We haven’t yet reached mid-way through the first month of 2016 but 4 key events in M&A, OEM action and standards provide clear evidence of what to look for in the Automotive Cyber Security Market over the year.
Timeline of key events in the Automotive Cyber Security Market in Jan 2016
Jan 6 | Harman is acquiring TowerSec for an estimated $70-75 million
Jan 6 | GM launched a cybersecurity bug bounty program which encourages researchers to find vulnerabilities in its cars and disclose them
Jan 5 | NHTSA ends 5-month investigation on Fiat-Chrysler’s automotive radios following the Jeep hack
Jan 15 | The USDOT, the NHTSA and 16 major automakers are expected to announce voluntary agreements on cybersecurity, recalls, defect reporting and proactive safety
Harman leads acquisitions in the marketplace, similar to 2015
Harman, which in Mar 2015 acquired another Israeli company engaged in car cyber security, Red bend, as well as Symphony Teleca, aims to integrate TowerSec’s ECUSHIELD and TCUSHIELD into its own ‘’5+1 security architecture’’ to protect connected and autonomous cars. This move demonstrates how integral cyber security is for a comprehensive Connected Car portfolio.
Ann-Arbor, Michigan-based TowerSec delivers on-board cyber security technology to OEMs, suppliers and telematics unit and service providers. The company received an undisclosed investment from IncWell back in Oct 2014 and it has cooperative agreements with British AC Cars and French SEGULA Technologies to embed its technology to their offerings.
‘’The ECUshield can be built-into smart gateways, body control modules, and other CAN-based ECUs and no additional hardware required’’
Dr Anuja Sonalker, VP of Engineering and Operations at TowerSec
2 reasons why M&A and partnerships will continue in 2016
With a government mandate in the horizon, carmakers will face an additional cost from having to integrate cybersecurity solutions into their future Connected Car offerings. Automotive Cyber Security expertise though is rare among their Tier-1 suppliers therefore demand for car cybersecurity experts will increase. This will probably lead to more partnerships or M&A over the next few years as carmakers tend to prefer having all the expertise in-house.
What is more, the viability and successful monetisation of Connected Car business models requires the incorporation of robust automotive cyber expertise and the capability to implement cyber security. This will attract further investment for cyber security experts, either in terms of capital or personnel.
GM joins Tesla in bug bounty programs
So far, Tesla was the first and only company to reward hackers with $100-$10,000 for reported bugs in its cars. Daimler has its own team of hackers testing the vulnerabilities of its vehicles since 2012.
Now GM launches a cybersecurity bug bounty program which encourages researchers to find vulnerabilities in its cars and disclose them. This comes almost after a year since a researcher named Samy Kamkar demonstrated the capabilities of remotely locating, unlocking and starting the engine of vehicles equipped with GM OnStar. In its first 8 days of the bug bounty program’s operation there have already been 2 issues identified by a researcher and already closed.
‘’In the last 6 months, the awareness level has risen much higher in the industry. We see a lot more activity in terms of the penetration testing requests we receive and also in terms of evaluation of our product’’
Ziv Levi, CEO Arilou Technologies Ltd
OEM demand for vulnerability assessments to rise in 2016- product integration follows
GM’s move demonstrates that demand for cyber expertise, both in terms of 3rd party vulnerability assessments and/or personnel, will rise even more in 2016. This will lead to more product evaluation and in some cases product integration for their next generation vehicles before the end of 2016.
Additionally, as the number of Connected Car and Connected-to-the-car devices increases, the vehicle’s attack vector will grow exponentially. OEMs realise that a collaborative approach, together with a proactive strategy can lead to more effective car cybersecurity. Thus, we expect more OEMs to follow on GM’s footsteps of GM and adopt similar practices.
The USDOT, the NHTSA and 16 major carmakers are expected to announce voluntary privacy principles on car cybersecurity
In a nutshell, no official regulation or common standards in Automotive Cyber Security exist yet. But regulators and the auto industry are working on both as demonstrated by the SPY Act in the US and the announcement of J3061 standards from SAE International.
Following a record 63.95 million vehicle recall in the United States in 2014 and multiple fines for safety violations, the government and the car industry are working on a framework that will guide their work on cyber security, as well as safety, defect reporting and recalls. In this direction, multiple industry sources indicate that the USDOT, the NHTSA and 16 major carmakers are expected to announce voluntary agreements on Jan 15, as required by their meeting in Chicago on Dec 16.
This step reaffirms our position that Automotive Cyber Security is now a top priority for carmakers, as well as regulators, because of its implications on physical safety, the carmakers’ whole business and the transition towards more automated vehicles.
Collaborative, proactive Automotive Cyber Security is paramount, but is it realistic?
Although we view any collaborative, industry-wide agreement as a step forward, we approach this development with scepticism because of the degree of effectiveness when relying in voluntary agreements in an industry characterised by the lack of collaboration among OEMs, as in the case of Electric Vehicles.
Carmakers disagree on the effectiveness of a mandate, with some arguing that industry-wide cybersecurity guidelines and practices would be more appropriate to mitigate real-life malicious cyber-attacks than a government regulation in terms of speed of action and relevance.
But in our view, mandatory fitment of robust software and/or hardware solutions together with industry-wide standards and certification of peripheral devices can reduce organised crime’s incentives to attack cars as their probability of success and their gain from infiltrating car security will decrease significantly.
Fiat-Chrysler’s investigation ends but is there more to come?
On Jan 5, the NHTSA ended its 5-month investigation on the 1.4 million recalled Chrysler’s (FCA US LLC) models equipped with Uconnect head units (HU) 8.4A (RA3 radio) and 8.4AN (RA4 radio) manufactured by Harman International. The investigation, issued by the Office of Defects Investigation (ODI) on Jul 24 2015, aimed to ‘’examine HU security vulnerabilities and remedy effectiveness in the recalled population and to determine whether similar units have been supplied for use in other FCA vehicles’’ according to the agency.
The recall query investigation is now closed following remedies in the recall vehicle population and no findings that infotainment units sold to other companies by Harman were susceptible to hacking.
‘’The opportunity cost of management distraction, the potential loss of sales, the cost of a recall, and then potential lawsuits and/or fines from the regulators mean that OEMs must take Cyber Security seriously and act now-doing nothing is not an option’’
Mike Parris, Head of SBD Secure Car Division
Car hacking is inevitable so what can be done to secure Connected Cars?
Malicious cyber-attacks on cars from organised crime can and will move from a possibility to reality. Why?
Simply because we expect the proliferation of Connected Cars over the next ten years and considering that more than once ‘’white hat’’ researchers have demonstrated that modern Connected Cars can be hacked, there are many reasons to worry about. To put it simply, in many cases the existing in-vehicle network security needs to be upgraded to withstand the new cyber-threats arising from the introduction of the Cyber-Physical System.
Additionally, the amount of personal data (e.g. preferences, behaviour, location, even credit card details) collected and distributed over the network by Connected Cars will increase significantly over the next decade as the Internet-of-Cars develops (OTA, V2V, V2I, Autonomous).
‘’A multi-layer approach is always a good practice, starting with a holistic process of security by design which involves addressing potential threats right from the requirement and design phase of products’’
Asaf Atzmon, VP of Business Development, TowerSec
Finally, as the number of connected-to-the-car devices increases, the vehicle’s attack vector will grow exponentially. And what’s worse, what we call Peripheral car cybersecurity will never be 100% robust. Even the smallest breach in car cybersecurity, whether it’s in-vehicle, peripheral and/or cloud security, is enough to draw the attention of sophisticated criminals who look for opportunities to monetize vulnerabilities.
To learn more about the Automotive Cyber Security market, including our forecast on the adoption of Cyber Security solutions for Connected Cars in key geographies over the next decade and insight into the evolution of the market landscape read our report:
For more information on this report, including sample pages and full Table of Contents, please contact us on (+44) (0)20 3286 4562 or using Contact us form