LIVONIA, MI – When Delphi Vice President and Chief Technology Officer Andrew Brown Jr. talks about the cybersecurity threat to connected and automated vehicles, he recalls a recent event hosted by the global parts supplier where hackers were invited to try their hands at breaking into a car remotely.
The big winner was a 14-year-old who spent as many dollars on parts from Radio Shack to assemble a security board overnight and hack the vehicle of an unidentified automaker.
“It was mind-blowing,” Brown tells a Center for Automotive Research conference here on automotive cybersecurity.
“All the OEMs said there was no way he should have been able to do that. That’s when the reality came upon us,” he says of the event, which Delphi will host again this year at its headquarters in Troy, MI.
But until that day some eight months ago, Brown admits the industry was skeptical over the cybersecurity threat to its products. It was considered a “Y2K scenario,” the digital meltdown scare 15 years ago that saw the U.S. alone spend $300 billion to prevent.
Now Brown warns, “We know today our systems have some vulnerability.”
Other industries know the risk is authentic. Retailers Target and Home Depot suffered hacks to customer information last year, and a report released Monday detailed how hackers have stolen up to $1 billion from banks worldwide since 2013.
The threat struck the auto industry a few weeks ago when German researchers hacked into the Connected Drive system of a BMW, prompting U.S. Sen. Edward Markey (D-MA) to call on automakers last week to adopt a rating system so shoppers could determine which models are most secure.
Markey’s bid came on the heels of a report from the television news magazine 60 Minutes, where a hacker broke into a vehicle’s communications system and gained control.
“2015 will be the year of auto cybersecurity,” says Praveen Narayanan, research manager-Automotive and Transportation at consultant Frost & Sullivan. “In the last 18 months this topic has exploded.”
Narayanan says telematics systems offer a first point of attack for hackers, and more than 14 automakers offer the option today in the U.S. But the bigger prize will be active safety systems, he claims, a sector of the industry expected to grow sixfold to $91.5 million by 2020 and open the way for automated driving.
“What all this means is more software,” Narayanan says, which will lead to more access points for hackers looking to upset vehicle systems or access owner data from smartphones connected to the car and containing items such as credit card information.
Narayanan, who speculates cybersecurity will add upwards of 5% to the cost of a vehicle, advises automakers currently working with outside firms to begin bringing protection development in-house with their Tier 1 supply partners.
“It will no longer be an isolated thinking item,” he offers.
And the threat is not isolated to the car, says Anuja Sonalker, lead scientist and program manager at Battelle, a technology development specialist that worked with Delphi last year on the hacking event.
Sonalker expects the vehicle simply will become a conduit to accessing cloud-based information about bank and law-enforcement infrastructure.
“The car is a springboard to everything else,” she says.
Robust standards must be written, offers Brett Hillhouse, WW Engineering Solutions executive-Internet of Things at business-systems giant IBM. In that activity, he claims the auto industry is “a few years behind” other sectors such as aerospace and medical-device makers.
Hillhouse suggests automakers and suppliers hire more software engineers, instead of relying on electrical engineers who have “learned how to write code.”
Shawn Slusser, vice president-Automotive Business at Infineon Technologies, says the auto industry should begin hiring security architects for work in vehicle development. Engineers with security expertise also will become a hot commodity, as vehicle software content shifts from 10% today to 40% in the future, and the manufacturing floor probably demands a security chief.
“It’s not yes or no, it’s what level of security,” he tells the CAR conference, where a new attendance record was set for the think tank’s series of educational events. “It’s how much can the car afford and how much will you need to put in.”
Delphi’s Brown does not speculate how much the industry must spend on cybersecurity in the coming years, but notes today’s vehicles use 100 million lines of software code and as the automated driving space grows it will expand to 300 million.
“We cannot sit idly by and say it cannot happen on my vehicle,” he says. “We have to make sure that the safety and security systems are just that. We must understand our vulnerabilities and make sure our designs are up-to-date and we are using best practices. We want to be able to say to our customers, ‘We stand behind what we provide.’”