It’s 2019 and where do we stand? To an outsider, it might look like the automotive industry is sitting on its hands when it comes to cybersecurity. But there’s a lot more going on behind the scenes than you might think.
OEMs and their tier suppliers are beginning to consolidate and cooperate. This year we’re already seeing chipmakers and cybersecurity suppliers working together on solutions for automakers. So what’s driving this, and what else does the year ahead hold for automotive cybersecurity?
As big OEMs such as BMW, Ford and GM continue to ramp up spending on their autonomous vehicle programs it’s likely we’ll see Level 4 autonomous vehicles be deployed more widely. We may even see high-end automated vehicles become available to consumers as a product, and not only as a service, if the costs of the necessary electronics continue to fall.
To illustrate, BMW raised its R&D spending in electric and autonomous vehicles to about €7 billion ($8 billion) last year. With this kind of investment, it’s become essential for OEMs and their suppliers to secure their vehicles, ecosystems and components from malicious attack. With that in mind we expect them to begin integrating solutions into their vehicles this year.
2019 will see the continuation of the trend toward ECU consolidation, with once-separate ECUs – such as telematics and infotainment – being combined into one system. These electronics control units will perform both functions, and in some instances even form gateways to the in-vehicle network
As these ECUs become more powerful they become more tempting targets for hackers. It’s vital that protection of these systems be considered in any multi-layered security strategy.
While providing greater functionality, connected ECUs also allow for the gathering of data on a larger scale. Connectivity, personalization and car sharing will drive the collection of data from vehicles going forward. This data is a potentially lucrative target for hackers, with vehicle usage data set to reach an estimated market value of $750 billion by 2030 according to a recent study by Mckinsey & Company.
Expect to see attempted (and potentially some successful) data breaches in this area. This, in addition to regulation and legislation in the form of GDPR and its like, will push automakers to place greater focus on data privacy protection in automotive environments.
Monetization of Cyberattacks
Cybercrime is big business and is expected to reach a value in the multi-trillions by 2022 according to Juniper Research. Personal data is a tempting target and as vehicles become more personalized and we store more data in them, the more likely an attack will come.
We should also consider vehicle ransom. So far, we have only (publicly) seen full-scale attacks on vehicles for research purposes. In 2019 we may see attacks that are more focused on monetization. These attacks might mirror the WannaCry ransomware from 2017 that caused havoc across 150 countries, causing estimated damages to the tune of hundreds of millions, if not billions, of dollars.
Standards and Regulation
The guidelines and standards are still far off. The ISO/SAE guidelines are still two years away, and that’s just the draft versions. This is obviously far too long for OEMs and their tier suppliers to wait. They are desperate for guidance, and they’re looking to cybersecurity providers and industry organizations such as AUTO-ISAC for help.
It is likely we will see movement from legislators in 2019. Whether this is driven by the advances in autonomous vehicles and the need for regulation in this area, or by pressure from automakers remains to be seen. Certainly, with the high-profile FCA Jeep Cherokee class-action lawsuit now set to go to trial in October in an Illinois federal court, OEMs will be watching very closely.
Market Penetration of Cybersecurity Systems
All this has led to a sense of urgency, and of nervousness, among OEMs. No one wants to be the first to suffer a crippling cybersecurity attack. Yet nor do they want to be seen as the first to move – potentially painting themselves as a target for hackers. These conflicted motivations have held them back from acting; however, this reluctance is weakening.
It’s clear that R&D in connected systems for vehicles has seen a huge spike in spending, whether for electric and automated vehicles, or for safety and communications features such as ADAS or telematics ECUs. And with investment comes the drive to protect it.
As these systems evolve and grow in complexity it becomes even more important that cybersecurity is considered, not only as a feature, but as a fundamental design principle. OEMs and the tiers that support them are coming to understand this, and in 2019 we expect the industry to start commercially adopting cybersecurity systems at a large scale.
Ziv Levi is CEO of Israeli automotive cybersecurity company Arilou Technologies