– Hi, Andy, and welcome to Upstream’s tech talk series. I’m Fay from Upstream Security, and we offer the first cloud-based cybersecurity solution that’s purpose-built to protect connected vehicles and smart mobility services from cyber threats and misuse through the use of data. I’ll be the host of this tech talk, and I’ll hand it over to you, Andy, to introduce yourself.
– Hi Fay, thanks for having me in this tech talk. I’m here to tell you a little bit about the cyber risks that we currently see in the automotive industry. Just a couple of words about myself. My name is Andreas Herzig. I’m working for Deloitte. I am in fact a partner at Deloitte, responsible for automotive. I have been working for Deloitte for 28 years. And my focus in the past couple of years in automotive was to move our capabilities into a more technical direction, because as we see, software is becoming a bigger and bigger part of cars in these times. It makes a lot of sense for Deloitte to go deeper into the product, into the vehicle in the automotive industry, as we are dealing with trustworthy software, correct software development and all the things which make cars safer, more secure and which keep the trust of the customer in the car. That’s something we have worked on as Deloitte for more than 30 years.
– Beautiful. Now with that, you know, software involvement with automotives and this kind of growth within the connected automotive ecosystem, there have been a lot of, you know, new regulations and standards that have been built specifically, you know, the WP 29 CSMS and SUMS regulations. Could you tell me a little bit about Deloitte’s work when it comes to compliance and risk assessment, helping OEMs reach compliance with regard to this new regulation, and what are some business opportunities that you see OEMs gaining from this?
– Yeah, sure. So the United Nations regulation WP 29 is about security. You always need to differentiate between safety and security in vehicles. So safety so far was a very big focus of the automotive industry. Security now, especially the security of cars, meaning the cybersecurity, comes more and more into focus as a car is more and more digitalized. It’s becoming a digitalized product like mobiles, like computers, and that’s why cybersecurity becomes an important topic. And it’s also relevant for the safety of the vehicle. The regulator has acknowledged that this is the case, and therefore the United Nations brought up a regulation which is called WP 29, which requires a cybersecurity management system for the whole development process. And you also need to prove, you need to have evidence for each new car series, that you have taken care of the cybersecurity of that specific car. Otherwise you will not get a type approval in future. The regulation comes into force in 2022 or 2024. So for new cars in 2022 and for existing cars still in production in 2024. I think Japan is a little bit earlier. They try to put that law in force in 2021 already. So that’s an important thing because it threatens the ability of the OEMs to bring cars on the street, because they probably can’t get a type approval if they do not adhere to that law. On the other hand, as you say, it also provides opportunities for the OEMs, because you need to make sure that you have a connection to the cars on the street already. You need to be able to update those cars, and you establish a technical connection from the OEM to the car. If you have that, because you need it, it’s mandatory. It’s also written in the regulation that you need a software update management system, and you have it already. You can also use this for after-sales business, not only bringing mandatory updates into the vehicle but also offering additional functionality for the drivers or the owners of the car.
Additional functionality might be very simple things, probably seat heating or a rain sensor or something which hasn’t been activated when the car was purchased, but the hardware’s already built in. So you can sell it in addition to the customer, to the owner of the car. In future, if you use that connection for additional business, you can also offer services like, for example, additional apps, which might be useful for the driver to use. Parking apps are a very simple example of it, but also other things which make life just a little bit easier. And the time that driving consumes becomes a little bit more efficient, because you can do many more things in the car than just holding the steering wheel.
– Right. So like there are… It seems there are a lot of opportunities, whether that’s again these upgrades or these multiple options of services that you can offer OEMs when it comes to the connected ecosystem. What are some of the obstacles that you see, or some of the questions you’ve been getting from OEMs when it comes to compliance? You had mentioned the first one, the concern of getting the vehicles on the road and then being able to actually comply in order to get these vehicles approved and get vehicle type approval. What are some other obstacles that you see, where they say, listen, you know, these are… These are the requirements. How do we get there? What are some of those kinds of larger, consistent questions that you might be seeing from OEMs?
– There are a couple indeed. So let me just point out the biggest three obstacles which I see in the industry. The first one lies in the kind of production of cars which we have nowadays. It’s all part of a very complicated supply chain and all of that. Most of the software, like between 70 and 90% of the software within the vehicle nowadays, is coming through the supply chain. So if you want to assure that you have reliable and cyber-secure software in a car, you need to look at the supply chain and agree with the suppliers what kind of measures we have, what kind of rules we follow, and make that part of the cybersecurity management system. Otherwise it will not work. Same thing in the aftermarket phase. So when the car is on the road already, you also need to make sure that the suppliers are still aware that they have to provide updates. Otherwise it’s not gonna work. For example, to make that a kind of positive business for the suppliers, you probably could offer them direct access to the customers, because you have the platform on the street, you have the car, and you can allow the supplier to sell additional functionality directly to your customer, to the car. That’s one possibility to motivate the suppliers to stay the feud for the maintenance of the car. That’s one obstacle, supply chain. Another obstacle I see is a kind of missing overall responsibility within the OEMs for risk. So there are different departments: some are responsible for development, some are responsible for cybersecurity, some are responsible for aftermarket, and they all should cooperate. Nowadays you need to coordinate all those departments and make sure that they all work towards the same objective. And that’s something which is not easy for the OEMs. At least that’s what we observe in the market. But they’re getting there. So they are… They do a good job in achieving those goals.
And the third important obstacle I would like to mention is that making sure that software works is not the same kind of thing as for hardware. So they may need to rethink their processes. They need to rethink their standards. For example, there is a standard coming up. It has existed for a long time, but it’s now kind of revitalized because it’s a good standard to assure software quality, and software quality is quite different from hardware quality. It’s also a steep learning curve that OEMs have to take, but as I said before, they do. And they are going to.
– Now with regard to that second obstacle you had mentioned. You’d mentioned that there were, you know, different divisions, and the collaboration is something that is of concern. Do cybersecurity issues tend to stay, I would say, on that mid-tier level or within the CSO space, or do the conversations surrounding automotive cybersecurity reach the boardroom, reach the kind of top-level decision makers of OEMs? And if it does, how do you see that happening, and if it doesn’t, how do you relate to that? How do you, you know, deal with the issue that it’s not being discussed enough?
– That’s a very good question because it’s really a big issue at the OEMs. And what we see is kind of two or three steps an OEM needs to take in that course. The first thing is to accept that there is an issue. A cybersecurity issue in the car. And for example, we had a… We had a lot of discussions with CSOs, cybersecurity departments at the OEMs. And quite often they say, you know, I’m responsible for the enterprise IT cybersecurity. I’m not responsible for the product, because the responsibility for the product lies in the development department. So R and D is responsible for that. But R and D has no experience in cybersecurity in cars. So they need to accept that there is a cross-functional issue which we have to tackle. And that only works if this information comes to the board level. If the issue is addressed at the board level. It has taken a little bit of time before it was coming to the board level. Some of the OEMs have in very early terms, let’s say two or three years ago, already named WP 29 the biggest risk of the whole group. So they are quite ahead of it, because they had recognized this issue on the board level immediately and have started cross-functional projects to tackle it. Others have just started to work in small departments like R and D or like cybersecurity. And they start now to bring those smaller projects together to build one bigger project. And that’s the best way to do it. But back to the question, it’s not gonna work without real board attention.
– Now when you had mentioned earlier that again, there was… whether someone was in charge of IT security versus product security. One thing that Upstream really focuses on is that opportunity for a VSOC. For, you know, another opportunity to, you know, combine those cybersecurity forces, to recognize that this is an entire ecosystem that needs to be secure. What are some other ways that you see a product like Upstream can work with you to help your customers achieve that cybersecurity compliance and the demands of the regulation?
– I know Upstream’s offerings here and think they are an important part of the solution. You know, I mentioned that software update management system, which is a mandatory part of compliance with the WP 29 regulation. And let me elaborate on that a little bit more. So to be successful in software updates, you need to have a kind of asset management. So a kind of repository where you have everything, like hardware and software versions, which are in every car you have on the street. Without that, you cannot really update a car, because you are not sure what’s in the car already. And does it work with the software versions which are in the car already? So you need that asset management. You also need a full kind of fleet monitoring system, because why would you do updates? Because there’s a cyber issue, for example, which needs a bug fix in the car, which needs an immediate update because there’s a threat of some hackers or you have a virus or whatever. And that’s why you do fleet monitoring. And this fleet monitoring is done, for example, through a VSOC, the Vehicle Security Operations Center, which is like a big data center monitoring the whole fleet of cars on the street of an OEM, for example. And that’s where Upstream comes into play, because Upstream, to my knowledge, has excellent tools and excellent dashboards to get the data from the car and find the issues, or find all the issues through data analytics, which are part of Upstream’s system, whether there are some incidents in the car. For example, if you say there’s traffic on a bus in the car which should not be there. Is that an issue or not? That’s something data analytics helps to decide. There’s a kind of reaction or communication in the car from outside in, or inside out, which was not expected. So Upstream’s data analytics help to detect that and help to analyze whether that is an issue or not. Could be a quality issue, but could also be a hacker attack.
And that’s something a fleet monitoring system needs to detect, and the OEM needs to have a kind of follow-up measures on that kind of alarming system, if you will. And that’s the place where I see Upstream playing a big role in future.
– Fantastic. Well, thank you. Is there anything else you wanted to leave our viewers with? Any last tips or advice that you think is important for anyone to know?
– Well, I think I said most things. It is important to really speed up on this topic, because 2022 and 2024 will come very quickly. Some of the OEMs are already in kind of test audits with the technical services we have in Germany or in Europe. Some of them are still not there. So my advice to all of those is speed up and be ready, especially if you have new cars and new car architectures under development right now. Make sure they are compliant with the WP 29 requirements, because at the end, this is just the start of the regulation. There are already additional regulations in the pipeline that you need to be aware of for future developments. So make sure that your organization is prepared to adhere to those kinds of regulations, not just right now, but also in future, because there will be more regulations.
– And no matter how long 2020 may have seemed to feel, it’s gonna end soon, and we’re gonna get to 2022 and 2024 pretty soon. So I think that’s pretty good advice to end this off with. And Andy, thank you so much for joining us today. I really appreciate your time and, yeah, thank you.
– Thanks for having me, Fay.