Connected and autonomous cars are the future and they massively include software components
It is estimated that by 20201, a quarter billion of connected cars will be on the road. Functions that can usually be found in several electronic consumers devices such as smartphones or on internet websites and apps now also exist in cars. Today, cars include very complex internal networks linking together different components such as sensors, passenger connectivity and even main driving capabilities such as as braking or steering. Some functions like automated parking (e.g. Park4U system from Valeo), automated speed regulation or in-line driving are already available for customers today. With the involvement of all automotive companies as well as other industry giants such as Google or Apple, the number of autonomous and connected cars is growing fast. In the future, networks of inter-connected cars communicating with each other both for driving safety purposes and passenger communications could become the norm.
Such levels of connectivity and autonomy increase the potential impact of cyber-attacks on cars
Potential attacks on cars are no longer reduced to carjacking as it is now possible to cyber-attack vehicles remotely. In fact, this has already been demonstrated for some of cars’ main functions such as steering or braking (examples of this can be seen with Chinese hackers remotely taking control of a Tesla car or American hackers taking control of a Jeep). With the increasing number of connected cars, such hacks could have dramatic effects on road safety: what would happen if a whole fleet of vehicles is no longer controlled by their drivers? Personal connectivity to the car via Bluetooth, Wifi or GPS technologies is also a key function that most customers not only use but are also very fond of. Theft and hostile access to such data would pose issues to people’s privacy (access to their location in real time, gathering their interactions with infotainment in the car and potentially analysing their actions). Having an integrated car network also means that gaining access through one part of the vehicle could provide access to all vehicle’s networks both personal and functional.
Car manufacturers are starting to structure their software development activities by first securing product quality and safety but not security
Software development being a fairly new activity for automotive companies, it is currently mainly focused on making sure to secure product quality and thus passengers safety. Companies are now following the Automotive SPICE initiative aiming at enhancing quality as well as controlling processes and norms such as ISO 26262 related to functional safety of vehicles on the road. Quality has always been car manufacturers’ first concern as defects on a vehicle can lead to costly recalls which are quite damaging for companies’ image. Since most automotive manufacturers do not allow for over-the-air (OTA) update of their vehicles’ software, any identified bug also require the retrieval of the vehicle. In fact, Tesla is one of the first companies already providing this capability which is today a common practice for all smartphone updates for example.
Questions raised on cybersecurity and autonomous cars affect more than just car manufacturers
Autonomous and connected cars pose a drastic change to the way safety has been and is perceived in the automotive industry. Until recently, drivers were considered responsible in case of incidents, unless the vehicle showed defects. With the increase of autonomous driving and new available software having a strong role in all vehicle’s functions, the line on who is responsible for the overall vehicle (and what it entails) becomes blurry. The current level of autonomy found in most cars today is identified as Level 2, meaning that the driver remains responsible to have control over his car. However this is already a significant change in the driver’s habit and how he is used to driving.
Therefore, the question is: who should be held accountable in the event of a software glitch, unpredicted circumstances or a hack? Is it car manufacturers, equipment suppliers, the driver, the hacker, pedestrians or other vehicles on the road? The prevailing set of rules and regulations do not apply to such situations yet. Additionally, individuals or manufacturers are not the only ones who should adapt to these changes, other actors such as insurance companies will also be impacted by this topic.
How far could automotive cybersecurity attacks impact the industry?
The world has seen an increase of cyber attacks on different types of data in the past years: emails hacking, leak of confidential documents, attacks on utilities infrastructures (UN nuclear power plant), … This demonstrates how cybersecurity has now become a pressing matter globally. Therefore the setup of wider networks of more interconnected and interdependent cars increases the cybersecurity risk for the automotive industry.
Automotive companies are racing to meet customer demands and to provide them with more advanced technological products; artificial intelligence and deep learning could even be the next steps for the industry. But is this race going too fast in regards to passengers’ safety and systems security? How will regulations and laws be set up to properly structure this growth and avoid dramatic consequences?
The extensive forecast growth of the cyber security industry (from USD 122.45 Billion in 2016 to USD 202.36 Billion by 2021)2 clearly demonstrates that this is a global and cross industry topic and it is difficult to predict what the future will bring to the automotive industry.