How auto supplier Harman learned to fight cyber carjackers
When researchers remotely hacked a Jeep Cherokee in 2015, slowing it to a crawl in the middle of a US highway, the portal the hackers used was an infotainment system made by supplier Harman International. Harman, now part of Samsung Electronics, has since developed its own cybersecurity product, and bought Israel-based cybersecurity company TowerSec for $70 million to help it overhaul manufacturing processes and scrutinize third-party supplier software.
The expensive efforts have prevented another public breach and helped Harman become a key player in automotive cybersecurity, but they show the strain suppliers and automakers face in dealing with this new dimension of automotive technology. “At the end of the day, automotive is a very competitive business with small margins. If a competitor wants to eat the cost to win the business, you have to do the same thing,” said Geoffrey Wood, Harman’s director of cybersecurity business development, who joined the company in late 2016.
The automotive cybersecurity market has seen exponential growth. While global revenue was around $16 million in 2017, it is expected to reach $2.3 billion in 2025, according to IHS Markit, driven by Harman, Garrett Motion Inc, German suppliers Continental AG, Robert Bosch and a range of smaller U.S. and Israeli companies. Securing cars from hackers is a complex task for these companies. Modern vehicles run on 100 million lines of code, are equipped with hundreds of different technologies and can have up to 150 electronic control units using various operating systems.
Unlike consumer electronics, cars can stay in use for decades, long after operating systems and component software cease being supported through updates that patch vulnerabilities - a challenge the industry is still grappling with. Automotive cybersecurity requirements now number in the hundreds of pages, up from just a page five years ago, according to interviews with a dozen automotive cybersecurity professionals.
For the 2024 vehicles under development at BMW AG, for example, suppliers are required to ensure that driving system control units have no direct connection to customers’ internet-connected devices, said Michael Gruffke, head of security system functions at BMW, which sources parts from Harman. Small auto suppliers with thin profit margins are often the weakest link for hacks, said Rotem Bar, a cybersecurity professional until recently at Israeli company CyMotive, which has partnered with German automaker Volkswagen AG.
But automakers typically still hand off testing and ensuring the security of data systems to their subcontractors, industry experts said. “It’s really shifting the burden onto the suppliers because the automaker is not able to test and verify everything along the supply chain,” said Dennis Kengo Oka, senior solutions architect at Synopsys Inc, who conducts research on automotive cybersecurity.
At BMW, more than 70 percent of the components in its vehicles are manufactured by suppliers. “We therefore must expect our partners to take responsibility for implementing cybersecurity in respective deliveries,” the automaker said in a statement. General Motors said in a statement that it handles “a significant amount of work” related to security and testing without passing the expense to its supply chain partners. Ford Motor Co and Fiat Chrysler did not respond to requests for comment. Volkswagen and Daimler AG declined to comment.
Harman saw its Jeep hack experience as a viable business opportunity: The supplier today sells cybersecurity software that allows automakers to monitor their fleets and provide over-the-air software updates.