Cyber security has swiftly gone from a loose concept to an issue that rivals quality, safety and other mainstays of design must-haves. It’s a multi-faceted challenge that extends from simple vehicle systems to cloud connectivity.
“The biggest challenge is how many interconnections there are to many different things,” said Tejas Desai, Head of Interior Electronics Solutions, North America, for Continental AG. “All different types of things connect to the vehicle and we don’t know about what’s on the other side.”
It’s not just the dark side of the Internet that concerns automakers. While hackers are a major concern, automakers must also ensure that a disgruntled employee at a supplier does not create problems.
“Threats are not just external, they can be internal, from within the company or the supply chain,” said Joe Kwederis, Principal, Deloitte & Touche. “That’s not to discount that a predicted 200 million connected vehicles by 2020 will be a huge target, vehicles will be a real trophy for hackers.”
Companies have to protect systems that might not seem to be of interest to hackers. But mundane systems could be taken over by extortionists who search for easy targets.
“Even the heating-air conditioning system has to be protected,” said Roger Berg, Vice President at Denso International America. “You might well wonder who would attack that, but it’s still something we have to consider.”
Experts described a number of issues that arise with connectivity during the 2016 SAE World Congress Panel, “Controlling Digital Exhaust: Cyber Risk and Security in the Age of Autonomous and Connected Vehicles.”
Panelists all cited the need for defense in depth, with a number of layers of protection to an attack that bypasses one protective technology will be caught by another security feature. Many of the charts presented showed scores of factors that must be considered and options that can be implemented.
That has made security an integral part of development programs, much akin to functional safety. It’s becoming a part of processes within Toyota and its suppliers.
“In every development project I’m part of at Toyota, the OEM and suppliers work closely together for a common goal,” said Derek Lewis, Manager, Electronic Systems at Toyota Technical Center. “It’s really critical to have a constant discussion back and forth.”
Corporate searches for solutions extend outside the automotive industry. Many are tapping information technology teams and military providers who have dealt with security for years.
“We want to partner with companies in other industries,” Desai said. “We want to gain insight from what they’ve already learned.”
Companies must also address long term factors. Hackers will be looking for vulnerabilities throughout the vehicle’s life cycle, so it will be important to deal with evolving threats. Information sharing may become common.
“We need global standards about how to react to attacks and minimizing vulnerabilities,” Berg said. “The industry has to look at the complete life-cycle domain, from concept through decommissioning. We need to look at life cycle of 15 years. The attack surface is a long-term thing.”
Panelists also noted that it will be helpful to provide a way for relevant companies to share information about attacks. That way, it will be easier for them to stay up to date. When companies learn about new types of attacks, they can create fixes and send them out using over the air updating technology. Updates are seen as an essential tool in the OEMs' security arsenal.
“There has to be a refined tracking system for attacks,” said Richard Popovich, Executive Vice President of FEDITC LLC. “The risk will turn more to OEMs if there are accidents. OEMs have to ensure that updates are installed to minimize their risks.”