In 2015 WIRED magazine famously hacked a Jeep Cherokee, slowing it to a crawl on a US freeway. It was an early demonstration of the potential damage that could be inflicted by hackers on connected vehicles. The portal that enabled the hack was manufactured by Harman International, one of the world’s biggest suppliers of OEM equipment for all sorts of vehicles.
Originally American, Harman is now part of South Korea’s Samsung Electronics. Since the Jeep hack Harman has reacted by developing its own cybersecurity product and acquiring Israeli cybersecurity company TowerSec. The $70 million purchase of TowerSec is intended to help Harman to overhaul its manufacturing processes and scrutinise third-party supplier software. As a result, Harman has avoided another public breach and has become a key player in automotive cybersecurity.
With the advent of connected vehicles and the rapid development of autonomous ones, the automotive cybersecurity market is currently enjoying strong growth. Global revenue was around $16 million in 2017, but is expected to reach $2.3 billion by 2025, according to IHS Markit. Key players include Harman, Garrett Motion, Continental and Robert Bosch.
Securing cars from hackers is far from easy. Modern vehicles run on 100 million lines of code, are equipped with hundreds of different technologies and can have up to 150 electronic control units using various operating systems. In addition, cars can stay in use for decades, long after operating systems and component software cease being supported through updates that patch vulnerabilities.
Compared with just a few years ago, automotive cybersecurity requirements now number in the hundreds of pages. New requirements are added all the time.
For the 2024 vehicles under development at BMW Group, for example, suppliers are required to ensure that driving system control units have no direct connection to customers’ internet-connected devices.
When developing data systems, testing is a crucial element in the process. However, automakers typically hand off testing and ensuring the security of data systems to their subcontractors.
At BMW, more than 70% of the components in its vehicles are manufactured by suppliers. “We therefore must expect our partners to take responsibility for implementing cybersecurity in respective deliveries,” the automaker said recently.
General Motors has said that it handles “a significant amount of work” related to security and testing without passing the expense to its supply chain partners.
Recalls and updates
In the wake of the Jeep hack, costly recalls had to be issued for 1.4 million vehicles to fix software flaws at dealerships. Tesla Inc, which offers over-the-air updates as standard, even for safety-critical functions, is the exception.
To address present and future cybersecurity challenges, car makers have begun to collaborate in recent years. Soon after the 2015 Jeep hack, they created a group to share threats and vulnerabilities. Car companies are currently trying to define industry-wide cybersecurity standards that in turn could lower costs for suppliers.
The next step is likely to be a set of common standards. We may see these emerge next year. To enable smaller suppliers to remain competitive, some of the standards might be watered down, but this suggests an industry that is moving in the right direction.
A more detailed version of this article can be found at Automotive News Europe.