26–27 September 2017

Tokyo, Japan


Is automotive cybersecurity actually an opportunity disguised as a threat?

Within a remarkably short time, cybersecurity has become one of the biggest pain-points for automotive companies today. Recent high-profile zero-day attacks (and the ensuing media frenzy) have left OEMs and suppliers around the world in a state of fear and uncertainty over their capacity to defend against increasingly sophisticated cyber threats.

They are right to be worried. But while it’s vitally important to be well protected against attacks, it could really pay dividends to look at automotive cybersecurity from a different angle. In fact, handle it right and security represents an opportunity for OEMs, suppliers and connected service providers alike to add extra value to their products and services. Think about it:

  • automotive companies that can assure their customers and stakeholders that their products are functionally safe and their information properly protected are more trustworthy in the eyes of industry partners and the vehicle-buying public;
  • better cybersecurity leads to more robust software overall, meaning fewer recalls and lower costs from IT failures;
  • visible compliance with privacy regulations will serve to strengthen the integrity of OEMs’ brand reputations.

Automotive companies cannot escape the technological and market forces that are pushing them to transition from being manufacturers of largely self-contained mechanical devices to providers of connected, IT-driven products and services. By embracing this change, by investing in cyber-resilient product development and business processes, and especially by putting information security front-and-centre, OEMs have the chance to take the growing threat of vehicle cyber crime and turn it into a genuine competitive advantage.

The ones who succeed will set themselves apart from their competitors and earn a new kind of trust from a new generation of consumers whose values were forged more in the information age than the industrial age.


I’m sorry, you want to order how many USB sticks?

A week or so ago, we decided to order some USB sticks to give away as gifts. My colleague found a company that sells promotional merchandise and requested a quote. It turns out USB sticks with your logo printed on them cost about €4 each if you only order a few hundred. The very next day, to help us decide, we received a FedEx package from the company, containing no fewer than 40 samples of different USB sticks in all shapes and sizes, together with some rather excellent sweets.

“Wow” I thought. “USB sticks must be REALLY cheap”.

Good news for Fiat Chrysler who just ordered 1.4 million of them to send to customers, so they can install software patches in the wake of the much-publicised Jeep hack by Wired Magazine. I’m sure this is a perfectly sensible way to deliver the update. It’s cheaper and less hassle than taking the car to the dealership. But I’m not sure it looks great. Maybe it’s just me, but I think that the process of receiving a plastic pen drive in the mail, taking it out to your car and slotting it into the USB port serves to underscore the apparent ease with which software (and therefore malware) can be casually introduced into the deepest levels of your vehicle’s core cyber physical systems.

After you’ve installed the patch, I guess you could keep the USB stick. They’re always handy to have around. I probably have hundreds – each one a reminder of a meeting or show I attended over many years. Presumably this one would be an enduring reminder of the new vehicle you bought which shipped with an inherent security vulnerability so profound that hackers were able to take control of one and literally steer it into a ditch (albeit under very special conditions).

If only they could have delivered the patch as an Over The Air (OTA) update. Not only does OTA delivery offer maximum convenience, there is surely something to be said for the reassuring discretion it provides. The customer need receive nothing more than a simple email or text saying “our engineers were aware of a potential vulnerability and we have already updated your vehicle to eliminate it”. That’s it. No need to visit a web site and read about it. No USB stick. Just calming reassurance. We’re in control of our system and we’ve already fixed the issue.


Do you know where the weakest link is?

Today’s connected automobile contains hundreds of electronic components, modules and systems from numerous suppliers, all of which are running code likely to have been developed (at least in part) by yet more of the external providers that make up the increasingly long and complex automotive software value chain. And it’s this multi-organisational complexity that poses a threat to the cyber security of the modern vehicle, every bit as troubling as any teenage hacker with a grudge.

A typical ECU controlling, say, electric power steering will have thousands of lines of code, and the chances are that only a minority of it will have been written from scratch. Numerous software engineers, probably on more than one continent, will have contributed to the project. There will likely be some legacy code. There will be code re-purposed from other applications. Some specialist parts will be outsourced. And the developers may well have used open source software to solve some of their challenges. With so many sources and so much collaboration involved, ensuring the software integrity of a simple ECU quickly becomes a major headache. Now extrapolate that across an entire vehicle.
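Whether a patch arrives on a USB stick or over the air (the delivery question raised in the post above), and however many suppliers contributed to an ECU’s image (the integrity problem this post describes), the vehicle side needs one check that answers both: is this package the OEM’s, and is every component in it exactly what the OEM signed off? The following Go program is an added example, not code from this page or from any OEM’s real update system. It builds a manifest listing each component of an ECU image with its origin and SHA-256 hash, signs the manifest, and on the receiving side verifies the signature, the target ECU, the version (to refuse rollback to an older, vulnerable build), every component hash, and the absence of unlisted extras. Ed25519 from Go’s standard library stands in for whatever signing scheme a real programme would use; the ECU name, component names and contents are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

// Component is one piece of an ECU image: in-house, legacy, outsourced or open source.
type Component struct {
	Name   string `json:"name"`
	Origin string `json:"origin"` // provenance note, kept in the signed manifest
	SHA256 string `json:"sha256"`
}

// Manifest describes one update for one ECU and is the only thing that gets signed;
// the component hashes bind the individual binaries to it.
type Manifest struct {
	ECU        string      `json:"ecu"`
	Version    int         `json:"version"`
	Components []Component `json:"components"`
}

// SignedUpdate is what travels on the USB stick or over the air.
type SignedUpdate struct {
	ManifestJSON []byte
	Signature    []byte
	Blobs        map[string][]byte // component name -> bytes
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrWrongECU     = errors.New("manifest is for a different ECU")
	ErrRollback     = errors.New("update version is not newer than installed version")
	ErrHashMismatch = errors.New("component hash does not match manifest")
	ErrUnlisted     = errors.New("package contains a component not in the manifest")
)

func digest(b []byte) string {
	s := sha256.Sum256(b)
	return hex.EncodeToString(s[:])
}

// BuildUpdate is the OEM-side step: hash every component (sorted, so the manifest is
// reproducible) and sign the resulting manifest with the OEM's private key.
func BuildUpdate(priv ed25519.PrivateKey, ecu string, version int, blobs map[string][]byte, origins map[string]string) (SignedUpdate, error) {
	names := make([]string, 0, len(blobs))
	for n := range blobs {
		names = append(names, n)
	}
	sort.Strings(names)
	m := Manifest{ECU: ecu, Version: version}
	for _, n := range names {
		m.Components = append(m.Components, Component{Name: n, Origin: origins[n], SHA256: digest(blobs[n])})
	}
	mj, err := json.Marshal(m)
	if err != nil {
		return SignedUpdate{}, err
	}
	return SignedUpdate{ManifestJSON: mj, Signature: ed25519.Sign(priv, mj), Blobs: blobs}, nil
}

// VerifyUpdate is the vehicle-side step, identical for USB and OTA delivery.
// Signature first: nothing in the manifest is trusted until it has been checked.
func VerifyUpdate(pub ed25519.PublicKey, ecu string, installedVersion int, u SignedUpdate) (*Manifest, error) {
	if !ed25519.Verify(pub, u.ManifestJSON, u.Signature) {
		return nil, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(u.ManifestJSON, &m); err != nil {
		return nil, err
	}
	if m.ECU != ecu {
		return nil, ErrWrongECU
	}
	if m.Version <= installedVersion { // anti-rollback: never reinstall an older build
		return nil, ErrRollback
	}
	listed := make(map[string]bool, len(m.Components))
	for _, c := range m.Components {
		listed[c.Name] = true
		blob, ok := u.Blobs[c.Name]
		if !ok || digest(blob) != c.SHA256 {
			return nil, fmt.Errorf("%w: %s", ErrHashMismatch, c.Name)
		}
	}
	for n := range u.Blobs { // anything the manifest does not vouch for is rejected
		if !listed[n] {
			return nil, fmt.Errorf("%w: %s", ErrUnlisted, n)
		}
	}
	return &m, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed sample image for a hypothetical steering ECU, mixing sources.
	blobs := map[string][]byte{
		"steering_ctrl": []byte("constructed in-house control loop"),
		"can_stack":     []byte("constructed tier-1 supplier CAN stack"),
		"crypto_lib":    []byte("constructed open-source crypto library"),
	}
	origins := map[string]string{"steering_ctrl": "in-house", "can_stack": "tier-1 supplier", "crypto_lib": "open source"}
	upd, _ := BuildUpdate(priv, "EPS-ECU", 2, blobs, origins)
	if _, err := VerifyUpdate(pub, "EPS-ECU", 1, upd); err != nil {
		fmt.Println("rejected:", err)
	} else {
		fmt.Println("genuine update accepted")
	}
	// Swap one supplier component after signing: the hash check catches it.
	upd.Blobs["can_stack"] = []byte("constructed malicious replacement")
	_, err := VerifyUpdate(pub, "EPS-ECU", 1, upd)
	fmt.Println("tampered package:", err)
}
```

The design point is that the transport never earns trust: a stick from the post or a download from the OEM’s server is treated the same way, and the manifest, not the medium, is what the public key in the vehicle vouches for. Keeping an origin field per component also gives the OEM a signed record of which supplier or project each piece of the image came from, which is the inventory the value-chain discussion above is asking for.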

For OEMs whose traditional expertise lies in manufacturing largely mechanical products within a closed ecosystem, transitioning to become highly secure IT enterprises is a daunting challenge. But it’s a challenge they and their T1 consolidators need to come to grips with, and fast. If they are going to keep their customers, their reputations and their intellectual property safe, car manufacturers will need to take a leaf out of the books of other sectors like financial services and critical infrastructure, and learn to embed IT security into every layer of their product creation, manufacturing and service operations. This would be tough to do at the best of times. It’s tougher still in an era when most OEMs and infotainment suppliers are already working flat out to add ever more enticing features and functionality to their vehicles in a bid to out-do the competition.

Historically, cyber security has not been a major part of the day-to-day workflow in automotive product development. In many cases, developers may not actually be aware of what they should be doing as individuals to ensure the code they’re writing does not present security issues. Managers throughout the value chain have a lot to do in terms of educating their own personnel about the critical importance of security, and setting clear expectations of the role played by each individual towards releasing products that are watertight.

Thankfully, a host of powerful new tools are emerging, along with many new expert consultancies which promise to help software developers to code and exchange information across enterprises with robust security policies and procedures baked in.

Ultimately though, the buck stops with the automakers themselves. They have the most to lose if their products fall victim to successful cyber attack. And however expensive and sophisticated their vehicles become, they are only ever as secure as their weakest supplier’s code.