The digital transformation comes for us all. Just ask the auto industry.
As automakers develop smarter, more connected vehicles, the storied manufacturing companies face new technical challenges—including cybersecurity.
In 2020, more than 90% of all new cars in the US were connected according to ABI Research. By 2030, the majority of new cars sold in the US could be EVs, which have even more points of connection. Experts worry that automakers’’ cybersecurity capabilities could struggle to keep pace with the explosion of connectivity.
“People want to do the right thing, but the rate at which the industry is moving toward EVs—we are in no way shape or form ready to absorb this at scale across the board,” David Chaddock, director of cybersecurity at consulting firm West Monroe, told us.
Automotive cybersecurity in 2022 is akin to where software security was around the time Bill Gates published his “Trustworthy Computing” memo at Microsoft in 2002, Chris Valasek, director of product security at the GM-owned self-driving car company Cruise, told us. The industry is aware of its importance but has not yet developed all the standards needed to mitigate risk.
“The runway is way too short for what we need to get it right,” Chaddock said. “It doesn’t mean that it’s not possible, but it’s going to take a big cultural, mental, financial shift to get us where we need to be at scale in the next five [years].”
Digital embrace
Markus Braendle experienced a similar pivot to digital more than a decade ago when he was working on cybersecurity with companies in the energy sector. He now leads security for Cariad, the software business at VW Group, as automakers go through their own digitization.
“You see these companies transform from being more engineering-type companies, manufacturing, to suddenly becoming almost software companies. And of course, security becomes a really important piece,” Braendle told Emerging Tech Brew.
Perhaps the most unsettling scenario made possible by cars becoming more like computers is remote hacking. In 2015, Valasek took control of a Jeep Cherokee while it was driving on the highway via his laptop in another location and was able to cut the transmission and disable the car’s accelerator.
“While a remote compromise to control steering or braking may not be the most likely, it does have the most impact because it involves human safety and human life,” Valasek said. “We just want to get things to a point where a software security flaw doesn’t result in a safety issue.”
In Chaddock’s view, the less dramatic, but potentially trickier-to-address threat is that greater connectivity and data-sharing can create more opportunities for hackers.
“[Safety is] probably not the biggest challenge,” he said. “All of those connection points are far more concerning to me than the actual vehicle.”
Keep up with the innovative tech transforming business
Tech Brew keeps business leaders up-to-date on the latest innovations, automation advances, policy shifts, and more, so they can make informed decisions about tech.
By sharing the data that enables smart charging or connecting EVs to the grid to use or sell energy, additional companies or utilities become part of the ecosystem, creating an “extended border,” Chaddock said.
That makes it difficult for those responsible for automakers' cybersecurity, “because they don’t have control of every other company’s infrastructure or the individual consumer of these cars that wants the bells and whistles and all the adaptive tech in their smart house, and so forth,” he said.
And perhaps one of the most difficult things for automakers is how far in advance they develop products, Valesek said.
“The cars that you’re going to see in 2026 are getting finalized right now. So you have to be way ahead of the game to make the security controls and fixes and mitigations and strategies that you want way more in advance than you would, say, in the software world,” Valasek told us.
The car is a computer
Addressing security across the entire ecosystem of connected cars means verifying the cyber hygiene of suppliers as well as helping consumers adjust to a world in which their car is a computer that needs software updates, experts told us.
On the first point, it’s becoming more common for companies doing business with EV makers to be asked to prove the hardware or software they’re providing—down to the chips and the code—was not in some way vulnerable to potentially hostile actors, like China, Iran, or Russia, Chaddock said.
“That is very, very difficult and costly to do, which means it’s either not being done or not being done right,” he said.
And as with most cybersecurity risks, humans could wind up being the biggest liability for automakers.
“A big challenge is [that] it’s a big shift in mindset as being the end user. And if they don’t play that part, that’s going to expose the system to a lot of risks,” Braendle said.
Regulatory bodies recognize the need to think about vehicles differently as well. Right now, most cybersecurity standards for the industry are not requirements, but recommendations—like those published by the NHTSA—provide a good starting point, Valasek said.
“I’m not a fan of regulations driving security, because there’s a saying—compliance doesn’t mean security. But it’s a foundation that we can build upon,” Braendle said.
Ultimately, it will take a lot of collaboration to secure this ecosystem, both within and between companies, Chaddock said.
“You need to treat it like a program, not a project,” he said. “There’s no finish line to this.”