not a reality”. What Kocher wants to see, however, is a situation where hacks can be contained as quickly as possible. “There are different technologies available such as intrusion detection software and anomaly detection,” he says.
“Then you need technology that can analyse this information very quickly to try to protect the vehicle from the attack and also fix the leak wherever it is. The target is to stop a hack within hours when you have a well-designed system.”