Highly publicized hacks have focused the spotlight on automotive cybersecurity, sparking activity on many fronts. The Society of Automotive Engineers is racing to complete a best practices standard, SAE J3061. Intel recently established the Automotive Security Review Board, which will encompass global security industry specialists. Even the U.S. government is jumping in with the evocatively-named Security and Privacy in Your Car Act (SPY Car Act). If passed, it will task the National Highway Traffic Safety Administration (NHTSA) with issuing motor vehicle cybersecurity regulations.
Mainstream autos are increasingly joining the Internet of Things. Gartner forecasts that about 20 percent of vehicles worldwide will have a wireless network connection by 2020, amounting to more than 250 million connected vehicles. In response to this growth, carmakers and their suppliers are acting to prevent hackers from causing crashes, disabling vehicles and extorting automakers or owners. That’s prompting something of a hiring frenzy.
“Five years ago, security was not top of mind in the auto industry,” said Grant Courville, director of product management for QNX Software Systems. “Now anyone with security expertise is very attractive. Automakers are grabbing talent from other sectors”
Automakers aren’t the only ones clamoring for this expertise. Security breaches in corporate fields and government agencies are vying with automotive suppliers to lure employees with strong security skills.
“Security experts are an extremely hot commodity. Everyone’s looking for talent, but companies are not willing to let their talent leave for another job,” said Gary Miller of Renesas Electronics America, the largest automotive semiconductor supplier.
While activity has intensified recently, there’s been a lot going on behind the scenes. Automotive microcontroller manufacturers have sold into information technology and other fields that have focused on security for years, so so they’ve developed encryption modules and other security features. Tier 1 suppliers like Continental and Visteon have also been gearing up to meet the demands of connected vehicles.
“The Tier 1s and semiconductor suppliers have done a lot in the past, but in the last couple years, there’s been more focus on security and more hiring,” said Greg Basich, senior analyst for Strategy Analytics’ Automotive Practice. “There have been a lot of acquisitions in the industry, I think we’ll see more of them in security, probably with more acquisitions of smaller companies.”
A growing number of start-ups are addressing automotive security. They’re seeing solid growth, which marks a changes from just a few years ago, when huge automotive companies were often reluctant to work with unproven young companies who might not last through the multi-year development cycle for cars.
“Our company was founded last year,” said Joe Saunders, CEO of Run Safe Security. “We’ve already doubled our technical staff.”
Regardless of whether these the security experts work at established companies or start-ups, they often work closely with auto manufacturers’ technical staffs.
“We’ve developed dedicated security chips and we’ve been very active in security standards development for the past five or 10 years,” said Renesas’ Bill Stewart. “Now we’re seeing more OEM and Tier 1 interest in what we have inside. We need to explain what security features are in our chips.”
The growing interest in security is prompting some staffing changes at most companies. Security has to be built into systems, not attached after concepts and architectures have been set. Protection must be built into all systems or malware that gets into any system on a vehicle network can attack other electronic modules.
“Security can’t be an afterthought. It has to be part of the culture,” Courville said.
This means that engineers and programmers who understand security must work closely with their counterparts who are well-versed in the subtleties of engine control, infotainment of safety systems, to name a few. Addressing this complex issue in vehicles that routinely run 100 million lines of software requires a well-structured architecture.
“Specialists in the security realm will be combined with specialists in various automotive platforms,” Saunders said. “Combining people on teams is critical unless a company finds enough people who are fantastic on both sides, security and the vehicle system.”
In the auto industry, security and safety are closely intertwined. Improving safety was a key thrust a decade or so ago, particularly as functional safety trends emerged. Now, executives and managers throughout the industry agree that security must be added whenever safety is part of the design.
“You can’t have a safe system if it’s not a secure system,” Courville said.
Both safety and security are basic ingredients that must be baked into system developments from the concept stage and throughout the development cycle. Small changes in one area can alter outcomes in unrelated areas. That means technologists will have to spend some time making security part of their basic thought process. That’s not an overnight step.
“Security is something that people don’t understand immediately, it takes time,” Miller said. “It’s a bit like when functional safety came around. At first, everyone hired experts. Then more people learned how to implement it in designs.”