Cybersecurity in the Connected Car
Author: CSC Town Hall
The recent Internet-based hack of a Jeep Cherokee by cybersecurity researchers has automotive OEMs scrambling to secure vehicle systems and the electronic control units (ECUs) that operate them. These systems are facing even more scrutiny and regulation following the Volkswagen emission control software scandal.
- Rajesh Gupta, Global Industry General Manager, CSC
- Bill Lang, Americas Consulting for Manufacturing, CSC
- Suresh Mandava, Associate Partner for IoT/Big Data Security
- Dr. Alexander Schellong, General Manager of Cybersecurity for Central and Eastern Europe, CSC
- Jeff Caruso, Senior Managing Editor, CSC
Connected cars offer entertainment, navigation and safety benefits, but they've also proven vulnerable to hackers. This CSC Town Hall discussed developments affecting manufacturers’ efforts to improve vehicle security and data privacy.
Millions of vehicles are being woven into a fabric of connected devices, raising many new questions about cybersecurity and privacy. Dr. Alexander Schellong, general manager of cybersecurity for Central and Eastern Europe at CSC, says that as the cyber ecosystem becomes more complex, so do the needs for security. "The issue of securing connected cars is not about technology alone. It's equally about processes, organizations, legal aspects, policy and social questions. Security comes at a cost, in usability or in profit margin, and the introduction of connected cars and the Internet of Things creates a new set of risks, new security requirements, and new costs," he says.
Rajesh Gupta, CSC global industry GM, Automotive, says recent demonstrations of remote vehicle hacking have highlighted the vulnerabilities of current vehicle information system designs. "OEMs haven't put any emphasis on security because they thought the possibility of remote attacks was low, but we see now that cybersecurity hasn't gotten the attention it deserves," Gupta says.
As connections grow between cars and the Internet, other cars and devices, Gupta says other vulnerabilities will be found. "Everyone in the value chain has to get serious about it – parts suppliers, OEMs, dealers, regulators, service providers. Everyone needs to be part of a coordinated response," he says.
Today's vehicles may carry 300 million lines of code in their systems, four times the code base of a Boeing 747. Suresh Mandava, CSC associate partner for IoT and big data security, says this complexity underscores the technical and business issues that manufacturers face. "This stems from the lack of integration among multi-vendor components and multiple software components. Overall, it demonstrates a lack of maturity toward vulnerability and security testing standards, encryption and data protection standards," he says. On the business side, Mandava says manufacturers will need to reconsider industry-standard practices like sourcing lowest-cost components. "Finding the cheapest supplier for a component doesn't bode well for security or privacy," he says.
Federal involvement may soon shape automakers’ response. Legislation introduced in July 2015 would involve federal agencies setting security and data privacy standards for vehicles sold in the U.S. Mandava says that, if passed, the legislation would require manufacturers to make reasonable efforts to secure all electronic entry points into newly manufactured vehicles beginning two years after regulations are set by federal agencies.
Beyond regulation, new business opportunities may encourage manufacturers to tighten security and privacy to protect a cache of data that's growing more valuable every day. William Lang, with CSC Americas consulting for manufacturing, says the evolution of the connected car creates an opportunity to look at the entire ecosystem for the industry, from OEMs and suppliers to downstream participants.
"OEMs are starting to see the value of the data collected by connected vehicles. At least two manufacturers I know are setting themselves up as telematics service providers to collect and sell data, replacing data collection done by dongles or cell phones," Lang says. "For applications like usage-based insurance, this can supply better data at a lower cost. There's a lot of opportunity for companies to evaluate their business processes and develop new services that can generate new revenue."
Other topics discussed include:
- The impact of regional legislation on connected cars
- Efforts to develop pan-industry security and privacy standards
- Determining responsibility for managing the connected car ecosystem