Mastering the critical art of cybersecurity in Automotive

Blog: Capgemini CTO Blog

Welcome to a brand-new era of automotive, which promises nothing short of seamless, personalized, and connected mobility. No longer is it acceptable (or profitable) for OEMs and suppliers to focus purely on how their vehicles drive. Instead, those that want to succeed are adopting a broader lens, creating cars with sophisticated software that integrate perfectly into a consumer’s digital ecosystem.

Think infotainment systems: navigation, audio, voice assistants, Bluetooth; personalized comfort, such as automatic cooling and seat adjustment with memory; and, perhaps most importantly, unprecedented driver assistance, accident prevention systems, and autonomic driving systems.

But each new line of code that goes into these software-enabled cars brings with it new vulnerabilities, exposing vehicles and the organizations behind them to malicious cyberattacks. But, while cyberattacks can have serious consequences across all industries, hacking in the automotive realm poses a much more sinister and potentially life-threatening risk.

It becomes a matter of safety, not just security. Take, for example, an attack on driver assistance systems, which control braking, speed regulation, blind spot detection, or even geo-positioning functions. A malfunction here could mean devastating and fatal consequences, not only to those operating the vehicles, but also to those in the surrounding vicinity.

Alarmingly, the automotive sector is underdeveloped in cybersecurity. A recent report from the Capgemini Research Institute highlights how most automotive OEMs face growing compliance and cybersecurity challenges as the industry moves to highly connected and software-driven vehicles and systems:

71% believe that the GDPR and other regulations have created unique challenges with regards to privacy and security of customer and vehicle data.
Only 10% OEMs, on average, believe that they are well prepared to implement various cybersecurity measures. Specifically, only about 8% of OEMs consider themselves well-prepared for detecting and addressing security threats across vehicle fleet in the field and only 6% are well prepared to secure vehicles by design to mitigate cyber risks.
60% find it challenging to ensure that suppliers’ products meet regulatory requirements around cybersecurity risks.

As OEMs jostle to satisfy customers and establish themselves as frontrunners in the constantly adapting industry, cybersecurity needs to be repositioned to center stage. OEMs must therefore create a strong technology foundation of data privacy, security, and cybersecurity requirements. However, over a third (37%) do not collect any data related to vehicle cybersecurity and out of those who do collect data, 25% do not analyze it to uncover patterns and insights.
Fortunately, there is no need to reinvent the wheel, as there are mature technologies, tools, and critically, lessons, to be gained from other industries and markets.

So what are some of the best practices that can lead automotive OEMs to safe and secure connected success?

Get the organization on board

The new automotive era goes well beyond the vehicle and into the manufacturing and business model of an automotive organization. Ensuring that security underpins all aspects of the product lifecycle and supply chain will be essential. And how do you enable this? With a concrete, well-defined, end-to-end strategy, understood by all stakeholders in the delivery chain and the whole team.

To this end, OEMs will also need to look at ensuring they have the right team members in all areas of the organizations. OEMs are currently staring at a skills gap of 40–60% in key software-defined areas such as software architects, cloud management experts and cybersecurity experts, which means building and retaining will be critical to creating a cyber-secure organization.

Test, secure, repeat

The average modern high-end car software has a staggering 100 million lines of code – a mind-blowing number when you learn that a Boeing 787 only has 13.8 million. So ensuring that security is built-in at every step is no mean feat. Conducting regular risk assessments and surveys on most critical components of a car system will help establish strong security rules and frameworks. Developers can then rely on these strong security practices while their code is produced and tested, avoiding inherent vulnerabilities.

Don’t put all your eggs in one basket

Defense in depth is a core principle of cybersecurity, already applied in several fields such as aeronautics or industrial systems. Protecting important assets using a multilayered security approach will help OEMs reduce the impact of a successful intrusion. Technological diversity will ensure that pain points across the whole product lifecycle – from in-vehicle applications to network architecture and supply chain actors – are kept siloed. An obvious target? Interfaces connected with the external world, including Bluetooth or over-the-air (OTA) applications. Decoupling these from other pain points will negate a security monoculture and avoid attack propagation.

Dedicated to the cause: establishing a global cybersecurity standard

As cybersecurity remains a relatively new topic for the automotive sector, a list of best practices to guide OEMs is underdeveloped and in general, missing. The global automotive industry as a whole will need to collaborate to develop well-established standards to guarantee that processes and implementations are compliant with shifting regulations and to reinforce the overall security of products. Cross-pollinating existing defense measures and technologies will help lead OEMs in the right direction.

The number of connected cars globally is growing by more than 70 million per year. As the majority (80%) of OEMs express plans to invest significantly in connected services in the next five years, cybersecurity is set to evolve into an even more critical and complex issue. OEMs who want to prosper, protect their customers, their teams, and the future of their business need to recognize the potential of becoming not only an automotive company – but a cyber-secure one too.

Want to learn more about the urgent steps OEMs need to take in order to get ahead of cyber threats and achieve this goal? contact our team today.

Follow Geert van der Linden on LinkedIn and Twitter.