Cybersecurity: Automakers Remain Passive as Government Takes Action
A Frost & Sullivan White Paper
frost.com
All rights reserved © 2015 Frost & Sullivan

Frost & Sullivan, an industry leader in the connected car space, developed this white paper to outline the trending topic of cybersecurity. During its composition, two fundamental cybersecurity events transpired: the federal government proposed significant auto security legislation, and a Jeep Cherokee's infotainment system was successfully penetrated in a now famous, but somewhat irresponsible, hack, which resulted in the recall of 1.4 million Chrysler vehicles. Frost & Sullivan discusses the critical nature of cybersecurity and outlines a best-practices approach versus the current, evidently unsuccessful, automotive security model. Plain and simple, automotive security is not where it should be.

Questions from Congress (Summarized)

1. Who in your organization is responsible for evaluating, testing, and monitoring potential cyber vulnerabilities?
2. How does your organization incorporate cybersecurity best practices into your products?
3. What policies, procedures, and practices do you employ to evaluate potential cyber vulnerabilities?
4. Who in your organization is responsible for addressing potential vulnerabilities in the products of your suppliers?
5. How do you work with suppliers to minimize potential vulnerabilities?
6. How do you track or evaluate potential vulnerabilities once a product is in the field?
7. How do you, or how do you intend to, remediate vulnerabilities after a vehicle has entered the market?
8. Do you intend to use over-the-air (OTA) updates to upgrade vehicle systems or technology?
9. To what extent do existing vehicle systems and technologies utilize public key infrastructure and/or certificates for secure communications?
10. What steps have you taken to evaluate how connected elements, such as in-vehicle Wi-Fi and infotainment services, interact with vehicle safety systems?
11. Because connected vehicles interact with technologies outside the vehicle such as mobile devices, what steps are you taking to evaluate potential vulnerabilities?
12. How do you interact with the security research community to identify potential threats and/or vulnerabilities?
13. What are the greatest challenges to cybersecurity in the automobile industry?
14. How is the automobile industry working with the federal government to address the challenge of cybersecurity?

Is Legislation the Answer?

On June 1, 2015, bipartisan leaders of the House Energy and Commerce Committee sent letters to the chief executives of major car manufacturers and to the National Highway Traffic Safety Administration (NHTSA). These letters included 14 questions on each automaker's cybersecurity readiness. Not even two months later, the Security and Privacy in Your Car Act (SPY Car Act) was introduced. The SPY Car Act is unprecedented legislative action that focuses on hack mitigation and data privacy standards. Ultimately, the legislation would require a "cyber dashboard" rating system for vehicle security and privacy protection. Frost & Sullivan believes automakers are less than enthusiastic about these requirements, yet will take the right steps to properly secure their vehicles.

The recent commotion surrounding cybersecurity began with automakers' inability to provide acceptable answers to questions raised by Senator Ed Markey of Massachusetts. Since the Jeep incident, the government appears to be taking action, while automakers are slower to respond. These roles must be reversed. The industry's apparent inability to view cybersecurity holistically has put it in the role of an onlooker — the opposite of where it needs to be.

Were the 14 Questions a Setup?

When reviewing the automotive industry's security posture, it seemed that the letters directed to OEMs contained many "gotcha" questions. In a February 2015 report by Sen. Edward J. Markey (D-Mass.), titled Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk, wide holes were exposed in global automaker data collection practices; it highlighted a clear lack of adequate security measures. Just four months after the Markey Report was released, the 14 new questions were asked by a broader coalition of congressmen.

Historically, vehicles had been closed systems; there was no need for a detailed security model. As the industry evolves, however, vehicles are now communicating with other vehicles and outside infrastructure. Frost & Sullivan believes OEMs have become complacent because there has been no public evidence of attacks occurring outside controlled conditions. It should not take a malicious, premeditated attack for automakers to take action.

Why Does the Government Feel a Need to Lead the Cybersecurity Conversation?

As a group, automakers are still not spearheading the process of how to best address the automotive security posture. A 2014 NHTSA report — A Summary of Cybersecurity Best Practices — discusses the government's proactive approach to the subject. Key findings include learning from the experience of other industries (e.g., information technology) and viewing cybersecurity as a holistic lifecycle process. The report portrays the situation as yet another example of how automakers are behind the times on cybersecurity efforts compared to governmental organizations. Frost & Sullivan believes that, among the Markey report's eight key findings, the following statement best articulates the government's view of current automotive security:

"Security measures to prevent remote access to vehicle electronics are inconsistent and haphazard across all automobile manufacturers, and many manufacturers did not seem to understand the questions posed by Sen. Markey."

What Does this All Mean?

In short, automakers must begin to think and act more proactively about cybersecurity. Vehicles are designed with driver and passenger safety as a key concern; however, without proper security, one cannot have safety. This white paper will analyze key cybersecurity challenges, identify solutions, and capture best practices. By referring to some of the 14 questions, Frost & Sullivan aims to shine a new light on the automotive security posture and provide unique insights that have yet to enter the cybersecurity discussion.

There is no reliable way to know whether a vehicle has been hacked.

How can a Vehicle be Attacked?

As vehicles become more connected, consumers will reap the benefits of added convenience. However, automotive manufacturers, also known as OEMs, are challenged with the growing security vulnerabilities. House committee question No. 10 asks how automakers have evaluated connected elements such as Wi-Fi, Bluetooth, and key fobs. In the Markey Report, the white-hat, or ethical, hacking community claims that all wireless entry points (WEP) in today's connected car are susceptible to attacks. Recently, using a handheld device, vehicle thieves in Europe cracked the keyless entry systems of nearly 300 Range Rover Evoque and Sport models. As a result, United Kingdom vehicle owners using street parking are now required to purchase a specialized security device to be deemed insurable. With similar attacks expected to continue, automakers must address security measures for each WEP and remedy what is obviously an incomplete cybersecurity system.

When Will the Inevitable Happen?

In today's connected world, it is just a matter of time before an unsupervised, life-threatening attempt to hack into and control a vehicle occurs. In 2014, over 50% of the vehicles sold in the United States were connected. Frost & Sullivan believes the inevitable malicious attempt will target a vehicle that is already on the road. The automotive industry must immediately address question No. 6: How do you track or evaluate potential cyber vulnerabilities in vehicles or vehicle systems when already in the field?

Fiat Chrysler recalled 1.4 million vehicles in July 2015 after hackers successfully committed an experimental attack on a Jeep Cherokee. From just over 10 miles away, two hackers orchestrated a remote hack and entered the vehicle through its Web-connected infotainment system. They gained control of features including dashboard functions, steering, transmission, and brakes. Of course, it will be impossible to recall cars every time someone discovers a vulnerability. With up to 100 million lines of code (incidentally, much larger than any commercial or military aircraft), modern cars represent a huge attack surface. The potential for fatalities is a reality, and with no current means of retroactively securing existing vehicles, OEMs must immediately develop an answer to this issue.

What can be Expected in the Next Five Years?

Big Data is a term commonly heard in the automotive industry. Vehicles have the capability to collect upward of 2 gigabytes of data per hour. As automakers begin to offer more connected services and improved content, data collection will exponentially increase. Currently, with limited monetization campaigns in effect, there is no real incentive for hackers. That will change in the near future as OEMs begin to monetize the flood of data points coming from the car. Frost & Sullivan believes that within five years, targeted ads sent to a vehicle's dashboard will be an industry standard — all made possible by the collection of vehicle data. Automakers will be faced with the challenge of protecting lives with an impenetrable system, while also creating secure communication channels that contain the flow of data and continuing to deliver the benefits of a connected vehicle.

How will Automakers Fix the Problem?

OEMs are fully aware of the importance of their brands' security posture, yet they still are not overtly accepting responsibility for improving their security systems. However, cybersecurity awareness is at an all-time high for almost every other industry. Automakers have established internal teams with appointed leaders who head cybersecurity efforts; however, these groups need outside consultation to create a completely secure system. Frost & Sullivan assumes that current practices involve a "Band-Aid" approach — a quick spending spree to develop a partially effective solution. For automakers, because of the long manufacturing cycle, creating a fully secure car quickly is unrealistic. However, by establishing already existing best practices and approaching automotive cybersecurity holistically, OEMs can fully secure their next generation of vehicles within three years.

There is no quick cybersecurity fix; automakers must use a holistic approach.

Who is on whose side?

One question (No. 12) directed to automakers asks about their involvement with the security research community. Given the lawsuit brought against members of the white-hat group, Frost & Sullivan expects that some of the targeted OEMs may have less than favorable relationships with the exact group that can help them. The white-hat hacker community has been tinkering with automotive vulnerabilities, posting in forums and identifying legitimate threats. But through a Digital Millennium Copyright Act (DMCA) lawsuit, OEMs are putting pressure on the very community that aims to assist with the growing cybersecurity concern. The white hats are hoping for a DMCA exemption that would permit a vehicle's legal owner to circumvent its cybersecurity system.

What is the first step for OEMs?

Again focusing on question No. 12, collaboration will be essential to properly secure a vehicle. There is minimal involvement between automakers and the security community. Cybersecurity is a young concept for the automotive industry, but within the security community as a whole, the concept is far from new. Third-party security firms have dedicated experts with experience that evolved long before the automotive cybersecurity discussion began. Beyond just security firms, the automotive industry must cooperate with the white-hat community. OEM legal actions, such as the DMCA suit, only hurt the industry's efforts to improve its weak security posture. Even though the government is making the initial efforts triggered by the Markey Report and the SPY Car Act, it must be the automotive community that continues and energizes the cybersecurity discussion. Ultimately, automakers will not be able to solve the cybersecurity challenge alone — it will be a collaborative effort with the security community.

Is one exclusive solution available?

The short answer is no. Using a single solution to secure vehicles is far from the answer. Every vehicle module must have its own unique security posture. No single module is more secure than another — especially given the complex communication channels (which also must be secured) between in-vehicle systems. A single solution will create several vulnerabilities, but by implementing a holistic approach, automakers can develop a complete model.

After partnering with the security community, OEMs must become better educated. The complexity of today's vehicle is not conducive to a "Band-Aid" method. Frost & Sullivan believes that automakers do not yet have the in-house knowledge to properly secure a vehicle, making their answer to question No. 2 (How does your organization incorporate cybersecurity best practices into information technologies that currently exist in your products, networked or otherwise?) inadequate. Prior to connected cars hitting the road, comprehensive security analyses such as risk ranking and vulnerability assessments must be conducted. OEMs must determine how internal systems are connected and the potential attack vectors, and then flag those that touch safety-critical systems as priorities. Establishing a top-down and bottom-up best-practices model in partnership with the security community puts automakers in a realistic position to fully secure their vehicles within three years.

How do car makers take away the driver's role?

Drivers historically have not been diligent about bringing in vehicles to address recalls. With today's technology, dealership visits will be a thing of the past because of over-the-air (OTA) software updates. Automakers (with the exception of Tesla) provide OTA updates exclusively for software. Larger automakers simply do not have an established security posture that can support OTA updates for electronic control units, better known as firmware. Given the complex nature of firmware files, OEMs must ensure 100% security. A malicious attack on a firmware update may give the hacker control of vital systems (e.g., power steering or anti-lock brakes). By rolling out a secure OTA update system, automakers can give drivers a more seamless ownership experience by reducing dealership visits and keeping in-vehicle infotainment systems relevant, and taking a more proactive approach toward reducing the approximately $1 billion in recall costs each company spends annually.
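The OTA passage above states that a tampered firmware update can hand an attacker control of vital systems, but does not show what the vehicle-side check has to do before an image is flashed. The following Python is an added example, not code from the paper or from any automaker's update system. It models the three checks a secure OTA receiver needs: authenticate the update manifest before trusting anything in it, refuse downgrades to older (possibly vulnerable) versions, and verify that every delivered image matches the hash the manifest commits to. Two assumptions are labelled in the code: the manifest format (a small JSON document) is invented for the example, and the manifest is authenticated with HMAC-SHA256 under a constructed key only so the example runs on the standard library; a production design would use an asymmetric signature (question 9's public key infrastructure) so that the verification key held by the ECU cannot itself be used to forge updates.

```python
import hashlib
import hmac
import json

# Constructed sample key (assumption). In a real OTA design the ECU holds only a
# public verification key; HMAC stands in here so the example needs no third-party
# library. Anyone holding this key can forge manifests, which is why a shared
# secret is the wrong primitive for fleet-wide firmware authentication.
VERIFY_KEY = b"example-ota-verification-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_manifest(manifest: dict, key: bytes) -> bytes:
    """Backend side: authenticate a canonical serialization of the manifest.

    Sorting keys and removing whitespace makes the bytes that are signed
    independent of how the JSON happens to be pretty-printed in transit.
    """
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).digest()


def build_update(images: dict, version: int, key: bytes) -> dict:
    """Backend side: package firmware images with a version and per-image hashes."""
    manifest = {
        "version": version,
        "images": {name: sha256_hex(blob) for name, blob in images.items()},
    }
    return {
        "manifest": manifest,
        "signature": sign_manifest(manifest, key).hex(),
        "images": images,
    }


def verify_update(update: dict, installed_version: int, key: bytes) -> tuple:
    """Vehicle side: return (accepted, reason). Nothing is flashed unless accepted."""
    manifest = update["manifest"]

    # 1. Authenticate the manifest before reading any field from it.
    expected = sign_manifest(manifest, key)
    if not hmac.compare_digest(expected, bytes.fromhex(update["signature"])):
        return False, "manifest signature invalid"

    # 2. Anti-rollback: an authentic but older release may contain fixed bugs.
    if manifest["version"] <= installed_version:
        return False, f"rollback rejected: {manifest['version']} <= {installed_version}"

    # 3. Every image is bound to the manifest; no extra or missing images.
    if set(manifest["images"]) != set(update["images"]):
        return False, "image set does not match manifest"
    for name, digest in manifest["images"].items():
        if not hmac.compare_digest(sha256_hex(update["images"][name]), digest):
            return False, f"image {name} hash mismatch"

    return True, "ok"


def demo() -> dict:
    """Run the receiver against a valid update and three constructed tamper cases."""
    images = {"ivi": b"infotainment image v4", "bcm": b"body controller image v4"}
    update = build_update(images, version=4, key=VERIFY_KEY)
    tampered_image = {**update, "images": {**images, "bcm": b"patched body controller"}}
    tampered_manifest = {**update, "manifest": {**update["manifest"], "version": 99}}
    extra_image = {**update, "images": {**images, "abs": b"unsigned abs image"}}
    return {
        "valid": verify_update(update, 3, VERIFY_KEY),
        "tampered_image": verify_update(tampered_image, 3, VERIFY_KEY),
        "tampered_manifest": verify_update(tampered_manifest, 3, VERIFY_KEY),
        "extra_image": verify_update(extra_image, 3, VERIFY_KEY),
        "rollback": verify_update(update, 4, VERIFY_KEY),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The order of the checks matters: the version field is only consulted after the manifest has been authenticated, so an attacker cannot trick the receiver into a downgrade or an image swap by editing an unsigned header. Replacing `sign_manifest` with an Ed25519 or RSA signature, and keeping only the public key on the ECU, turns this into the shape a fleet-wide system needs.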
How will automakers fully secure a vehicle by 2018?

Automakers must collaborate with the security community, become educated, and implement a holistic approach. Cybersecurity will continue to be a dominant topic, and OEMs, rather than the government, must take back the leadership role. Unfortunately, the newly unveiled SPY Car Act presumes that automakers will continue to take a backseat on cybersecurity efforts. The SPY Act also requires automakers to work more closely with external security companies. One example of the firms the act had in mind is Wilmington, Mass.-based cybersecurity firm Security Innovation, which has already been selected to work on numerous US Department of Transportation projects. OEMs can leverage Security Innovation's established expertise through similar partnerships to consult, educate, design, and even implement a secure cybersecurity model. For instance, Security Innovation recently created Automotive Centers of Excellence in Seattle and Boston, and recently partnered with GM to provide its innovative and secure Aerolink vehicle-to-vehicle communication software for Cadillac's flagship 2017 CTS model. This is an example of a best-practice starting point for OEMs looking to unveil a fully secure vehicle by 2018 and earn excellent SPY Car Act cyber dashboard marks.

To avoid diminishing their brand and potentially save lives, automakers must become more proactive.

Will the Government Continue to Drive Cybersecurity?

The Markey Report and the House Energy and Commerce Committee's 14 questions have set the stage for tackling automotive industry cybersecurity vulnerabilities. Automakers must develop accountability and take the lead from the government in improving cybersecurity. As vehicles become more connected, the threat potential increases. No automaker wants to be the first to report their vehicle was maliciously hacked, which inevitably will happen. With no current method of identifying whether a car has been hacked, OEMs face a two-fold challenge: securing future vehicles and retrofitting security for existing fleets. Since the House committee's 14 questions have been posed, it is likely that OEMs will become more proactive, properly follow best practices, and seek the help of the security community.

Global automakers have a difficult road ahead. The industry is constantly evolving, and vehicle vulnerabilities are increasing. In an ideal world, the 14 questions and the SPY Car Act would not be necessary. There is no magic bullet in the cybersecurity world, and with today's connected car expected to protect both lives and data, the pressure mounts. No deaths associated with a vehicle hack have been reported, but it is only a matter of time. With no proven vulnerability tracking, all connected vehicles are vulnerable. If automakers expect to have strong marks on their cyber dashboard, they cannot expect to accomplish it alone. The hacker needs to be right only once; automakers need to be right 100% of the time.