Automotive cybersecurity is still in its infancy but developments have accelerated since 2015, when several high-profile hacks showed the industry"s vulnerability and cost the companies affected a lot of money to fix. The attacks also emphasized big shortfalls in software capability and pushed compliance up the agenda.
With so much to play for, automotive cybersecurity has become a burgeoning but crowded sector. Suppliers already well positioned to benefit from the predicted boom include Robert Bosch, Harman, Cisco, Honeywell, NNG, Irdeto and Karamba and Continental-owned Argus, but IHS Markit senior automotive technology analyst Colin Bird describes the sector as “still very much the Wild West.”
Bird estimates revenues in the sector will have topped more than $30 million at the end of 2017, but will balloon to more than $2 billion by 2024. Said Bird: “About 90 percent of the dots remain to be joined so there is huge opportunity. Out of a potential market of 100 percent, fulfillment is currently 4 percent to 5 percent.”
Israel is currently at the leading edge of cybersecurity innovation and Krishna Jayaraman, an automotive connectivity specialist at Frost & Sullivan, estimates there are close to 10 established companies in the cybersecurity space across different industries with many more to come. He says automotive companies currently spend about 3 percent to 7 percent of their IT budgets globally on security and expects “investments to acquire software services and security capabilities to continue to gain momentum with security becoming part of r&d budgets.”
Cybersecurity experts have criticized the auto industry for not moving fast enough, but there has been a big push to strengthen capability over the last two years. This has created early consolidation.
Harman reportedly spent more than $1 billion to buy TowerSec, Red Bend software and Symphony Teleca in 2015-2016.
Continental bought Israel-based cybersecurity company Argus for a reported $400 million last November.
There has also been brisk acquisition activity further down the chain with innovative young companies being swallowed by bigger players.
There is no single answer to safeguarding cybersecurity in vehicles because there are so many moving parts -- software, hardware, data, networks and the cloud. Cost is an issue as is how to integrate solutions, such as layered encryption, into existing architectures. Control of the supply chain, securing the loop from the car to the cloud and ensuring that a vehicle can continue to function even if it is attacked, are all potential weak spots in search of solutions.
Companies are taking different approaches to the problem but multiple inter-manufacturer cooperations, partnerships with legacy suppliers, and cross-industry collaborations are accelerating the rate of development. In 2015, the industry-backed Auto ISAC, (Automotive Information Sharing and Analysis Center) was formed to identify and track potential cyber threats globally.
Legislation is adding to the pressure for viable solutions, as is the fact that virtually all vehicles will have some form of connectivity by 2020. Guidelines and legislation on cybersecurity are coming fast. The Self Drive and AV Start Acts have been introduced in the U.S. while the EU’s cybersecurity agency is looking at issuing certificates to connected cars similar to those used in other critical areas such as food safety.
Last August, the British government laid out its position on cybersecurity, putting the responsibility for dealing with the issue firmly on the shoulders of the manufacturing supply chain. British officials also stated that cybersecurity should be owned, governed and promoted at the board level.
“We are already seeing initiatives whereby the top management of the companies delivering these [cybersecurity] programs will be personally liable,” says Alex Kocher, president and managing director of embedded software solutions company and Continental subsidiary Elektrobit. “The big challenges we face are to build the right infrastructure, to maintain it over the life of the vehicle and to have very fast reaction times to any problem. We recognize that having 100 percent cybersecurity is not a reality.”