Malware, ransomware, viruses, denial-of-service attacks – these threats can leave a business reeling as it struggles to recover. Others might not recover at all, but that hasn’t stopped most industries from treating cybersecurity as an afterthought. Unfortunately, this is how it has been handled since the first hackers emerged. It’s only when a company is hit that other players start to react, often scrambling to enhance their security in the hope that their business isn’t the next target.
Autonomous vehicles mark the first time that strategy has changed, with OEMs of all shapes and sizes looking to prevent the worst from happening rather than reacting. They understand that an automotive hack is about more than data or dollars and cents – it is about the safety of occupants and all those around the vehicle.
Automotive OEMs are striving to build security in at the very foundation of the vehicle to get ahead of any potential issues. They want it built into the intellectual property (IP) to ensure that semi and fully autonomous cars are safe and protected from security threats.
While it might be easy for other industries to disregard cybersecurity until it becomes a problem, automakers know they cannot do the same. The safety risks are far too significant, both to the occupants and future success of autonomous vehicles. Even ransomware is an enormous threat. If hackers found a way to ground a fleet, they could disrupt an entire ecosystem of ride-hailing or package delivery vehicles without putting any lives in danger. An attack of that level would be economically devastating whether the targeted enterprise agreed to pay the ransom or not.
Thus, OEMs are fully aware that they cannot allow the cars of tomorrow – not even connected, human-driven automobiles – to enter showrooms without cybersecurity. They comprehend the need to develop protective measures, whether hardware or software-related, long before the vehicles enter production. In short, cybersecurity must be engineered into the core of the vehicles from day one.
OEMs and their technology suppliers are exploring ways to implement cybersecurity. This exercise starts with studying all the potential threats to the vehicle and its occupants, then preparing for known weaknesses in technologies and products while building plans for unknown ones.
Hackers will always target the lowest-hanging fruit available. If the steering, braking and accelerating components are well guarded, they’ll simply look for another way in. Between the infotainment console, a variety of ports (OBDII, USB, USB Type-C, etc.), and a slow rollout of connectivity features, it’s not hard to imagine how and where a cyberattack might unfold. But that’s precisely why it is so important for those connections to be completely separated from any of the system-critical features. It’s not just the driving mechanisms that should be considered – every component must be shielded from the mere possibility of a malicious act.
While OEMs explore cybersecurity, they can’t implement it entirely on their own. That’s why a growing number of manufacturers, suppliers and even insurers are turning to firms that specialize in mitigating cyber threats.
In October, Upstream Security announced that it had raised $30 million in a Series B from several prominent investors, including Hyundai, Volvo Group, Renault Venture Capital and Nationwide Insurance. GuardKnox raised $21 million in a Series A last June while Karamba Security raised $10 million in 2018, bringing its total haul to $27 million.
These are just a handful of the firms that have cropped up to protect the future of mobility. Each offers a different strategy for safeguarding connected and/or driverless cars, but the goal remains the same: to ensure that outsiders can’t get through.
Cybersecurity has become a prime topic at conferences all over the world, but it has also inspired several additional events that are specifically focused on preventing cyber threats. The discussion involves academia: given the complexity of automotive architectures, universities are working with the industry to define the systems that will best protect cars with their millions of lines of code and the growing number of electronic control units (ECUs). In order to stay ahead of the cyber threats of tomorrow, the next generation of workers will need to learn today about cybersecurity risks.
Awareness is the first step. Solutions are the key to actually preventing a security breach. In issuing Federal guidance for automated vehicles, the U.S. Department of Transportation urged the industry to adopt a “strong security and functional testing of the technology, people, and processes.” The DoT also recommended a flexible security program that can assess and manage risk, adding that response plans should be “aligned with emergency management and recovery protocols shared across all industry sectors.”
But how do we get there? There are several prospective standards being discussed, but the most prominent is ISO 26262. Designed for functional safety, this standard includes the classification of multiple Automotive Safety Integrity Levels (ASIL). They aren’t legally mandated, but they provide an important guide in determining the severity and probability of potential hazards, which is essential to developing vehicles that are smarter, safer and much more efficient.
Self-driving cars are in development and the automotive industry, with the help of its suppliers, is integrating the lessons learned on cybersecurity in other consumer markets. OEMs know better than any other that they cannot wait for hackers to strike – they must work hard to protect their vehicles today. Their early dedication is more than talk and empty promises; many have already put their money where their mouth is by investing in technology that will ensure road safety remains a top priority. It’s a strategy that auto suppliers understand as well, and is one that other industries could learn from to initiate their own cyber protections.