Digital horsepower. Lots of it. That’s what it takes for the myriad of on-board computerized infotainment, engine control, automation and communications systems to perform their daily miracles.
How much? According to a report by the McKinsey Institute, today’s vehicles contain up to 150 engine control units and a combined 100 million lines of software code. By 2030, that number is expected to balloon to about 300 million lines, with IEEE projecting some autonomous vehicles will hit 1 billion.
In comparison, a passenger aircraft has an estimated 15 million lines of code, a modern fighter jet about 25 million and a mass-market PC operating system close to 40 million, according to McKinsey.
Amazing, right? It is. Amazing not only because of the capabilities and conveniences all that digital horsepower provides, but amazing in the increasing opportunities for cybersecurity attacks by those with nefarious intentions. That’s why it’s time the industry, with the help of government, tightens up its defenses.
Indeed, the United Nations Economic Commission for Europe (UNECE) is not just suggesting but is requiring that automakers “up their cybersecurity game.” Non-compliance means losing the right to sell their vehicles in certain nations, potentially costing them billions in lost sales.
Starting in the European Union from July 2022 and staged to July 2024, UNECE regulations require a proper Cybersecurity Management System and Software Update Management System to operationally monitor and adjust long past the sale of the vehicle.
In short, the UNECE cybersecurity regulations mandate automakers to show evidence of sufficient cyber-risk management practices from vehicle development through production all the way to post-production. Failure to complete the upfront and ongoing engineering demands could result in billions of dollars of palpable and opportunity costs.
So far compliance is varied. In the European Union the regulations will be mandatory for all vehicles starting July 2022. Japan and South Korea plan to introduce them in steps. Altogether the three regions accounted for the production of about 32 million vehicles in 2018, according to the UNECE.
In the U.S and China, the world's two largest auto markets, governments have issued only non-binding guidelines or best practices. Still, the industry is on notice it must protect its customers from cyberattacks that can cause not only inconvenience but also life-threatening safety situations if they lose control of their vehicles.
Given the historical difficulty in quickly ramping up a qualified cybersecurity team, the short timeframe to comply has led to what could best be described as “panic hiring” of engineers and specialists in cybersecurity.
Automakers and suppliers should not conduct “hair-trigger” hiring to make an impending regulation deadline but rather protect their long-term cybersecurity by taking a more deliberate approach. This means adopting the philosophy of “hire slow, fire fast” that translates into taking the time to fully screen applicants to ensure their skill level, experience and honesty.
OEMs and suppliers also should work to identify threats early and make sure their teams understand cybersecurity regulations and standards and how to apply them during development. Adapting existing workflows and procedures to address key cybersecurity issues and establishing new ways to work securely also are musts.
The McKinsey report supports the industry relying on partners, declaring, “Cybersecurity is very complex, and no company will be able to do everything on its own. Thus, partnerships will become essential.”
McKinsey is correct in suggesting those partnerships should cover capabilities that include: managing vehicle cyber risk; securing vehicles by design; detecting and responding to security incidents; and providing safe and secure software updates, as well as penetration testing and consultant services.
The UNECE cybersecurity regulations are only adding urgency to addressing a vulnerability in a state of constant escalation. One analysis predicts in the next 10 years there will be 966 million (accounting for approximately 86% of the global automotive market) connected cars on the road all “talking” to each other, offering all sorts of information and, by extension, opportunities for hackers.
All that digital horsepower, all those capabilities consumers are demanding and are willing to pay for. But without putting up strong and constant defenses all those marvelous technologies that add to our motoring enjoyment are open to cyberattacks with devastating physical and fiscal results.
Without security, there is no safety.
Steve Tengler (pictured above, left) is a principal with Kugler Maag Cie (https:// www.Kuglermaagusa.com)