90 Days with Upstream: From “Project Beacon” to “Data-driven Cybersecurity”

RIC VICARI

VP EMEA

March 10, 2022

Having just completed my first 90 days in the cybersecurity domain, I feel it’s important to share a few reflections on market opportunities and risks with my industry colleagues and friends, especially those who – like me – have spent years in the tech, connectivity and automotive sector, but not necessarily with a specialist cybersecurity background.

As some of us remember, the first connected car programme was launched in 1996 by the CEO of General Motors. “Project Beacon”, shortly after renamed OnStar, was a global success, with over 20 million connected GM vehicles to-date around the world.

Other OEMs joined in, with BMW now counting over 14 million connected passenger vehicles, followed by Daimler and Mercedes-Benz, Stellantis, Volkswagen Group, Toyota, Hyundai-Kia, the Renault-Nissan-Mitsubishi alliance and Ford.

The same is true for Commercial Vehicles, with the likes of Volvo having passed 1 million connected trucks and buses and Daimler, PACCAR-DAF showing significant volumes.

Of similar interest is the expected contribution in terms of new connected vehicles sales by innovative OEMs such as Tesla, Einride, Volta, BYD, VinFast, Lucid and Tevva, among others.

25 years on, there are 240 million connected vehicles on the road worldwide, estimated to grow to 400 million by 2025 (source: Statista). A staggering amount.

The OEM business model is undergoing a radical transformation, focusing now on technology innovation and volumes of services to offset a global net slow-down in volumes of vehicles sold. In the board room, job titles including the words “Software” and “Connected Services” are now common practices.

Looking at the market cap ranking of OEMs, it seems EV manufacturers such as Tesla and BYD, 1st and 4th by market value with less than 1 million vehicles sold each, are definitely gaining from this transformation.

Connected car services have proliferated thanks to both:

  • An advanced IOT managed connectivity infrastructure – further enhanced by 5G cellular technology – from leading providers such as Vodafone, ATT, T-Mobile, Verizon, Orange, Telenor, Telefonica and China Telecom.
  • The increasing presence of software in the car.

So-called software-defined vehicles today are providing access to convenient mobility services and a more comfortable and safe ownership and driving experience. In the near future, software-based services in the vehicle and in the cloud will enable gradually higher levels of automation, culminating in fully Autonomous Vehicles.

Hence

Connectivity + software = more safety + convenience.

Correct?

Well, not quite.

By definition, the combination of connectivity and software implies an exposure to potential cyber threats, further exacerbated by recent geo-political events. This is not a guarded secret, and most OEMs include this topic in their investor meetings nowadays.

As a newcomer to the cybersecurity community, I am now starting to see things under a different light, in terms of the trade-off between opportunity and risk. I now see the need to find a balance between providing access to more services and convenience, and being able to do it safely from a cyber risk perspective.

A good example is the vehicle braking system. Brakes are a safety system, they help decelerate and prevent collisions. More intelligent connected and software-driven braking systems can assist the driver to avoid side effects of sudden breaking in difficult road and weather conditions. However, we can all imagine the consequences if those intelligent braking systems were remotely hacked and disabled. Or if engines were switched off, or doors locked, against the driver’s or passenger’s will. If a backend server was subject to a malicious attack, an entire fleet would become exposed too. EV battery recharging is also a domain where software malfunctioning could lead to potential physical risks.

This is why OEMs, Tier-1s and Insurance companies are investing so much in cybersecurity solutions and cyber threat intelligence services. This is also why the UN and other agencies are focusing so much on cybersecurity regulations (e.g. UN R155 and ISO/SAE 21434) and their rapid enforcement in the next three years.

OEMs know that cybersecurity monitoring, detection and protection both at fleet level and backend services level (telematics servers, APIs, FOTA update services) is required to protect ambitious revenue growth forecasts associated with connected car services. This is also pushing the emergence of Chief Information Security Officers, executives with cybersecurity experience, overlooking the deployment of advanced VSOC security.

Then,

Connectivity + software + cybersecurity = more safety + convenience.

That must be right ?

Mmmm… not yet.

In-vehicle protection software agents and hardware devices take many months to test, certify, install and ship before a new car hits the road. The hacking community, whatever the underlying motivation, tries to be always one step ahead.

There is a more efficient way to protect the entire connected car services ecosystems, to gain a fleet-wide and ecosystem-wide view of cyber exposure with minimum time-to-safety, to monitor both moving endpoints (the vehicles) and backend servers (telematics, FOTA, APIs, consumer services) communicating directly with  hundreds of thousands and even millions of vehicles. The only way to prevent widespread cyber-attacks is to adopt a holistic approach covering all elements of the connected vehicle ecosystem at once, to understand chains of events leading to attacks, and to detect and act upon anomalies in the data, before they are even classified as known threats.

We might therefore conclude:

Connectivity + software + data-driven cybersecurity = more safety + convenience.

Yes, that sounds about right.

Newsletter Icon

Upstream’s 2024 Global Automotive Cybersecurity Report

Newsletter Icon

Subscribe
to our newsletter

Stay up-to-date on the latest trends, emerging risks, and updates

The GenAI Arms Race is Here

Listen to this blog Your browser does not support the audio element. The Automotive and Smart Mobility Ecosystem is entering a new era of GenAI,…

Read more

Upstream Participates in TISAX, Accelerating Customer Onboarding & Ensuring Data Protection

Listen to this blog Your browser does not support the audio element. In the fast-evolving landscape of the automotive industry, ensuring robust information security practices…

Read more

Revving Up Safety: UN Regulation R155 Now Covers Motorcycles

Listen to this blog Your browser does not support the audio element. On Jan. 26, the UNECE decided to include motorcycles, scooters, and electric bicycles…

Read more

NIS2 Directive’s Impact on the Smart Mobility Ecosystem

Listen to this blog Your browser does not support the audio element. The NIS2 Directive, expected to become mandatory in October 2024, aims to significantly…

Read more