2020 May Be the Turning Point for Automotive Cybersecurity

The first blog I wrote for Guidehouse Insights, in 2014 was a critique of the auto industry’s approach to cybersecurity. At the time, we were about 6 months away from a 60 Minutes report demonstrating a remote attack on a General Motors (GM) vehicle and 1 year from a Wired story of a similar attack on a Jeep. In the years since I wrote that article, much has changed. 2020 looks like the year more secure vehicles will hit the market.

The first demonstrations of security vulnerabilities in vehicles emerged in the late 2000s, with many of those early attacks requiring physical access to the vehicle through the diagnostics port. By 2014, researchers at the annual Black Hat conference began to show the potential for remote attacks. But 2015 was the year the industry finally awoke to the threat. The 60 Minutes and Wired reports showed researchers taking control of a vehicle’s brakes, steering, and other functions through laptops, while reporters in the driver’s seat could do nothing, certainly got some attention.

Automotive Industry Takes Cyber Attacks Seriously

In the years since, all of the major automakers and most big suppliers (except for Tesla) formed an Automotive Information Sharing and Analysis Center (Auto-ISAC). Many startups focused on how to secure vehicles also came onto the scene, many launching in Israel. GM appointed its first chief product cybersecurity officer and its automated driving unit Cruise Automation hired Chris Valasek and Charlie Miller. Numerous automakers now operate bug bounty programs, which enable security researchers to responsibly disclose security vulnerabilities they have discovered to manufacturers and earn cash rewards.

Before vehicles became ubiquitously connected to the outside world, there was comparatively little risk of an attack if you needed physical access. If someone wanted to mess with a vehicle, there were far simpler ways to do it than hacking the electronics. Since few saw cyber attacks as a threat, it was not really considered in design.

New Smart Vehicles Have Better Cybersecurity

2020 will see the launch of many new vehicles that are more dependent on software than ever before to manage electrified propulsion, more advanced driver assist systems, and even partial automation. Most of these new vehicles incorporate redesigned electrical and electronic architectures. GM has its Digital Vehicle Platform that will go into all of its new vehicles starting in 2020. Volkswagen Group has an advanced architecture for its MEB EV platform and the EV platform for the Ford Mustang Mach-E is new from the ground up.

Each platform has been designed with security in mind. To varying degrees, automakers have begun consolidating the 100 or more computers into fewer, more powerful machines with virtualization capability. Network gateway modules monitor all data traffic for any anomalous messages. The code running on these computers is digitally signed and encrypted to make it more difficult to penetrate and change. New tools from vendors like Aurora Labs and Karamba Security make it more difficult to successfully inject malware.

Constant vigilance from Auto-ISAC and independent researchers will remain essential as we move toward highly automated vehicles like the GM/Honda Motor Company developed robotaxi unveiled by Cruise Automation, and Ford’s upcoming 2021 automated vehicle. When flaws are inevitably found, these new vehicles will have the ability to be updated over-the-air.