From Selling Cars to Selling Services – OEMs’ Challenges in Securing Complex Data Environments


October 18, 2018

The automotive world is seeing a huge increase in data. Some of this stems from the front end, such as connected hardware, vehicle sensors and infotainment systems. Other data sources are operating behind the scenes, such as backend servers and cloud-based telematics for technical operations. On top of this, we need to consider data gleaned from the environment such as traffic or weather information. As vehicles are becoming increasingly autonomous and thus introducing even more data sources, it’s no surprise that some estimates suggest data usage will soon be as high as 4TB per day, the data equivalent of 3,000 people.

The rise of the connected car is changing car companies, opening opportunities for OEMs to move into new service models altogether. But connectivity also brings about new cyber risks. How can OEMs balance the two?

Opportunities for OEMs in an Increasingly Connected World

Where OEMs used to find the lion’s share of their profit through making and selling vehicles, they are now increasingly moving into related services and mobility solutions. This new business model supports them in taking advantage of the latest technology, meeting the rising expectations of customers, and keeping pace with the competition.

One great example is Amazon’s in-car delivery service, allowing customers to have their packages securely delivered to the trunk of their vehicle. For car manufacturers like Buick, GMC, Cadillac and Chevrolet – their cloud-connected vehicles sync with the Amazon Key App, allowing delivery drivers to securely obtain authorization to access your car.

Connected mobile apps are another area that OEMs are increasingly utilizing. BMW has three disparate smartphone applications. One has the power to lock/unlock the car, change the temperature, and locate the car remotely, as well as sync with your favorite apps and infotainment systems. The second provides technical information for electric vehicles, such as battery levels and range, while the Roadside Assistance app dispatches help to your location when it’s needed.

These exciting opportunities are opening doors for OEMs to do far more than ‘just’ sell cars. The future for car manufacturers shows their capabilities in a virtual marketplace of innovation, from providing car-related services like car wash and maintenance services, to integration with ride-sharing, mobility providers and leisure activities. We’re living in a reality where your connected vehicle could soon autonomously obtain a parking place for you in advance, or book a table at the restaurant you’re traveling to. It seems the future for electric vehicle OEMs is in services as much as products.

Challenges of Securing this Complex Environment

Being able to embrace this type of innovation means that security needs to be front and center of your business plan. Using mobile applications to control any functions within the connected car, as well as to access behind the scenes data means that you have an extra element to secure within the vehicle ecosystem.

Attackers can breach a user’s mobile app, and not only have access to that specific vehicle, but potentially to entire connected fleets. Theft of the cars themselves is one potential threat, as well as identity theft and fraud if hackers get hold of your data. Even if you manage to catch the breach before any physical harm is done, many businesses find their reputation does not recover, and that customers lose faith in their brand altogether. Mckinsey comments that when it comes to connected vehicles, this loss of trust would likely fall onto OEMs, even if it wasn’t their fault to begin with:

“OEMs as the sole customer interfaces and most often final system integrators are the ones to ultimately deal with the integration risk and would bear responsibility for ensuring that secure, stand-alone systems do not become vulnerable when connected.”

Limitations of Mobile Security

Mobile apps, in particular, are known for being vulnerable to hackers, in part due to flaws in the software itself, or in the phone’s operating system leading to unauthorized data leakage. Lack of binary protections can give attackers the chance to reverse engineer the code of your app and inject malware, while weaknesses with authentication when a mobile app is offline can allow bad actors to brute force their way into your system and make changes.

For many, the answer is to ensure that the mobile apps are secure. But even this may be a long way off. Kaspersky tested 9 connected car apps, and found that none were adequately protected against cyber-crime.

Security in Silos is Not Enough

While the lack of security around mobile apps clearly puts both the consumers and the OEMs themselves at unnecessary risk, securing the mobile app might well be missing the point if you consider the way we use data is increasing so exponentially.

Think about the sources of data in just one connected car using a simple service such as an app that allows you to find your vehicle. As well as the car itself and the mobile app, the areas that need security include the mobile phone, the mobile application servers, the telematics servers that communicate with the car, as well as the data centers and back-end architecture. Even if we get to a point where security solutions exist effectively for each of these in silos, it remains impossible to track and analyze this data from end to end without a full network perspective.

Focus on Visibility with a Single Source of Truth for Automotive Cybersecurity

The only way to understand your data flows in such a complex environment is to establish a single source of truth. Not only does this enable you to spot threats to your customers and your network, but it also gives you the tools you need to make smarter decisions and predict the patterns that will lead to business success.

By organizing the data from every stream into one aggregated dashboard, events can be correlated and tracked against one another, making it easy to see through the noise of all the information, and uncover actionable insights and causation that make a measurable difference to your bottom line.

Adapting your business model to take on new services and cloud-based solutions is the next step for many OEMs. As you expand your capabilities, it’s essential to ensure that your visibility remains granular, and you have the discovery you need to enter a marketplace of solutions without fear.

Newsletter Icon

Upstream’s 2024 Global Automotive Cybersecurity Report

Newsletter Icon

to our newsletter

Stay up-to-date on the latest trends, emerging risks, and updates

7 Key Financial Implications of Automotive Cybersecurity Risks

In June 2023, a leading Taiwan-based semiconductor manufacturer disclosed a cybersecurity incident involving a ransomware group and one of its IT hardware suppliers, which led…

Read more

Newly Discovered IoT Vulnerabilities in ELDs Raise Risk for Fleet-Wide Attacks

In late March 2024, The Register published a unique coverage, describing multiple new vulnerabilities and elaborating on the cyber risks in ELDs (electronic logging devices)…

Read more

Navigating the Evolving Automotive Cybersecurity Regulatory Landscape

The automotive industry’s digital transformation has ushered in an era of unprecedented connectivity and technological advancement. Yet, it is also exposing mobility assets to a…

Read more

With Its Second Milestone Coming Soon, the Impact of UNECE R155 Continues to Expand

The UNECE WP.29 R155 regulation is rapidly evolving, reflecting the automotive industry’s commitment to addressing cybersecurity risks across an increasingly connected and technologically advanced mobility…

Read more