Once hacked, twice shy: auto supplier fights cyber carjackers


When researchers remotely hacked a Jeep Cherokee in 2015, slowing it to a crawl on a US highway, the portal the hackers used was an infotainment system made by Harman International.

Harman, now part of Samsung Electronics, has since developed its own cybersecurity product and bought Israel-based cybersecurity company TowerSec for $70 million to help overhaul manufacturing processes and scrutinise third-party supplier software.

The expensive efforts prevented another public breach and helped Harman become a key player in automotive cybersecurity. They also show the strain suppliers and automakers face in dealing with this new dimension of automotive technology.

“At the end of the day, automotive is a competitive business with small margins. If a competitor wants to eat the cost to win the business, you have to do the same thing,” said Geoffrey Wood, Harman’s director of cybersecurity business development.

The automotive cybersecurity market has seen exponential growth. While global revenue was around $16 million in 2017, it is expected to reach $2.3 billion in 2025, according to IHS Markit, driven by Harman, Garrett Motion, German suppliers Continental AG and Robert Bosch, and smaller US and Israeli companies.

Securing cars from hackers is a complex task. Modern vehicles run on 100 million lines of code, are equipped with hundreds of technologies and can have up to 150 electronic control units using various operating systems.

Unlike consumer electronics, cars stay in use for decades, long after operating systems and component software stop being supported with updates that patch vulnerabilities, a challenge the industry still grapples with.

Automotive cybersecurity requirements now number in the hundreds of pages from just a page five years ago, according to interviews with automotive cybersecurity professionals.

At BMW, for example, suppliers working on the 2024 vehicles now under development are required to ensure that driving system control units have no direct connection to customers’ internet-connected devices, said Michael Gruffke, BMW head of security system functions.

Small auto suppliers with thin profit margins are often the weakest link for hacks, said Rotem Bar, a cybersecurity professional who until recently worked at Israeli company CyMotive, which partnered with German automaker Volkswagen.

Automakers typically still hand off testing and ensuring the security of data systems to sub-contractors, industry experts said.

“It’s shifting the burden on to suppliers because the automaker is not able to test and verify everything along the supply chain,” said Dennis Kengo Oka, senior solutions architect at Synopsys, who conducts research on automotive cybersecurity.

At BMW, more than 70% of components in its vehicles are manufactured by suppliers. “We expect our partners to take responsibility for implementing cybersecurity in respective deliveries,” the automaker said in a statement.

General Motors said in a statement it handles “a significant amount of work” related to security and testing without passing the expense to its supply chain partners.

Ford Motor and Fiat Chrysler did not respond to requests for comment. Volkswagen and Daimler declined to comment.

BUILDING CYBERSECURITY BUSINESS

Harman saw its Jeep hack experience as a viable business opportunity: the supplier now sells cybersecurity software that allows automakers to monitor fleets and provide over-the-air software updates. Analysts at IHS Markit consider Harman a top player in that segment, with some 20 automakers using its over-the-air services.

Harman does not break out revenue for that business. The company recovers some costs by charging higher prices for advanced security.

“We have to educate our sales people in conversations with carmakers’ purchasing departments and say ‘don’t let this go without adding cybersecurity to your quote’,” said Amy Chu, Harman’s senior director of automotive product security.

Asaf Atzmon, the Israel-based vice president and general manager for automotive cybersecurity, said Harman has come a long way since he joined in March 2016.

At the time, Harman employed some security architects and the company later changed its organisational structure, appointing or hiring professionals such as Wood and Chu to oversee cybersecurity efforts, Atzmon said.

The changes helped Harman consider cybersecurity issues at every stage of production, creating a checklist for engineers that includes scanning third-party software for bugs, increasing Harman’s own cybersecurity defences and creating a risk analysis of potential vulnerabilities for every component.

Instead of simply adding comfort features such as Bluetooth, for example, designers first have to show how they would secure such a connection.

A particular challenge is securing vehicles over their entire lifecycle, said Chu. Cybersecurity professionals are used to issuing software patches, but automotive engineers caution only a fraction of vehicles can receive over-the-air updates.

After the Jeep hack, costly recalls were issued for 1.4 million vehicles to fix software flaws at dealerships. Tesla, which offers over-the-air updates as standard even for safety-critical functions, is the exception.

“Things are not that easy in the auto industry,” said Chu.

Conscious of these challenges, the industry has come together in a rare show of collaboration. In 2015, soon after the Jeep hack, automakers created a group to share threats and vulnerabilities, and companies are currently trying to define industry-wide cybersecurity standards that could lower costs for suppliers.

Common standards are not expected before next year. And some standards might be watered down to protect smaller suppliers and ensure they have the resources to comply, said Victor Murray, a group leader at the Southwest Research Institute, which tests cars and components for cybersecurity vulnerabilities.

“You want to be careful and not box anybody in because if smaller suppliers are overwhelmed with mandates they’re out of business,” Murray said.