Motor industry faces growing threat of cybersecurity attacks

As today’s cars become increasingly connected, they are easier targets for hackers

The Irish Times - Business - BUSINESS TECHNOLOGY - Olive Keogh

In the summer of 2015, the motor industry was rocked by a series of high-profile car hacks that remotely unlocked car doors, turned on windscreen wipers, interfered with steering and even stopped a Jeep Cherokee in its tracks on the highway.

The industry already knew that any device with an internet connection could be hacked and that as cars became increasingly connected they could easily become a prime target. Despite this, many car makers were slow to secure their vehicles and the audacity of the Jeep hackers – who reportedly spent three years developing their technique – caught people on the hop and led to the recall of 1.4 million vehicles in the United States.

This incident, which auto analyst IHS Markit estimates cost Fiat Chrysler $45.5 million (€37 million), exposed a major vulnerability and underlined the extent to which the auto industry was trailing consumer electronics when it came to security.

The Jeep hack was high profile, but as IHS points out, most major car makers including Ford, General Motors, Toyota and VW have had vehicles hacked in one way or another. Even high-tech newcomers such as Tesla are not immune.

In 2016, a team of Chinese researchers were able to breach the security of the Tesla Model S and take remote control of the brakes, door locks, infotainment screen and other features from 12 miles away. The hackers’ target was the car’s controller area network – the cluster of connected computers present inside almost all cars today – which operates everything from the lights to the electric windows. Tesla fixed the weak spot with an over-the-air software update and is one of the most pro-active manufacturers when it comes to encouraging hackers to find flaws. It even rewards them with cash for doing so.

“When cars are more connected, criminal hackers have a bigger reach,” explains Alexander Kocher, president and managing director of embedded software solutions company Elektrobit. “They can gain full access to the car and even manipulate fleets, which can potentially do much more damage. For example, it would be possible to stop an entire fleet on the road. Criminals could hold vehicles hostage and ask for ransom or manipulate the vehicle to cause a fatality.”

Wake-up call

The summer of 2015 was a wake-up call for the industry that resulted in a brisk upsurge in activity within the automotive cybersecurity sector. Despite big growth in the last two years, however, this industry is still in its infancy and there are potentially lucrative pickings for companies that can get in on the ground floor. In particular, there is scope for innovators who can fill the gaps in the cybersecurity jigsaw.

It’s a complex field not least because it spans software, hardware, data, networks and the cloud. Cost containment is an issue as is how to integrate solutions, such as layered encryption, into existing architectures. There are also issues around controlling the sub supply chain, safeguarding the connected car loop and ensuring that a hacked vehicle can continue to function.

The push to secure connected vehicles has led to an unprecedented level of inter-manufacturer co-operation and partnerships with legacy suppliers as well as a flurry of big acquisitions by the major players. Further down the food chain numerous cyber-savvy and IT start-ups have been snapped up by larger suppliers. Leading the charge in terms of cybersecurity innovation is Israel, which has an estimated 50 young companies working in the area across different industries, with more to come.

Colin Bird, a senior automotive technology analyst at IHS Markit in the US, estimates that revenues in the sector “will crest over $30 million at the end of 2017, but will balloon to more than $2 billion by 2024. About 90 per cent of the dots remain to be joined so there is huge opportunity. Out of a potential market of 100 per cent, fulfilment is currently 4 to 5 per cent,” he says.

Automotive cybersecurity is primarily focused on three main markets: North America, western Europe and Japan. Those positioned to reap the rewards of the anticipated boom unsurprisingly include leading automotive suppliers such as Bosch, Harman and Continental as well as Honeywell and the multinational networking company, Cisco. Thereafter, it’s largely open season and Bird describes the sector as “still very much the Wild West”.

Krishna Jayaraman, an automotive connectivity specialist at analyst Frost & Sullivan, estimates automotive companies spend three to seven per cent of their IT budgets on security, but says this is going to grow dramatically.

The process is already under way. In 2015-2016, Harman spent over $1 billion buying TowerSec, Red Bend software and Symphony Teleca while Continental bought Israeli-owned cybersecurity company, Argus, for a reported $400 million in November.

The Jeep hack also prodded action from legislators who realised they needed to take a position on where they believe the responsibility for security lies, especially when things go wrong. As a result, laws and position papers are coming thick and fast, with the EU’s cybersecurity agency reportedly looking at issuing certificates to connected cars similar to those used in other critical areas such as food safety.

Board level

Legislators seem to be taking the view that the buck stops with the industry and more particularly with its senior executives. As of August last year the UK government’s stated position was that cybersecurity should be owned, governed and promoted at board level. “We are already seeing initiatives whereby the top management of the companies delivering these cybersecurity programmes will be personally liable,” says Elektrobit’s Kocher.

In an effort to get ahead of the hackers, the auto industry set up the Automotive Information Sharing and Analysis Center in 2015. Its role is to identify and track potential cyber threats.

That said, Kocher admits, “we recognise that having 100 per cent cybersecurity is not a reality”. What Kocher wants to see, however, is a situation where hacks can be contained as quickly as possible. “There are different technologies available such as intrusion detection software and anomaly detection,” he says.

“Then you need technology that can analyse this information very quickly to try to protect the vehicle from the attack and also fix the leak wherever it is. The target is to stop a hack within hours when you have a well-designed system.”
