Cyber-Security Hardware at Risk of Being Ignored

Automotive cyber-security hardware remains a relatively small market and a missing piece in vehicle protection.
According to a forecast by security chip provider Infineon, cyber hacks might cost the automotive industry $24Bn within the next five years in brand damage, capitalization losses and liabilities similar to the lawsuit against Fiat Chrysler Automobiles (FCA) in 2015. A huge number indeed, but consider this: with global vehicle production expected to exceed 600 million units over the same period, an automaker can, on average, justify spending no more than $40 per vehicle on higher protection. Much less, in reality, because even Infineon admits that no solution will make vehicles 100% secure.
This explains why dedicated security hardware is welcomed by premium automakers, with their softer cost limits, while it is slow to reach the mass market. “Most OEMs and suppliers I was engaged with were generally happy with software-based solutions,” says James Hodgson, principal analyst at ABI Research.
Although the cost of security chips and other components can be negligible, embedding them entails many additional expenses. “There are difficulties and concerns for overall new investments when adopting new cyber-security technologies such as hiring experienced engineers, process and design changes etc.,” Choon Kee Hwang, senior PR manager at Hyundai Mobis, stated in an e-mail.
Harder to hack
So, why do we need more of that expensive silicon? In short, the experts interviewed think that only combined hardware-and-software solutions can effectively counter certain types of attacks, such as tampering, and provide adequate protection for keys and credentials on IoT devices.
Meanwhile, the gateway for such attacks is widening with the rise of connectivity and mobility as a service (MaaS). While it’s quite difficult for someone malicious to gain physical access to any controller within a private car, shared vehicles are a different story. “Those are a kind of vehicles that are going to stay regularly out in the public space unmonitored,” Hodgson says. “You can expect to see the demand for tamper proofing to grow.”
Corporate fleets, including shared ones, are exposed to higher-than-average risk. According to a survey presented by security specialist Irdeto at TU-Automotive Detroit 2019, 77% of transport and automotive organizations had experienced an IoT-focused cyber-attack in the past twelve months while 91% of them had some kind of impact on the organization. Only 6% indicated that they had what they needed to combat cyber-attacks.
Predictably, fleets make up the ranks of early adopters. “Although automakers are our primary target market because their large volumes help to drive the cost down, fleet owners with higher error costs, namely VIP garages and public transport companies, show interest as well,” says Sergey Balashov, vice-president of business development at start-up Thea. Currently, the start-up is conducting early commercial pilots of what it touts as a world-first hardware-centered automotive cyber-security solution with mass-market brands such as Kia, Skoda, Toyota, Chevrolet and Lada.
Globally, that interest is higher in Asian countries, he says, where rapid adoption of connectivity is feeding the demand for protection of the vehicle’s communications with the outside world. His view matches Choon Kee Hwang’s statement that, these days, hardware security elements are frequently implemented within vehicle controllers in more advanced vehicles.
Meeting trends
Technically, the task of embedding hardware contains no unsolved issues, Hodgson believes. The automotive industry can benefit from the arrival of suppliers such as Irdeto, which brings two decades of experience in protecting video entertainment content.
Massive progress will happen when two trends, moving towards each other, meet. Stricter standards are going to push up the automakers’ cost margins, while the re-shaping of the vehicle’s computing architecture will drive the costs down. Hodgson thinks that Western Europe will lead the way with technical regulations: “In Germany, you have to meet the state-of-the-art definition with ISO26262 effectively mandated. It makes it very difficult for an OEM to defend themselves in court if the vehicle wasn’t designed to subject to ISO26262. Generally, the more they’re exposed to that liability risk, the more incentive there is for them to invest in robust cyber-security hardware.” The upcoming release of the standard ISO/SAE21434 Road vehicles – Cybersecurity engineering has also drawn the automakers’ attention to cyber-security.
As for the opposing trend, the analyst foresees that the cost is going to gradually decrease thanks to what he calls “consolidation and harmonization”. The modern vehicle’s computing architecture is highly fragmented, he explains. In the future, dozens of specialized chips such as ECUs are going to be replaced with a few larger domain controllers, which will make protecting them more affordable.
Balashov claims that Thea was able to mitigate the cost of dedicated cyber-security hardware by thinking of a smart car solution as a holistic system in which security hardware and software are integrated at the early stages of development: “In our vision, the only available evolutionary path for vehicle cyber-security is to fuse hardware and software solutions.”