“It’s zombie time.” How are we saving our cars from cyberhacking?

Michelle Lo
Feb 4, 2021

This scene in The Fate of the Furious, part of the Fast & Furious franchise, shows Cipher (Charlize Theron), international hacker extraordinaire, wanting to hack “thousands” of cars in NYC from her control room. Her employee strikes a few keys and boom, her proclaimed “zombie cars” come to life, with her at the helm commanding them to crash into each other in order to corner a motorcade with nuclear codes. Honestly, it’s a pretty terrifying scene that exaggerates a real-world concern about the developments in ACES (autonomous, connected, electric, shared) vehicles and how cybersecurity will play a part in keeping our vehicles in our control.

Insight;

Car makers will be expected to deliver vehicles with cybersecurity measures similar to how physical safety measures are touted today. New cybersecurity regulations (UNECE WP.29) and best practices are expected to make automakers liable to show cyber-risk management and the ability to fix bugs and security issues over-the-air on customer vehicles. Due to these expectations and regulations, the automotive cybersecurity market will reach $9.7B by 2030.

Context;

The UNECE WP.29 (United Nations Economic Commission for Europe World Forum for Harmonization of Vehicle Regulations Working Party 29) is set to enforce cybersecurity regulations for 2022, which are expected to impact 20 million commercial vehicles worldwide in the top 10 countries. The regulations will force automakers to:

Manage vehicle cyber risks;
Secure vehicles by design to mitigate risks along the value chain;
Detect and respond to security incidents across the vehicle fleet;
Provide safe and secure software updates and ensure vehicle safety is not compromised, introducing a legal basis for so-called “Over-the-Air” (O.T.A.) updates to on-board vehicle software.

Automakers will need to identify and design processes and architecture at all levels of their value chain, giving suppliers and small businesses the opportunity to provide vertical solutions. (See my previous post on Automotive Software and Electrical Hardware.)

On top of pressure from regulation, automakers will also face increasing litigation over cybersecurity. This National Law Review article details a recent class action lawsuit, Flynn v. FCA US LLC, where the plaintiff, Flynn, demonstrated that the FCA UConnect system could be hacked in a controlled environment. The court dismissed the case, citing that all products have vulnerabilities and that cybersecurity hacks are speculative. This outcome is positive for automakers and sets a good precedent on what the automaker is responsible for. However, with more digital products in vehicles, we will be seeing an increase in these types of cases.

Investors;

Companies that audit, inspect and certify start-ups and OEMs to the regulations will be necessary. The models they develop may include Blockchain technology and Software Defined Perimeter (SDP). SDPs enable secure communication between the cloud and the vehicle, and Blockchain enables secure smart contracts, billing, and other forms of information/messaging transfer. Be on the lookout for these full-stack solutions (enterprise IT providers) for encryption and security. There will also be specialized security start-ups that focus on a small aspect of the stack; they will have the opportunity to partner with OEMs to develop specific security tools.

Industry;

Automakers need to implement a vertically integrated architecture that addresses cybersecurity in all aspects of their value chain. The UNECE WP.29 regulation requires automakers to manage software version tracking, create robust engineering requirements with inherent security features, source certification bodies compliant with the regulation, conduct research and development into edge cases, and develop customer incident response plans. Take cues from the enterprise IT industry, a much more highly regulated sector in cybersecurity, to build out security operation centers. Be strategic about how your vehicle will receive security updates over its lifetime of use, which is significantly longer than that of any operating system in consumer electronics.
