90 Days with Upstream: From “Project Beacon” to “Data-driven Cybersecurity”
Having just completed my first 90 days in the cybersecurity domain, I feel it’s important to share a few reflections on market opportunities and risks with my industry colleagues and friends, especially those who – like me – have spent years in the tech, connectivity and automotive sector, but not necessarily with a specialist cybersecurity background.
As some of us remember, the first connected car programme was launched in 1996 by the CEO of General Motors. “Project Beacon”, shortly after renamed OnStar, was a global success, with over 20 million connected GM vehicles to-date around the world.
Other OEMs joined in, with BMW now counting over 14 million connected passenger vehicles, followed by Daimler and Mercedes-Benz, Stellantis, Volkswagen Group, Toyota, Hyundai-Kia, the Renault-Nissan-Mitsubishi alliance and Ford.
The same is true for Commercial Vehicles, with the likes of Volvo having passed 1 million connected trucks and buses and Daimler, PACCAR-DAF showing significant volumes.
Of similar interest is the expected contribution in terms of new connected vehicles sales by innovative OEMs such as Tesla, Einride, Volta, BYD, VinFast, Lucid and Tevva, among others.
25 years on, there are 240 million connected vehicles on the road worldwide, estimated to grow to 400 million by 2025 (source: Statista). A staggering amount.
The OEM business model is undergoing a radical transformation, focusing now on technology innovation and volumes of services to offset a global net slow-down in volumes of vehicles sold. In the board room, job titles including the words “Software” and “Connected Services” are now common practices.
Looking at the market cap ranking of OEMs, it seems EV manufacturers such as Tesla and BYD, 1st and 4th by market value with less than 1 million vehicles sold each, are definitely gaining from this transformation.
Connected car services have proliferated thanks to both:
- An advanced IOT managed connectivity infrastructure – further enhanced by 5G cellular technology – from leading providers such as Vodafone, ATT, T-Mobile, Verizon, Orange, Telenor, Telefonica and China Telecom.
- The increasing presence of software in the car.
So-called software-defined vehicles today are providing access to convenient mobility services and a more comfortable and safe ownership and driving experience. In the near future, software-based services in the vehicle and in the cloud will enable gradually higher levels of automation, culminating in fully Autonomous Vehicles.
Connectivity + software = more safety + convenience.
Well, not quite.
By definition, the combination of connectivity and software implies an exposure to potential cyber threats, further exacerbated by recent geo-political events. This is not a guarded secret, and most OEMs include this topic in their investor meetings nowadays.
As a newcomer to the cybersecurity community, I am now starting to see things under a different light, in terms of the trade-off between opportunity and risk. I now see the need to find a balance between providing access to more services and convenience, and being able to do it safely from a cyber risk perspective.
A good example is the vehicle braking system. Brakes are a safety system, they help decelerate and prevent collisions. More intelligent connected and software-driven braking systems can assist the driver to avoid side effects of sudden breaking in difficult road and weather conditions. However, we can all imagine the consequences if those intelligent braking systems were remotely hacked and disabled. Or if engines were switched off, or doors locked, against the driver’s or passenger’s will. If a backend server was subject to a malicious attack, an entire fleet would become exposed too. EV battery recharging is also a domain where software malfunctioning could lead to potential physical risks.
This is why OEMs, Tier-1s and Insurance companies are investing so much in cybersecurity solutions and cyber threat intelligence services. This is also why the UN and other agencies are focusing so much on cybersecurity regulations (e.g. UN R155 and ISO/SAE 21434) and their rapid enforcement in the next three years.
OEMs know that cybersecurity monitoring, detection and protection both at fleet level and backend services level (telematics servers, APIs, FOTA update services) is required to protect ambitious revenue growth forecasts associated with connected car services. This is also pushing the emergence of Chief Information Security Officers, executives with cybersecurity experience, overlooking the deployment of advanced VSOC security.
Connectivity + software + cybersecurity = more safety + convenience.
That must be right ?
Mmmm… not yet.
In-vehicle protection software agents and hardware devices take many months to test, certify, install and ship before a new car hits the road. The hacking community, whatever the underlying motivation, tries to be always one step ahead.
There is a more efficient way to protect the entire connected car services ecosystems, to gain a fleet-wide and ecosystem-wide view of cyber exposure with minimum time-to-safety, to monitor both moving endpoints (the vehicles) and backend servers (telematics, FOTA, APIs, consumer services) communicating directly with hundreds of thousands and even millions of vehicles. The only way to prevent widespread cyber-attacks is to adopt a holistic approach covering all elements of the connected vehicle ecosystem at once, to understand chains of events leading to attacks, and to detect and act upon anomalies in the data, before they are even classified as known threats.
We might therefore conclude:
Connectivity + software + data-driven cybersecurity = more safety + convenience.
Yes, that sounds about right.
Upstream’s 2023 Global Automotive Cybersecurity Report
Fleets Shift Focus to Secure Against Operational Disruptions Following Cyber Attack
Fleet management solutions are indispensable in fleet operations, offering essential insights into vehicle inventory and status, helping to monitor driver behavior and safety, and more.…Read more
Cleared for takeoff? Upstream’s vSOC is the traffic control center for vehicles
Air traffic control centers play a critical role in ensuring the safety and efficiency of air traffic. The control centers help prevent aircraft collisions, maintain…Read more
Discovery: An Essential First Step in Securing APIs
API security is a crucial facet of cybersecurity in this era of rapid digitalization. While APIs serve as potent tools operating across every aspect of…Read more
Securing the Road Ahead: The Automotive Perspective of the New SEC Cybersecurity Rules
Cybersecurity has been recently positioned as a top priority by the SEC, requiring corporate America to disclose information on material cyber attacks. In addition to…Read more