Future opportunities for cyber security in the automotive industry
I have been doing some research into automotive cyber security. I found many references to the McKinsey & Co report Cybersecurity in automotive - Mastering the challenge. The report makes some interesting points:
- Hacking of connected cars by security researchers has made headlines over the past few years, and concerns about the cybersecurity of modern vehicles have become real.
- The UNECE WP.29 regulation on cybersecurity and software updates is on the horizon and will trigger a paradigm shift in the automotive industry.
- Under regulatory programs for cybersecurity and software updates in the automotive sector, the regulator will require automotive OEMs – the responsible parties for vehicle homologation – to demonstrate adequate cyber-risk management practices throughout development, production, and postproduction of their vehicles, including the ability to fix software security issues after the sale of vehicles and over the air.
- We expect to see the market grow from USD 4.9 billion in 2020 to USD 9.7 billion in 2030, with software business representing half of the market by 2030.
- Today’s cars have up to 150 ECUs and about 100 million lines of code; by 2030, many observers expect them to have roughly 300 million lines of software code.
From press sources they found that software vulnerabilities have been observed across the entire digital car ecosystem:
- 2019: Hack of an OEM’s automotive cloud via third-party services and tier-1 supplier network
- 2019: Memory vulnerability at a cloud provider exposed data incl. passwords, API keys, and tokens
- 2019: A malware infection caused significant production disruption at a car parts manufacturer
- 2019: Vehicle data exposed during registration allowed for remote denial-of-service attacks on cars
- 2019: Malware infected the back end, making laptops installed in police cars unusable
- 2018: An ex-employee breached the company network and downloaded large volumes of personal information
- 2018: Cloud servers hacked and used for cryptomining
- 2018: Security issues discovered in 13 car-sharing apps
- 2017: Ransomware caused the stop of production across several plants
McKinsey shared a helpful diagram that depicted the regulations, standards and best practice frameworks that are in flight:
They predict that the penetration rate of hardware security modules will also reach saturation around 2025, corresponding to the expectation that the UNECE WP.29 regulations on cybersecurity and software updates will be enforced in 2024.
They also predict that the market for vehicle SOCs will emerge over the next few years. “Similar to enterprise IT SOCs, we expect to see third-party vehicle SOCs, and software companies offering products to operate these SOCs”.
I have no doubt that the innovation, growth in the market space and increase in regulation will drive a further need for skills in the cyber security arena.
Very experienced Information Security professional, open to contract opportunities
4 years ago: Meanwhile in other news https://edition.cnn.com/2019/02/06/uk/driverless-cars-scli-gbr-intl/index.html
Leadership | Intelligence | Cybersecurity
4 years ago: This is a good point about whether the current operational practices we have in place will be able to scale to new Cybersecurity use cases enabled by 5G and the convergence of physical and enterprise infrastructure. For example, what does an informational sharing model look like for fully autonomous vehicles?