Connectivity sits at the forefront of vehicle development in the market today, with global automakers focusing on innovations such as infotainment and autonomous technology. With this new era of the connected car, vehicles are further relying on a constant internet connection which has created a new risk of cyber security. Car hacking is now, more than ever, becoming a serious threat to the automotive industry, as cyber attacks are forcing manufacturers to find different methods to protect the connected car. Unlike consumer devices, such as smartphones and tablets which are protected from external access through built-in software, cars have not yet developed a major security system that prevents hacking, meaning that cyber breaches could become a great difficulty for those who have not prepared.
This is why it is so important for manufacturers to realise the dangers that follow complete connectivity, which will motivate them to produce secure systems for their consumers, especially with autonomous cars appearing on the horizon. Automakers will have to gain complete control over new platforms to ensure safety, be it manually-driven or autonomous vehicles. As vehicles become more connected and autonomous they will become progressively detached from human control, attracting hackers who will be rubbing their hands behind computer screens.
I speak to Jeffrey Massimilla, Head of Cyber Security for General Motors, and start by asking him whether the automotive industry is getting the best out of the IT that is available today. “I think, from a cybersecurity perspective, there is a lot of great capability and a lot of great knowledge out there and I think it is being applied in the automotive industry overall,” he tells me. Now, more than ever, it is vital that the automotive industry tackles cyber threats and prevents them from getting in the way of connected car development. Otherwise, things could get serious.
Massimilla explains that there are two ways that you can view cyber security: “One way is to look at it as impeding business and innovation, as kind of a check in balance at the end. Or you can design the security from the beginning before enabling the technology that you want to put in the car. At GM, our customer safety and the privacy of our customer's data is our highest priority.”
GM made a very distinct effort to partner the product cyber security organisation with all of the innovative and development groups in the company. This ensured that the company could prepare security protocols before hitting any problems with new software. “By building our security up front, we enable those designs as opposed to doing this too late in the process where it can stifle that type of innovation,” Massimilla adds. Automotive players are finally realising how important it is to build cyber security from the front, rather than building the technology and then having to go back when cyber breaches occur. We have already seen a few automakers and startups have problems with this, so there needs to be a realisation of the importance of protect first, develop second.
There is a growing need for over the air software updates which can help companies overcome issues such as cyber threats in the development of the connected car. You cannot keep recalling cars like what has normally happened with faulty components, you are going to have to update them on a regular basis to ensure protection of customers. By utilising frequent over the air updates, automakers can significantly improve cyber threat prevention, reducing reaction times and increasing safety. “Ultimately, as we all know, no system is unbreachable. Therefore, detection and monitoring are vital in order to know what is occurring in your environment, using over the air updates to catch issues early through this great response capability,” says Massimilla. “We have already enabled over the air updates in certain aspects of our vehicles, such as with our OnStar system, and we are continuing to grow this in other areas of our vehicle to make it even more prolific as we go forward in preparation for those types of challenges.”
One of the key factors to achieving a high level of cyber protection for customers is frequency. First, you need to ensure that your software is completely safe before giving it to the public, however there will always be a risk that something may happen, be it a security breach or a software glitch. The biggest issue for automakers is that they have to weigh up getting technology out as quickly as possible to beat rivals or take more time to make sure the software is completely safe. Businesses need to realise that they are putting their customers in danger. It is so important to find the right balance between the development of connected technology and to roll it out onto public roads whilst ensuring ultimate safety for customers.
Massimilla agrees, telling me that cybersecurity is - and has been for some time - a boardroom discussion at GM. “I am positioned in this company to ensure that the products and connected services that we develop do have an appropriate security posture before we send them out to the customer. If we detected some risk through the design, we will simply not launch that product,” he affirms. “This organisational structure allows it to be effective, however, when we get to the back-end of this, there is also a lot of knowledge and capability needed which has always been a big challenge in the area of cyber security.” In order to manage these difficult vulnerabilities over time, you need to analyse whether a specific issue will present any risk to the customer, because not all vulnerabilities will. Thus, automakers need to have an understanding of the software, architecture and ecosystem in order to make an informed decision. Then they will be able to perform over the air updates to resolve any vulnerabilities quickly and even take action on any imminent threats whilst patching.
This all becomes a little more complex with the addition of third party services - something that has becoming extremely popular in many industries. Customers will soon own the data within the vehicle, wanting to share personal information for a better experience. People want to continue their connected life within the vehicle, so automakers must allow innovation, but value privacy. “When you start to talk about standardisation and how you could employ techniques to get data off vehicles for different third parties to use, there is definitely an inherent cyber risk there,” warns Massimilla. “We want to ensure the safety of the vehicle and customers within it, retaining privacy but allowing information to be sent to a third party. Now you are talking about the design and involvement of an entire ecosystem.”
This is concerning for automakers, who must create defensive posture detection monitoring and response capability in order to protect customers. There are ways to create a solution where you can get data off the vehicle safely, however it will be completely different for each OEM’s ecosystem.
The connected car has revolutionised the way that we drive, share and function, making automakers focus on software updates over the mechanical side of things that we have become so accustomed to. However, it seems as if many - especially new players - are leaving security till last, which creates a serious problem that needs to be addressed. Unlike distinguished automakers who have the experience of customer safety, start ups and other businesses who have entered the automotive market for the first time are - unintentionally - putting customers at risk. Massimilla stresses that GM views cyber security “not as a competitive advantage, but as the cost of doing business.”
GM has had connected vehicles on public roads for many years and, because of this, has had a cybersecurity focus for a while. “Creating a connected culture and working with all of the technology solutions in advance ensures us to build security from the start. Otherwise, you run the risk of just delaying the launch of features that the customer wants and is excited about,” he adds. “You end up looking at a balance of wanting to give it to them, but not knowing how safe it is. It is important to have everything organised upfront and positioned appropriately.”
Unlike a computer or smartphone, any issues with connected vehicles can put customers at risk. This is extremely concerning as these new players, many of which specialise in phones and computers, may not take the same level of precaution as an established automaker. This issue must not become common in the race for success within the new market, so it is vital that there is a focus on not just the software but the actions that are being taken when producing new technology. Massimilla believes that collaboration is the answer to this issue: “I think that collaboration is so important in this space; you cannot sit a bunch of people in a room and create a strategy without learning from other areas such as consumer electronics and aerospace defence. The IT industry has helped us apply technology to the vehicle and adapt the software appropriately.”
The automotive industry has a long way to go with the connected car, but Massimilla agrees that the future is bright and more exciting than ever before. “Technology continues to travel at lightning speed and there is no better time to be living than our time right now. From a cybersecurity perspective, I also think the future is bright. I look at things like the Auto-ISAC being set up which allows the sharing of threats and vulnerability information and helps create the best practices with everyone in the industry.” GM is taking action long before it has any serious cyber threats, collaborating with automotive groups, researchers and software specialists in order to tackle arguably the largest hurdle in connected car development.
It seems that everyone in the industry has finally woken up to the future where software and connectivity will rule. However, we must make sure that, as an industry, cyber security receives parallel attention. “There will be challenges, of course. But as long as we approach them from a strong position and really make sure we keep the highest priorities in front of us, I think we will do very well,” concludes Massimilla.