The automotive industry is accelerating at speed towards a technology-centric future. Disruption is coming at every turn from new players like Tesla and even tech companies like Google and Apple. To stay relevant, traditional carmakers must change decades-old business models, embracing partnerships with tech providers and service-oriented revenue streams. But to do this successfully, OEMs must also focus on the escalating cyber-threat facing vehicles and especially connected fleets.
An evolving security car industry
As vehicles become loaded with more and more technology, the car industry is rapidly transforming into one built around software and services. Gartner predicts there will be 220 million automobiles with data connectivity shipped by 2020. It also claims automotive CIOs are investing at a “much higher rate than other industries” in Internet of Things (IoT) technologies in a bid to transform their companies into digital-first organizations. In fact, it’s claimed that the average connected car already contains more than 150 million lines of code, 60+ wireless connections and multiple on-board computers.
Some experts, such as KPMG, predict that the result of this industry transformation will be to force carmakers to focus on providing mobility services rather than manufacturing traditional “dumb” vehicles. Indeed, Ford’s current CEO, Jim Hackett, was previously head of the company’s smart mobility group.
“Already, many leading automotive companies recognize that providing mobility services is a much more lucrative business model than the traditional approach to automotive sales,” says KPMG.
The sums back up these claims. A vehicle can take up to a decade to come to market and then lose value as soon as it’s driven away. However, mobility services could generate profits across that car’s entire lifecycle: it’s an industry KPMG says will be worth over $1 trillion by 2030.
McKinsey has identified over 30 distinct use cases that have the potential to help ecosystem players monetize car data by turning it into valuable products and services, including:
- Revenue generation: via OTA software add-ons; networked parking services; targeted advertising…
- Cost reduction: via usage-based insurance (PAYD/PHYD); e-hailing; P2P car sharing…
- Increased safety and security: via breakdown/emergency call service; aggregated car data-based CCTV service; driver’s condition monitoring service…
However, to realize these benefits, OEMs must recognize where their strengths are, and partner with the experts where necessary.
Time to act fast
Accenture claims the automotive industry “must act fast” if it wants to stay in the lead as disruptive new entrants rival its pre-eminence in the connected car space. To do so, carmakers must “leverage their strategic strength in deep vehicle integration,” says the firm’s MD of Automotive Strategy, Andreas Gissler, adding:
“Attempting ‘a go it alone’ strategy could see vehicle manufacturers shunted into the slow lane as vehicles become increasingly defined by the convergence of powerful connected ecosystems. These will be made up of many different types of partnerships involving OEMs, technology giants, telecommunications companies, start-ups and after-market service providers.”
For those that can do this efficiently, there are big rewards. The consulting firm claims that total business value of connected car services will reach €100bn ($123bn) by 2020, rising to €500bn ($618bn) by 2025. A single connected car could deliver as much as €5,000 ($6,188) over its lifetime.
At the same time, fleet operators — including companies offering taxi services (Uber, Lyft); on-demand services (Zipcar); car rental (Hertz, Europcar); and commercial enterprises (Coca-Cola, FedEx) — are getting more connected. Why? Because telematics data can help improve safety, keep assets well-maintained, avoid accidents, improve route-planning, and optimize supply chain logistics, among many other benefits.
This offers fantastic opportunities to reduce overheads and liabilities, improve efficiencies and customer service, and ultimately drive competitive advantage. But as fleets become connected and data-driven they are exposed to the same cyber-risks facing OEMs and their partners.
Securing the data-driven car
However, one issue dominates the connected car industry and must be addressed as part of OEM efforts to shift their business model: automotive cybersecurity.
As cars become more connected, data-driven and packed with computing power, they become a bigger target for hackers. Think of an air-gapped computer suddenly connected to the Internet. With one single move it becomes exposed to a whole world of threats – that’s the reality facing connected cars today.
The attack surface is extremely broad, including back-end OTA and telematics servers in the data center, mobile apps, on-board connectivity, and in-vehicle electronic control units (ECUs). Threats include:
- Fleet-wide hacking — targeting of connected fleets operated by car-rental and ride-hailing providers, and assorted enterprises (e.g. FedEx, British Gas, Virgin Media, etc.)
- Individual vehicle cyber-attacks
- Data center attacks (i.e. targeting the C&C server)
- Denial of Service attacks targeting vehicles or servers
- Communication-level protocol attacks on the vehicle
- Theft of vehicle’s intellectual property
- Identity fraud (a major challenge for fleet operators)
These threats are far from theoretical. Researchers have demonstrated multiple ways hackers could remotely control a connected car’s steering, brakes and accelerator, and even unlock the doors, switch off the alarm and start the engine. Ransomware in 2017 caused serious service outages for several OEMs, while identity fraud and policy violations remain a major issue for fleet operators. We compiled our list of the top 9 real-world hacks facing connected cars and fleets in a previous post.
It all adds up to serious liabilities for carmakers and firms operating connected fleets. We’re not just talking about data theft, service outages and fraud here but the potential for loss of life. And when it comes to fleets, the impact could be exponentially greater. It’s no coincidence that Elon Musk’s biggest security concern is preventing a fleet-wide hack of Teslas.
Most connected cars today are exposed to cyber-threats. Those that do feature security only do so at the vehicle level. The others still require in-vehicle security installation, which can only be implemented in future cars, while traditional data center security platforms simply aren’t designed to be automotive-aware.
Upstream offers a new way forward: a real-time Automotive Cybersecurity solution for vehicles and fleets on the road today. It connects to data feeds and the operational data center infrastructure – the most strategic location for true protection – creating a demarcation point between the operational network (OT) and information network (IT). It features IPS/IDS tuned for specific automotive telematics protocols, and machine learning algorithms designed to spot unusual activity which could indicate fraud, policy violation or cyber-attack.
There are four key security and analytics pillars:
- Protocol security: detects threats in vehicle-server and server-vehicle comms.
- Transactional analysis: detects comms patterns and anomalies between vehicle-server and mobile app.
- Contextual security: detects anomalies in the current state and context of the vehicle.
- Behavioral security: detects anomalies in driver, vehicle and fleet behavior.
The proximity of our Automotive Cybersecurity platform to the data center means the platform has great visibility into attacks on servers, vehicles and mobile apps, and is 100% non-intrusive.
More importantly, it can stop attacks before they even reach the vehicle, at which time it may be too late.
This is just the start of the journey for the automotive industry. To adapt and thrive, it must reinvent itself with fleet cybersecurity at the heart of its new model.