Cybersecurity is a significant concern in the US, especially after SolarWinds, an information technology firm, suffered a supply chain cyberattack that later infected its clients and went undetected for months. Allegedly, foreign operators were able to spy on private companies and government bodies like the Department of Homeland Security, compounding the incident. Another crippling cyberattack hit Colonial Pipeline, one of the nation’s largest energy pipelines, creating havoc by disrupting fuel supplies across the US. According to Colonial Pipeline’s CEO Joseph Blount, the attack involved a legacy VPN that did not require multifactor authentication (a second factor such as a text message or email), meaning a simple password was able to take down fuel deliveries throughout the US.
These recent cybersecurity disasters prompted President Joe Biden to sign an executive order stepping up the nation’s cybersecurity measures and increasing the partnership between private industry and the public sector. The President’s main concern is protecting national security and the integrity of the government. The order includes specific measures such as removing obstacles to sharing threat information between the public sector and private industry, updating to more robust cybersecurity policies, and implementing a review board, among many others.
One lesson the US learned is that a single cyber incident has ripple effects and can wreak havoc on the business that was hacked, the customers of that business, and anyone depending on them for services. In the cases of SolarWinds and Colonial Pipeline, those ripple effects took the attack to a national level.
One thing is clear from these incidents: no business is immune from a cybersecurity attack. One industry in particular has the ability to affect the world on an international level if hacked – the auto industry. As the auto industry moves to autonomous vehicles, the amount of technology in the vehicle can leave it vulnerable to attack on multiple levels. According to McKinsey & Company’s report on cybersecurity, today’s cars have up to 150 ECUs and around 100 million lines of code; by 2030, many predict they will have roughly 300 million lines of code. Now imagine if an entire fleet of vehicles were hacked. An attack like that could have catastrophic consequences and could easily happen if any vulnerabilities were left unprotected in the car. Autonomous vehicles are complex, with many layers and multiple sensors that all need to be protected and are often supplied by various OEMs, which can pose a great risk to cybersecurity if the right solution is not in place.
Some regulations are currently in motion. The United Nations Economic Commission for Europe (UNECE) is creating a proposal through its World Forum for Harmonization of Vehicle Regulations (WP.29) to regulate cybersecurity management systems, vehicle software update processes, and software update management systems in the more than 60 countries within its jurisdiction. Once UNECE accepts this proposal at the beginning of 2022 and the regulations are adopted by its member countries in 2024, OEMs will be required to implement specific cybersecurity and software-update practices and capabilities for vehicle type approvals – effectively rendering cybersecurity a nonnegotiable component of future vehicles.
Additionally, there is technology to address these threats, and it is crucial to integrate it during the development stage of the vehicles. All Tier 1s and OEMs should have a comprehensive automotive cybersecurity lifecycle management platform that combines three key capabilities: visibility, control and protection. The purpose of these capabilities is to provide insight to OEMs and Tier 1s by simplifying in-vehicle cybersecurity management, creating unified communications across the supply chain (which can often be disparate), and automating threat identification and prevention. With this new technology, the automotive industry can better manage modern vehicle architectures, significantly speed up the reaction to cyberattacks across the entire supply chain, and better collaborate to implement the UNECE WP.29 regulation and other future regulations.
As the nation gears up to combat cyberattacks to protect national security, the auto industry, with its huge technology advances over the years, needs to stand ready to do its part to ensure that the vehicles we know and trust are protected. As technology develops, the safeguards that protect consumers on a worldwide level need to step up as well.