Imagine driving home from the supermarket in your car when suddenly the windscreen wipers start sweeping at the highest speed, although there’s not a single cloud in the sky. The next second, the A/C blows hot air in your face and the stereo turns to full volume. You can’t find a minute to get angry about that because, all of a sudden, your car starts accelerating uncontrollably. And this is the moment you realize your vehicle just got hacked.
The threat of cyber hacking for automotive OEMs is real
What sounds like an unrealistic horror scenario actually happened in 2015, when two American cyber security researchers successfully hacked a new Jeep Cherokee (although they did it in a controlled environment). The event caused a bit of turmoil in the automotive world, but quickly disappeared from the spotlight when the details of the Diesel emission scandal leaked, making 'Dieselgate' the biggest car-related scandal to this day. However, Dieselgate could look like a trifle compared to the threat posed by what these two men had just done for the first time.
In the scenario described at the beginning, the researchers remotely took full control of the moving vehicle. They activated the windscreen wipers, honked the horn, accelerated and even disabled the Cherokee’s brakes. In response, 1.4 million vehicles were recalled. It seems that at this moment the Internet of Things (IoT) had surpassed the Security of Things (SoT). The risk of cars being hacked is increasing steadily with the rising number of connected cars. Most vehicles today offer some form of connection to the internet and other external sources, which is necessary to find destinations or POIs, to obtain traffic or weather information, or to play your favorite Spotify playlist on the car's infotainment system.
The increasing connectivity of cars increases the risk of hacking
Each of these interfaces should be seen as a potential entry point for criminals to intrude into the car's systems. The threat will become even more visible the moment autonomous cars hit the streets without any human behind a steering wheel to intervene. The impact and consequences could be very severe. Just imagine cyber-terrorists hacking into the systems of an OEM's fleet.
It would then take them only the push of a button to engage various functions in those vehicles. The range goes from the rather harmless, like accessing the media system, to the life-threatening, such as making all cars of that specific manufacturer accelerate, brake or turn the engine off. If this were done synchronously, thousands of accidents would suddenly happen all over the world, possibly causing a global road traffic collapse with numerous fatalities. Besides the destroyed reputation, that specific manufacturer would certainly not survive the flood of compensation demands following this incident.
This makes cyber security one of the top priorities automotive OEMs should have right now. And as a study about the acceptance of autonomous cars shows, customers are already aware of the risks and express their concerns about cyber security issues: in a survey of 127 people, 42 rather agreed and 30 fully agreed that they were afraid that someone else could hack their car and thereby gain access to the vehicle. And the fear of third parties gaining control over the vehicle functions is even greater: more than 58% rather or fully agreed that they were afraid of a third party hacking into their car and taking control of the vehicle (see Daniel Kolb, 2018: Zur gesellschaftlichen Akzeptanz des autonomen Fahrens).
Still, car manufacturers seem to be reluctant, or overwhelmed, when it comes to taking serious countermeasures against these issues. But what are the reasons for this? It appears that cyber security is often seen as a task for the IT department, which needs to get lines of code straight and fix the issues. However, it is not that simple. Cyber security must be implemented and lived across the whole organization to cover the entire automotive lifecycle. And even when the first cyber security project seems to be done, it should be updated constantly and integrated into a continuous improvement process. That is a big step for companies that look back on a proud heritage of building great mechanical products and employ only a few IT specialists.
How to tackle the challenge of cyber security regarding OEMs?
Transnational legislators have become aware of the issue and are currently working on several frameworks to make sure risks are minimized. Those efforts include development standards such as ISO 26262 and assessment models like Automotive SPICE. Yet most important will be the cyber security specific standard ISO 21434, which is going to be released in 2020 and will cover aspects such as threat analysis and risk treatment for the full automotive lifecycle.
To successfully implement the mentioned standards and ensure all cars are as cyber-safe as possible, automotive OEMs and their suppliers need to invest in the right resources and tools and establish appropriate processes and methods. This can be challenging, especially in large organizations. With our experience in analyzing and remodeling business processes as well as helping OEMs to implement frameworks and process models, accilium is the ideal partner for automotive OEMs to get ready for the digital future.
Published by Daniel Kolb & Rafael Schmid
Header Photo by Kaique Rocha of Pexels