Cybersecurity Start-Up Upstream Lands Key OEM Backers

Israeli cybersecurity start-up Upstream Security draws $30 million in its Series B round of funding, money the developer says it will use to expand its global sales staff and continue to advance its cloud-based technology.

Maybe more important than the money, however, is where it is coming from: Among the list of investors in the round are the Renault-Nissan-Mitsubishi Alliance, Volvo and Hyundai, meaning the firm’s hacking-tracking software is beginning to catch the eye of global automakers.

“The majority of OEMs around the world are realizing (cybersecurity) is a mission-critical problem that they have to deal with in more than one way,” Dan Sahar, Upstream vice president-product, tells me. “It’s not something you just put a Band-Aid on and then you’re OK. It’s something that if you’re an OEM, you’re going to have to continue to invest and innovate on that.

“They’ve all done due diligence on Upstream and they like the approach we have, the architectural design in our solution.”

Vulnerability is an increasing concern for automakers as they ramp up infotainment features in cars and trucks, expand vehicle-to-everything connectivity and advance automated-driving technology.

The typical car has 70-100 computers onboard and uses millions of lines of code to operate, says Oded Yarkoni, head of marketing for Upstream. “It means you have bugs and software vulnerabilities,” he says, adding security becomes an even bigger problem once those cars are connected to the Internet.

Today there are more than 300 million connected vehicles on the road – and that’s growing, Yarkoni says, pointing to independent research indicating 98% of all vehicles in operation will be connected within a couple of years.

“When there was no connectivity there was very little risk. As you add a lot more capability, the risk goes up,” Sahar notes.

Although cyberattacks directed at vehicles mostly have been limited to a few high-profile incidents – many “white-hat attacks” made simply to expose the auto industry’s vulnerability and raise awareness, the threat from more nefarious black-hat hackers is real and has the potential to cost automakers millions of dollars per incident and tarnish their reputations with buyers.

In a report released earlier this year, Upstream examined 170 documented incidents of cybersecurity in the auto industry between 2010 and the end of 2018. That’s a small number, given a near decade of time, the company noted, but looking at just one incident involving the Jeep Cherokee paints a more alarming story.

In the Cherokee attack, hackers were able to stop the engine as the vehicle was in motion, a serious-enough issue that Fiat Chrysler was forced to recall 1.4 million vehicles – a volume equal to more than half its sales in the U.S. last year. Estimating an average recall cost of $400 per car, a single cyberattack of 1.4 million vehicles easily could cost $560 million, Upstream notes. Add to that the potential lawsuits and brand damage caused, and the tab could top more than $1 billion, the firm contends.

OEMs are beginning to war-game the threat, mapping the likelihood of each type of potential cyberattack, how many vehicles would be impacted and the cost associated with that, and then developing game plans on how best to respond. Estimates are the auto industry faces a $24 billion risk from cybersecurity attacks by 2023, Upstream says.

“We feel our product can cover many of the problems they’re dealing with,” Sahar says.

The conventional approach to cybersecurity is to install protective software on each vehicle. But Upstream Security adds an external layer of protection on top of that, using the cloud to collect and collate existing data produced onboard the vehicle, via apps used to control vehicle systems and collected on company servers and monitors that for anomalies.

For instance, if incoming data shows a car has had its doors unlocked via the company’s servers, but not its mobile app, Upstream’s software will flag the incident as a potential threat so it can be addressed.

Because it mines data already being generated, automakers using the tool don’t have to install additional software onboard the vehicle. Using Upstream technology, an automaker can track the performance of its entire fleet of vehicles on the road in real time through its own operation center.

The Upstream tool “allows you to detect things today, without having to wait on the production cycle” to introduce new onboard software, Sahar says.

In addition to the 170 cybersecurity incidents studied through last year, Yarkoni says another 100 were reported in the first six months of 2019, meaning the attack rate is increasing rapidly. About half of those were black-hat hacks, mostly aimed at stealing a vehicle by gaining access through its remote keyless entry system, he says.

Keyless entry is the on-vehicle system most vulnerable to attack (drawing 18.8% of the total hacks Upstream studied through last year), followed by onboard diagnostic ports (10.5%), mobile apps (7.4%) and infotainment (7.4%).

Upstream already is serving several clients, including some OEMs, Sahar says, but he declines to reveal whether the list includes its new investors. The company does say its software is providing cybersecurity for over 1 million vehicles on the road today.

In making the undisclosed investment in Upstream Security, Renault-Nissan-Mitsubishi’s venture-capital fund said it was drawn to the developer because of its “mature platform and exciting customer traction.”

Yunseong Hwang, vice president of Hyundai Motor’s Open Innovation Investment Group, says “Security is the core element of connected vehicles which we cannot compromise,” noting Upstream is “leading the innovation in the security of connected vehicle.”

Among other investors in the B-round is Nationwide Ventures, part of the Nationwide insurance group. It joins original stakeholders Charles River Ventures, Glilot Capital and Maniv Mobility.

In addition to sales staff, Upstream will use the Series B funding to hire more developers to work closely with clients to integrate the product into their IT systems.

“We hope this will allow us to expedite time to the market and be able to penetrate the market and get the market share as fast as we can,” Sahar says of the $30 million injection.