Nobody wants to be THAT company. The one holding the hot potato. The one responsible or liable for the first death tied to a cybersecurity attack on the automotive industry.
Much like the recent accidents involving Tesla and Uber, it’s akin to being the 2008 Detroit Lions: Your brand has been the first besmirched by the ultimate losing season. The difference between the automotive hack and the NFL winless seasons would be the liability, recalls and plummeting sales, which could seriously cripple the automotive manufacturer.
A KPMG study suggests 80% of customers wouldn’t buy a vehicle from a compromised automotive OEM.
And thus, engineers around the globe are adding new layers of cybersecurity to future designs. Instead of just locking the front door and putting up a perimeter fence, they are doing the equivalent of installing hallway cameras and a video monitoring room: Intrusion Detection & Protection Software (IDPS) and Automotive Security Operations Centers (ASOC), respectively.
These will monitor the fleet for abnormalities, report back any suspicious messages on the internal networks, suggest actionable steps to mitigate or thwart the attackers, and then assist with reflashing the software across the globe to protect against those new threats.
But all this new software, process and costs bring up several big – strike that – enormous questions, which have not been answered and are looming in the near future for multiple manufacturers. I will examine three of them here and suggest what I’d do if I were King of the World.
#1: How Much Is Enough?
You can spend enough product-testing dollars to buy all the tea in China, but the law of diminishing returns eventually overtakes the value of incremental security. Additionally, the income sheet’s denominator (a.k.a. “revenue”) will not grow as it does with other quality efforts, since you cannot create commercials about industry awards for the best cybersecurity. That’s the equivalent of placing a target on your back; you’ve made yourself the ultimate challenge for the basement dwellers.
So how much is enough? How much testing would satisfy a jury that the company did “due diligence”? How much testing would provide solace to Wall Street that you can prevent future messes? How much testing keeps the corporate insurance bill from going through the roof? How much would guarantee the brand survives? How much testing must be done years after selling a vehicle due to new threats and updated software?
The industry answer is … wait for it … undefined. Standards committees won’t specify testing procedures because that’s a blueprint for hackers. Government regulators won’t impose specific rules because they cannot keep up with the speed of the Dark Web or nefarious organizations. And automotive companies don’t know the answer because most of them do not presently know how many industry attacks have truly happened, nor do they know the size of future threat(s).
So how much is enough? I would suggest each OEM must look at the value pricing of connected cars (supposedly near $220 billion, according to MarketsandMarkets™), define a target margin that investors would require (e.g., 40%), and then put aside the available Cost of Goods Sold money as required spending.
At first, it may seem like wasted money (“We haven’t had ANY breaches!”), but manufacturers should consider it like a bipolar patient on medication: just because you haven’t had an incident doesn’t mean you should reduce your medicine.
#2: How Much Do I Do In-House?
The natural inclination of executives would be to in-house all design, operations and testing. Data is valuable and allowing any data “off-prem” is like loaning out the keys to the kingdom. This not only creates confidentiality threats but also informs suppliers about their customers’ needs, empowers them to create differentiated offerings and, therein, create premium pricing (a.k.a. the scourge of Purchasing).
But, wait: Cybersecurity specialists are hard to find. Getting enough experts to assist with system architecture, module design, tool creation, system validation testing (a.k.a. penetration testing) and operational oversight for every vehicle make, model and model year would be impossible. Not to mention some benefits are provided by having an industrywide or, better yet, cross-industry perspective, e.g., better threat modeling and more threat information sources.
So how much to in-house? I think the best way for the OEM to answer that is to look at each portion of the process separately:
System Architecture: This cannot be outsourced because it is fundamental and confidential. The only way to truly outsource this is to slap your logo on someone else’s vehicle – which has been done in the past but is unlikely to be a trend going forward. Answer: In-House
Threat Modeling: This could go either way. It depends upon available resources, but if you outsource it, make sure you use a different source for penetration testing. Answer: Either
Module Design: Let the suppliers design their own modules and include requirements for various elements of cybersecurity (e.g. Secure Boot, IDPS), but with agreed-upon rates for accuracy (e.g., false positives, false negatives) during detection and protection. Also, provide a message structure so notifications may be passed along the buses and connectivity pathways to the ASOCs for fleet monitoring. Otherwise, hands off … and I’ll explain why later. Answer: Outsource
Tool Creation: Creating your own testing or analyzing tools is never a good idea. That’s not an OEM’s core product, a supplier’s development and support costs may be spread over dozens of customers, and a supplier already is light years ahead in both development and understanding of needs. For example, OEMs will need to repeatedly test IDPSs, and reliable tools such as SCRIPTS are years ahead of any internal development – and will keep ahead because that’s their core business. Answer: Outsource
Penetration Testing: This one could go either way. Penetration testing will need to be redone so often that the cost of outsourcing might outweigh the effort of staffing a Red Team, but I think the tiebreaker goes to avoiding the trap of the fox guarding the henhouse. An external source will be motivated to prove its value and will not be predisposed by internal biases. Answer: Outsource
Operational Oversight: This might need to be a mixed bag. Certainly, the OEM wants the brick and mortar of the Security Operation Center and to staff it for collecting data, reflashing vehicles and understanding the fleet dynamics. But doing the detective work on information sent from the IDPS might require assistance. That said, the OEM can learn this over time and DATA IS MONEY. Answer: In-House
#3: Who’s Liable?
Almost as sure as Trump’s Twitter account will blurt something inappropriate in the next 12 hours, a lawyer will come knocking at an automotive door in the next decade. Who picks up the tab?
Arguably the IDPS supplier (and/or gateway supplier) provided a piece of software that was designed to thwart the hacker, so he should pay. Conversely, the OEM specified the system architecture and was running the operations that allowed the deficient software to remain in the field longer than it should have. And let’s not forget the ECU provider who created the hole through which the hacker originally entered the system!
Now throw in a bunch of insurance companies, scads of lawyers and, of course, the slippery CEOs and there’s quite a finger-pointing extravaganza to be had. Assuredly, the OEMs will “require” indemnification, and some poor, optimistic sap who’s crossing his fingers (and building his home on the side of a volcano) will agree to those terms. But in the end, no one entity will be able to pick up the check if there’s a catastrophic event.
There will be lots of blame to go around and, much like global thermonuclear war, the only way to win is not to play. Unless, of course, you’re a lawyer who charges by the hour.
So, who’s liable? In a way, it doesn’t matter: the OEM absolutely must protect the brand, or it’s game over. They might as well realize the buck stops there and truly own the liability or they’ll pay a premium price for indemnification, and still end up defunct if their global fleet is bricked by a super-virus.
Steve Tengler is a principal at global automotive consultancy Kugler Maag. He has worked on the connected car for top automotive brands including Ford, Nissan and OnStar for more than a quarter of a century. He can be contacted at [email protected].