Automotive Connectivity Innovations Require a New Approach to Cybersecurity
By Tim Frasier, President Automotive Electronics Robert Bosch LLC
From the way vehicles are manufactured, to the way they interact with passengers and the road, processes that have remained largely unchanged since the early 1900s will be revolutionized through connectivity. This continued development will have a dramatic positive impact on vehicle safety, helping to prevent accidents and improve the overall customer experience as the industry moves toward fully autonomous driving.
This increasingly connected landscape will come equipped with high-tech challenges, requiring the automotive and IT industries to work together more closely than ever. To minimize cybersecurity risks, mitigate disaster and protect consumers, their privacy and the value chain, organizations will need to adopt a security first approach as they bring the benefits of automotive connectivity to market.
Industry Leading the Way
The widely covered 2014 Jeep Cherokee hack prompted the recall of 1.4 million vehicles, thrusting automotive connectivity under the microscope. It heightened attention and awareness within the industry about the topic of cybersecurity and what was being done to prevent this scenario from becoming an on-the-road reality.
Now, the automotive industry is taking a proactive and much more open approach, forming a new Auto-ISAC (Automotive Information Sharing and Analysis Center) to share what it learns about vehicle cybersecurity risks. This is a major departure in a previously segmented industry where sharing data was considered taboo. In 2016, the group created a series of best practices, covering organizational and technical aspects of automotive cybersecurity–areas that continue to be updated to this day.
"Automotive connectivity is already driving some organizations to take a more collaborative approach via cybersecurity boards that include CIOs, CFOs, IT staffs, OEMs and startups "
NHTSA (National Highway Traffic Safety Administration) has been heavily engaged in this effort, modifying its structure to stay ahead of potential vehicle cybersecurity challenges.
With the industry on high alert, yet moving at high speed toward increasingly connected and autonomous vehicles, the marketplace must deliver and maintain a more robust approach to cybersecurity. Success will take a collaborative viewpoint, one that includes automakers, suppliers, technology manufacturers, and partners focusing on cybersecurity at every step of the manufacturing process and throughout the entire vehicle life cycle.
Creating a Culture of Cybersecurity
In addition to technological solutions that prevent disasters on the highway or in a supply chain, it’s equally important to build a culture of security that permeates the entire organization. This requires leadership awareness and new organizational competencies.
Organizations may also need to consider changes to the structure of the IT department to implement a new level of security. A centralized structure may no longer be the most effective setup. Instead, individuals across departments may need to take on new responsibilities and act independently to play a more active role in cybersecurity. Centralized corporate IT structures typically service internal business needs. As the auto industry migrates to connectivity and cloud computing, customer-facing IT organizations should consider managing backend services, analytics and over-the-air updates.
Automotive connectivity is already driving some organizations to take a more collaborative approach via cybersecurity boards that include CIOs, CFOs, IT staffs, OEMs and startups. Soon, more automotive companies will look to create PSIRTs (Product Security Incident Response Teams), which are already common in the tech industry, to protect customers from vulnerabilities. These teams enable automotive organizations to take a proactive stance by working with the industry through collaboration and disclosure.
A layered approach to cybersecurity, where security concerns are embedded into every step of the manufacturing process, is needed to protect sensitive data and ensure consumer trust. This means adding additional levels of security to business infrastructure and making it much harder for hackers to breach a system. Working in tandem with suppliers and partners is necessary to protect the entire supply chain.
Ethical “white hat” hackers supporting internal efforts will also become more commonplace. Enticed by everything from money to bragging rights, they will help to identify and minimize potential disruptions early in the development process.
Early identification of vulnerabilities is critical as a breach could put the entire supply chain in jeopardy. Consider an attack that introduces false data into a manufacturer’s data systems. Machines could be instructed to halt production, leaving manufacturers unable to produce vehicles.
Should a disruption occur, a layered defense can significantly reduce the attack from spreading. Organizations that adopt this approach will be at a competitive advantage. Those who don’t run the risk of financial losses, decline in productivity and irreparably damaged reputations.
Preparation in an Age of Precaution
Dynamic and complex connected environments will also require embedded security hardware to reduce risk and build trust. Products and processes will need to be designed in an organization that embraces security from the ground up. Security best practices from other domains can be applied to and merged with automotive industry procedures. Models created by companies active in sensors, software and services will be of benefit as connectivity becomes more commonplace.
Automotive businesses that adopt a networked, holistic systems approach will come out ahead as the industry races toward 2020, when Gartner predicts there will be a quarter-billion connected vehicles on the road. With these new opportunities, there will be new challenges and cybersecurity is an inevitable by-product of technology that increasingly connects cars, smart cities and critical infrastructure applications.
Still, the industry outlook for connected and automated vehicles is highly optimistic in terms of safety, convenience, and quality of life. In order to fully realize the potential of an automated world, the industry must be more open, more integrated, and more alert, building on a foundation of tried and true technologies.