Automotive cybersecurity: A pre-requisite for connected and software-defined vehicles
The growing adoption of mobility and cloud technologies in the automotive industry is facilitating the delivery of seamless on-the-go experiences such as enhanced navigation, connectivity, and smart safety. Additionally, the rising popularity of mass customization across vehicle categories is boosting the demand for tailored solutions, especially in the connected vehicle ecosystem with increasing demand for holistic automotive cybersecurity measures.
The automotive cybersecurity market size was valued at USD 1.98 billion in 2022 and is projected to reach USD 7.75 billion in 2030, with a forecasted growth at a CAGR of 16.53% from 2023 to 2030. With cybersecurity making its way as one of the top ten priorities for most executives in the automotive ecosystem, here’s an interesting discussion between Ric Vicari, Vice President – EMEA at Upstream Security, a prominent thought leader in cybersecurity, and Siddharth Jaiswal, Automotive Practice Head at Netscribes.
Siddharth: So to start off, could give us a quick introduction about yourself, about Upstream Security, and your journey with it?
Ric: Absolutely. So I’m the vice president for Europe, the Middle East, and Africa for Upstream. Upstream is a cyber security technology scale-up, founded by Yoav Levy and Yonatan Appel in 2017 in Israel. And, counting among its investors are Volvo, BMW, Hyundai, Renault-Nissan-Mitsubishi, and also a couple of insurance companies – Mitsui Sumitomo, Nationwide, and Salesforce.
I would say what we do is relevant for OEMs, tier-1s, smart mobility companies, insurance companies, fleet management companies, and the energy sector too. And, I think this topic should be of interest to both executives and experts in the connected vehicle ecosystem. Perhaps a little bit of myself, my background is in automotive, energy, and telecom. Many years ago I joined a British company that was acquired by Fujitsu in the UK. This took me to Southeast Asia and other regions. A journey of 18 years in the telecom software sector, which culminated with Comverse Technology, a very well-known Israeli company. And, a US company called Aria Systems, where I was initiated into the subscription economy across several industries.
Then, there’s another company I’d like to remember – Opower, which is a data monetization company in the utility sector. And, Vodafone Automotive was my last company before Upstream that introduced me to the world of telematics services for OEMs, insurance companies, and fleet management.
Upstream Security is a leading SaaS vendor focusing on providing data management solutions for the connected vehicle ecosystem, starting with our incredibly popular cybersecurity application already monitoring 12 million vehicles. We have a new API security application and a very interesting roadmap based on data management including fraud detection, connected insurance, vehicle quality, and fleet management.
Just to conclude, data management and monetization in automotive is a major part of my background, and it’s really pleasing to see this powerful big data anomaly detection platform being used for the benefit of road safety, security and regulatory compliance, and other business benefits.
Siddharth: Excellent! Just navigating to the cybersecurity in automotive – why has this become so prevalent now? I’m sure OEMs are concerned about it. The entire ecosystem is concerned about it. Can you shed some light on why cybersecurity has become so prevalent at this stage of the market?
Ric: It’s a very good question because connected vehicles have been around for the last 15 years or so. The real question is why now? If you look at modern software-defined vehicles, they’re very powerful, valuable, and heavy computers on wheels. There is actually more than one computer onboard because on average modern vehicles have between 100 and 150 electronic control units or ECUs that are controlling every aspect of the vehicle like infotainment, engine, powertrain, braking systems, lights, and steering.
You have probably seen these infographics that software-defined vehicles have over 100 million lines of code, which is second only to the whole Google Apps suite. And, the amount of software in a fighter jet pales by comparison. So, you have all this technology in the vehicle which is connected, and you need to update the software through over-the-air server processing.
When it comes to electric vehicles, for example, software controls battery management and safe charging from EV charging stations. So, you have this complex supply chain logistics, multiple batches of components, and various software releases. This is the ideal playground for hackers and the number of cybersecurity incidents has increased massively in the last three or four years.
Siddharth: Understood. Very interesting that you brought up connected vehicles at the junction that we are all at. You also mentioned there’s an explosion of ECUs [and sensors]. And, with all these, we are just expecting too many things from a car to drive autonomously ultimately. So, in this context from a cyber security standpoint, what are the vectors of these attacks in your experience? How does this span out given that the sensor content is only going to grow?
Ric: That’s right. You might be aware that Upstream has been studying the market for the past few years and the cyber security situation in the automotive sector. And, we are producing an annual cyber security report which has just been published where we share information about various attack vectors. So, I can tell you what’s just fresh off the press.
We have some statistics, for instance, 35% of all incidents in 2022 took place affecting telematics and application service. 18% of the attacks were local through remote keyless entry systems and 14% were affecting ECUs and TCUs. But, probably the most important and interesting stat regards automotive and smart mobility APIs. Last year they represented 12% of the incidents, but the most interesting information is that there was a 380% year-on-year increase.
Here, we’re talking about the ability to remotely lock, unlock and block a vehicle or a fleet of vehicles. There were many examples, for instance, taxi services are affected around the world. At the end of the list, we have infotainment systems, mobile apps, and EV charging infrastructure. This is interesting again, only 4% of incidents are from EV charging infrastructure. But, this is only the beginning and it will grow as a result of growth in the infrastructure rollout.
Siddharth: That’s quite interesting when a majority of the attacks are coming through remote functionality, and especially now that the auto industry is moving towards a subscription-based sort of a business model. In fact, I was reading the other day that OEMs have become so innovative that drivers can unlock 10% of charge remotely, and can unlock 50 horsepower remotely. So, when the business model is moving towards being more subscription-driven, what does it mean from a cybersecurity standpoint? Especially now that we have multiple OS, so many ECUs coming in, and so many sensors coming in? How does this span out?
Ric: It’s a very interesting question. One thing that I should have probably mentioned even earlier is that OEMs are deploying monitoring solutions also as a result of the new regulatory requirements that are coming to place. So, there will be VSOCs – vehicle secure operating centers, that will monitor the status of fleets, and VSOCs are concerned mainly from a cybersecurity perspective.
However, when it comes to subscriptions, I’m really interested in two scenarios. You have on one hand an honest vehicle owner that wants to purchase a subscription to a service. I think it’s common knowledge that nowadays software-defined vehicles leave the factory with overspec’d hardware. Because you want to avoid the recall or having to go to a garage to install more hardware to enable the new services that are just available at a click of a button through an app. So, the honest vehicle driver will subscribe to a service and we’ll expect that having paid for it, the service will be provisioned. And if it doesn’t happen [if the service is not available], it will be quite a disappointment and dissatisfaction.
The other scenario is the fraudulent vehicle user or owner who wants to unlock functionality without necessarily having paid for it without having a subscribed-in agreement with complicit garages. We have realized through our platform that this type of fraud happens a lot with odometer tampering, for example, so why not extend to other aspects of the connected vehicle?
So, in this case, there would be a loss of revenue for the OEM or for the fleet manager. So I guess the role of data management platforms and monitoring services is really to monitor the entire situation that includes not just avoiding fraud and attacks, but also making sure that customer satisfaction is high. Did I answer your question?
Siddharth: Yes, absolutely. You’ve mentioned that a lot of OEMs are now figuring out cybersecurity, although it’s been there for ages but it’s still in an experimental phase. In fact, the entire business model is in the experimental phase. You’ve also mentioned there is the threat of recall, which is quite measurable. You can say explicitly that – OK if there’s a recall, this is the impact on the revenue. Now, if I have to look at cybersecurity and you’ve mentioned one use case where you have a fraudulent driver who fraudulently unlocks a subscription service. What other impacts do OEMs need to be prepared for, in terms of revenue impact from cybersecurity threats?
Ric: It’s again a very interesting topic to know what’s the business case for cybersecurity investments, and how to measure the impact. Well, the hackers and their community are mainly interested in getting a monetary return from cyber threats and cyberattacks. So we talk about ransomware and therefore, very often these cyberattacks are announced, but perhaps not necessarily implemented.
If you think about the expected revenue from the automotive industry in terms of data-driven, connectivity-based, and software-defined services. Several analysts have projected an increase – probably three times in terms of the proportion to total revenues. We’re expecting approximately 30-35% of revenues from connected services for data-driven services by 2040 and today it’s below 10%. Now, this is an aggregate number made of revenue forecasts from OEMs and other automotive players.
The ability to actually achieve these ambitious results is also a function of consumer adoption, consumer confidence with these new services, and, with the perception of public safety and security. So the strategic impact of cyber security is that if there is no effective protection, then public perception and regulatory perception could induce changes in your ability to achieve these ambitious goals.
That’s the strategic aspect. We can then measure the immediate monetary elements of the impact of ransomware or stolen vehicles etc. But I think there’s a strategic impact which is very hard to calculate, but it’s very strong.
Siddharth: Understood, and that brings me to the ‘How’ part. So, now that we understand why cybersecurity is important and its impact on the auto ecosystem. Let’s move to the ways that OEMs tackle cybersecurity, and how is Upstream’s approach different from the rest of the market? What is your solution there?
Ric: Thank you for this question. So when we think about cybersecurity, we speak about software-defined vehicles – as a computer on wheels. So, intuitively one may think, well, I’m going to adopt the same solution – a sort of antivirus firewall kind of solution in the vehicle. These sorts of software-hardware solutions do exist. They are installed in the vehicle and they are called IPS [intrusion prevention system] or IDS [intrusion detection system].
These solutions follow the production phase. So there’s a long time-to-market and they depend on the over-the-air update process to always have the latest software onboard. And we totally appreciate the value of these solutions to protect the vehicle from a number of immediate attacks. But are they effective on 100% of the types of attacks? Probably not.
So, the approach that our founders took was to think about a holistic approach where you not only look at an individual vehicle, but you collect data from all the vehicles of the entire fleet, and not only from the vehicles but also from the back-end systems – the automotive cloud, telematics service, over-the-air update service, APIs, consumer applications, and in the future – EV charging stations. All the various potential attack vectors, because attacks are ever more sophisticated and it’s very important to have this complete overview.
So our founders thought of a platform that could deal with the big data scalability, purpose-built for the automotive sector and would immediately understand the thousands of signals coming from the connected vehicle ecosystem and could apply highly advanced data anomaly detection on a very well-designed digital twin. So, the approach is back-end versus on-board.
It’s an agentless solution and perhaps to complete the picture. I’m sure the audience would be familiar with the IT SOCs – secure operating centers. Well, one of the main applications in an IT SOC is the SIEM [security information and event management] solution. And I guess 3-4 years ago it felt like a natural decision to extend the use of an IT SOC SIEM to connected products like connected vehicles.
There are very important differences that we now understand between the IT SOC and VSOC. Because of these differences you really need a dedicated solution now, which is more efficient, scalable, that immediately understands the context, and is more effective in identifying any potential anomalies.
So I wouldn’t say that one does not exclude the other. In fact, the Upstream solution is present in OEMs alongside the traditional SIEM, to further enable OEMs to protect themselves against the majority of attacks across the entire fleet. Was that a clear explanation?
Siddharth: Yeah. It’s good to know, and it’s such an evolving space that triggers another thought in my mind. So, amid these integrated solutions for cybersecurity, and you’ve also mentioned a bit on data monetization, I’m very curious on how the cybersecurity solution enables or is married to data monetization in this context?
Ric: Again, a very interesting aspect. You may be aware that OEMs have been looking at ways of monetizing their data for many years. And there is one route which is direct data monetization and there are a number of data brokers out there. Upstream is not a data broker, Upstream is a platform and solution provider that enables OEMs to manage their data. The data never leaves the OEM premises. Our platform is deployed on the private cloud environment of an OEM. In terms of data monetization -how does this solution enable OEMs to generate value? Well, in a number of ways.
For example, – cybersecurity by itself, as we said, has a strategic impact on the business. Fraud detection as a separate application is a way to reduce costs to the business or foregone revenues. And if you imagine, for example, data quality and your ability to improve data quality thanks to understanding the context, again, is a way to reduce the cost of data quality within the IT department or within the product department. And then there are other use cases that we can enable together with partners in the realm of improving vehicle quality, for example – predictive maintenance or connected insurance.
So with a dedicated data-driven platform, you can essentially reduce risk and costs, and also enable applications that are value and revenue-generating. But the specific discussion of use cases is very specific to each and every OEM. Every OEM is different and every large fleet management organization is different, and their prioritization of use cases will differ according to the context.
What’s important is that you have an enabling technology that allows you to achieve the goal.
Siddharth: Yes absolutely. At the end of the day, technology becomes the enabler and then you add in layers of your strategy, your focus, and your direction. You’ve been tracking the auto industry for a while, so what’s your take? What is your prediction for 2023 in terms of the overall auto industry, cybersecurity, and data monetization? Or in general, the acceptance of newer technologies by conventional OEMs. What is your prediction?
Ric: There are many thought leaders out there that will have different views and perspectives on what is going to happen in many different sectors. I would say from my perspective, what really is interesting is to see the increasing adoption of connected vehicles because it’s a driving force behind OEM success, and what do we do? Now we know that we have approximately 250 million connected vehicles today. The growth rate is such that we’ll probably pass the 1 billion connected vehicles by 2040. So we’re on the right trajectory.
The overall sector is expected to grow beyond USD 10 trillion by 2040. So we’re excited about this adoption of the fact that every car that leaves the factory today is connected and equipped with advanced technology. In terms of cybersecurity, aside from the fact that the creativity and sophistication in the hacking world is only going to increase because the automotive sector is attracting a lot of interest.
Therefore, we as an industry need to collaborate. If I have to leave one word, let’s say advice – it’s collaboration. There are so many industry bodies like AutoISAC, for instance, where this collaboration happens. It’s so important that there’s a sort of coalition of forces to protect this sector.
And how does this translate into monitoring against cybersecurity attacks? We see the evolution of the VSOC – the Vehicle Secure Operating Center into something closer to a VOC – vehicle operating center, where the monitoring affects everything. I mentioned before, not only negative behaviors like cybersecurity attacks and fraud but also potentially helping OEMs to improve their customer satisfaction.
Because we shouldn’t forget that as a result of this transition to connected services, there’s a digital transformation process that has also affected other industries. This means that OEMs which were manufacturing entities relying on distribution channels before are now starting to have direct relationships with their B2C customers. So, customer satisfaction becomes extremely important within the OEM itself. These are the main aspects that I’m thinking about today.
Siddharth: Interesting. Most often and in many of our discussions, we somewhere sideline the end consumer when we talk about new technologies and solutions. What according to you should the end consumer expect from connected services with an angle of cybersecurity?
Ric: Well, I think users look at the vehicle as a means of transportation – as a way to go from A to B, on time, reliably. And then they look at convenience. Of course, it depends on the specific segment. If you’re a customer of a McLaren or a Ferrari, you will have a different reason to use the vehicle than someone with a smaller vehicle to go to work every day. I guess as you said before, the focus on technology – electrification and connectivity, should not distract from the fact that transportation has to work, has to be convenient, and the user has to be safe.
The introduction of V2X technology of IoT, which is quite pervasive, and software-defined features and functions should improve the convenience and the quality of the experience and not make it worse. So I guess we all need to focus on safety and convenience, and customer satisfaction.
Ric Vicari is the vice president of EMEA at Upstream Security, a cloud-based cybersecurity and data management service provider. Previously, he held leadership positions in renowned organizations namely Wejo, Vodafone Automotive, Globetouch, Opower, Aria Systems, Comverse Technology, and Tech Mahindra. Vicari holds a bachelor’s degree in MIS and business studies from Liverpool John Moores University. He is based in the United Kingdom.