Cybercrime Magazine (CM) recently conducted a podcast interview featuring Deloitte Germany’s Automotive Cyber Security Practice Director, Ingo Dassow. During the interview, Ingo provides insight into the challenges and opportunities that automotive original equipment manufacturers (OEMs) face with today’s connected cars. Below are some of the highlights.
CM: What are the challenges automotive OEMs face with connected car cybersecurity?
ID: There has been a fundamental shift in how automotive OEMs view themselves and their business. A decade ago, they just made hardware – cars you can drive off the lot. Today, they see themselves as “mobility providers,” which opens up entirely new business models.
When you think about today’s connected cars, they collect an enormous amount of data. Just like Amazon uses data to understand customer journeys and behaviors, the same can be done with people driving connected cars. But this also opens vehicles to a complex threat landscape. This has not gone unnoticed by regulators, because cyber attacks on cars can harm the safety of vehicles and the people inside of them. If you, as an OEM, can’t show you’re managing cyber from the beginning of the design process forward, you’re out of the game. You’re not going to be able to bring the vehicle to market.
CM: What’s driving this new area of risk in the auto industry?
ID: The business model around automobile sales has changed. OEMs used to be in the business of selling cars. Now they’re in the business of providing a mobility platform that can generate recurring revenue. This has put the customer at the center of the universe – with the car serving as a platform for delivering a variety of mobility experiences that people want. This is easiest to see in the infotainment displays in cars today – it is a portal fed by a wide variety of content providers and subscription services. But when you open up the car’s architecture to deliver these services, you also open it up to cyber threats.
We have this new world where the vehicle is a platform for the delivery of services – but it needs to be done in a secure and compliant way.
CM: Automotive supply chains are complex – how does this impact incident response?
ID: Automobile OEMs today are only integrators – most of the code and electronic control units are built down the supply chain. And yet, the OEM is ultimately liable for the quality of work of supply chain partners when they deliver the vehicle to market.
This makes it very important for OEMs to be aware of the software quality procedures in place not only at their primary suppliers, but also at the suppliers’ suppliers. There are companies in the third, fourth or even fifth tier of the supply chain developing code for vehicles. This makes it a serious challenge for OEMs to build a “trust chain” that can ensure the quality and security of software being provided by different members of the supply chain.
CM: Why is it important to embed cyber into innovation strategies?
ID: Cyber has become an enabler for digital processes. You simply can’t digitally innovate connected cars without embedding security into the process, because the lack of appropriate cybersecurity controls can jeopardize the safety of the car.
Regulatory compliance is another important consideration when evaluating new digital innovations. Today’s vehicles generate an enormous amount of data, and OEMs are collecting that data in data lakes, but they often don’t dare use it due to compliance considerations. We’re working with OEMs to develop approaches for the ethical use of that data, factoring in the culture and laws of each geography where the cars are being driven. It’s a data governance challenge – and one that has to be factored into vehicle design early in the process, because “failing late” with data governance can be a showstopper for the entire development project.
CM: What are the aftermarket cyber challenges for OEMs?
ID: This is a unique challenge, because with new regulations OEMs are responsible for performing software updates across the lifetime of the car. One of the big challenges is the life span of the computer systems in cars. When you think about it, the typical enterprise replaces its servers every 2-3 years. But the hardware in an automobile typically has a 10-12 year life span, and users want new functionality – so that means you need to be able to perform updates for functionality and security on the “same old hardware” for a very long time. This is not a trivial problem.
Another key thing to think about is the threat landscape. Attackers are learning and becoming more skilled at attacking connected cars – so it’s important for OEMs to understand these emerging threats so they can take them into account when they assess the various potential vulnerabilities in the car. Attackers may not have the skills today to exploit a particular vulnerability, but they very well might in the near future. So there needs to be robust threat hunting and threat intelligence in place to understand how these attack groups are evolving.
CM: Who’s taking the lead in creating regulations requiring OEMs to address these issues?
ID: The United Nations Economic Commission for Europe (UNECE) has been taking the lead in defining regulations. These regulations require OEMs to have a certified management system in place by 2022, and a software update management system as well, so they can update and patch systems on connected cars. These regulations will evolve as we see autonomous driving mature, which will open new challenges for OEMs.
CM: What can companies do now to prepare for increasing regulation in the future?
ID: One big thing they can do is evolve how they’re organized. Auto manufacturers today are organized in domains – they have different groups focused on different parts of the car. But cyber needs to be end-to-end, across systems and across the entire car lifecycle. There is an ISO regulation integrated with the UNECE standard (WP.29) that provides best practices on how to do this.
We help OEMs achieve these best practices by starting with a maturity assessment, to understand how well the OEM is integrating cyber into the design and development of the car, and how well they are conducting ongoing vehicle security monitoring. From there you can discover gaps and develop a roadmap for achieving compliance.
Beyond UNECE regulations, there will also be local laws that need to be considered, and they will vary across geographies. There are not yet many local laws in most parts of the world around autonomous driving. But in Japan, they want to use autonomous vehicles to drive athletes to sports venues for the Tokyo Olympics this summer, so they have accelerated the development of these laws and are ahead of the rest of the world. As autonomous driving advances and becomes increasingly common, we will see these types of local laws across other geographies as well, opening a whole new layer of complexity for automobile OEMs.