Crain's Detroit Business Print Version
March 7, 2014
Hackers are typing away on keyboards with the goal of infiltrating and tearing apart advanced software systems. Some are motivated by chaos, others by theft.
But in metro Detroit and around the country, hired hackers, dubbed "white hats," are disassembling automotive software to expose flaws in supplier programs. The goal is to take the lessons learned and implement changes that will thwart cyberattacks and protect the future of automotive technology.
Why are cars a target? More software is being installed on vehicles to perform varying tasks, such as allowing cars to communicate with other vehicles and infrastructure and access information via the Internet.
Many current luxury models, some of the most technologically advanced, have more than 100 million lines of code, according to reports.
The new technology opens new realms of possibilities for performance, and passenger usefulness, but it also unlocks the door to cyberattacks, experts say. Hackers can pursue consumer information, or directly impact how the car functions.
In July 2013, two Pentagon-funded researchers hacked into a Ford Escape and Toyota Prius, remotely taking control of the vehicles, in a well-publicized event; Forbes published the initial story and video.
Much of the work to prevent attacks remains cloaked for security purposes, but experts say the rollout of connected vehicle technologies requires new protocols and diligence to maintain safety.
Andrew Brown, vice president and chief technologist for Troy, MI,-based Delphi Automotive plc, said cyberattacks are one of the greatest threats to the industry.
"We're in the infancy of figuring out cybersecurity, but we're all working to be proactive," Brown said. "We can't have any vehicle out of control because of a Delphi subcomponent or subsystem."
Sen. Ed Markey, D-Mass., is leading an inquiry into automotive security. In December, lawmakers sent letters to 20 carmakers asking how the industry is working to prevent cyberattacks. Responses were expected last month, but Congress has yet to release them.
Much of the fear stems from what hackers have been able to accomplish in recent years to disrupt business.
The December cyberattack on Target Corp. remains at the epicenter of the cybersecurity debate. Hackers gained access to the private information of as many as 100 million Target customers, opening the door to rampant credit card fraud—and a more than 5% decline in Target revenue and drop in its stock price.
Target executives told The Wall Street Journal (WSJ) last month that the hack occurred through a third-party refrigeration, heating and air conditioning subcontractor. WSJ reported that the hack occurred from stolen credentials from the subcontractor.
Planning for chaos
Federal regulators are paying more attention to cybersecurity than in the past. In the auto realm, that has focused on driverless car technology (expected to be market-ready by 2020) and the security risks inherent with connected cars.
Testifying in front of a Senate Commerce Committee in May, then-head of the National Highway Traffic Safety Administration David Strickland said, "These interconnected electronics systems are creating opportunities to improve vehicle safety and reliability, but are also creating new and different safety and cybersecurity risks."
Andre Weimerskirch, associate research scientist of transportation cybersecurity and privacy at the University of Michigan Transportation Research Institute, said the real threats aren't materializing in current cars. The future automobile, though, is ripe for hacking if the industry isn't prepared.
"There's no need to panic today, but as the knowledge of these systems becomes widely available, they also become a more attractive target," Weimerskirch said. "Carmakers and suppliers need to be prepared so they are always ahead of the hacker—because we're talking about the safety of people, not a home computer."
Karl Heimer, senior research director of cyber innovation for Columbus, OH-based research and development nonprofit Battelle Memorial Institute, said that while cars are a "low-volume target" for hackers now, the increase in technology will only drive them into the space.
"Hackers are extremely economy-conscious; they spend their time on dominant platforms, creating more chaos," Heimer said. "But the future brings a coming convergence of (software) architectures in cars. And when that happens, it's going to become an emerging target like cellphones are now."
Battelle has spent the past 18 months developing a coding system for automotive software to detect hacks and alert companies. The U.S. Department of Transportation has already evaluated the system, and Battelle expects to begin implementing the system in 2015, Heimer said.
"This is a defensive prototype," Heimer said. "The industry is more than 15 years away from creating preventative measures. Right now, we're working to mitigate threats."
Weimerskirch said that while the industry is developing reactionary and defensive measures, it must include cybersecurity early in the developmental process.
"Security needs to be included in the design from the very beginning; you can't develop a car and then drop in security because it doesn't work," Weimerskirch said. "Always assume that someone can hack into your system and how your architecture can prevent them from gaining access."
Delphi is placing IT employees in many of its engineering and design units to make sure cyber safety measures are developed with new products, Brown said.
"We need to stay ahead of the evolution of hacking; as we move forward with newer and newer technology, we have to maintain an advantage," Brown said.
Auburn Hills, MI-based Continental Automotive Systems Inc. chose to work directly with proven technology companies, such as networking provider Cisco Systems Inc., to protect its software.
"We see a key advantage in finding partners in the industry," said Tejas Desai, director of Continental's interior electronics solutions group.
"We have systems we develop internally, but as I start to bring big data into the car, they can help me manage it coming in and out of the vehicle securely—where we can't or haven't in the past."
Brown said the next step is for the industry to create standardized protocols to mitigate attacks.
"(The industry) lacks broadly based standards," Brown said. "We are concerned as (automakers) develop their own standards, we'll be left to develop to multiple standards."
Brown said General Motors Co. (GM) is developing its own standards and requiring levels of cyber protection for its supplied products.
GM declined to comment on specifics, but confirmed it is developing protocols.
"Data security is very important to us at GM, and the issues involved are complex and ever-evolving," Tom Henderson, global purchasing communications manager for GM, said in an email to Crain's.
Heimer said that as long as the industry maintains vigilance in its efforts, it can stay on the forefront of preventing a hack like the one on Target.
"Consumer demand is going to make vehicles more and more connected wirelessly," Heimer said. "To get in front of the security problem, we have to be serious; and we're at a point where, as long as we move quickly, we can avoid most of the bumps in the road."
Quality News Today is an ASQ member benefit offering quality related news
from around the world every business day.