Connected cars: When cybersecurity comes into play

Cybersecurity and digital trust

    Posted on

    On the occasion of the cybersecurity month and while the Mondial Paris Motor Show has just closed down,

    Here is a little background on the study released during the Vivatech event dedicated to startup and technological innovation, called “How are startups shaping the future of road mobility?” in which a chapter was dedicated to cybersecurity.

     

     

    The automotive industry must now consider cybersecurity as an integral part of how cars are built, just as physical safety became a critical part of how cars were built in the late 20th century.

    Many people in this field caught on leading to the creation of many startups on the topic. Today, no less than 20 startups try to provide solutions to face automotive cyber risks.

     

    Cybersecurity, yes, but with a different approach

    Those startups show that the challenges to be handled are almost the same as those usually encountered in other sectors but need to be addressed differently.

    Due to the current specificities and constraints related to the automotive industry and connected car in particular, startups are having to adapt existing cybersecurity concepts and solutions while innovating including:

    • Manufacturing costs;
    • Proprietary and specific technologies for embedded materials, with little security originally integrated (e.g. CAN – Controller Area Network);
    • Systems with long lifetime and complicated upgrade capacity;
    • Limited processing capacity;
    • Architecture complexity.

    4 main cybersecurity objectives are addressed by startups in the field, through the products and services they propose:

    • protect hardware, firmware and software, as well as related processed-data which is a true challenge especially when having to implement cryptography mechanisms requiring significant computational
    • ensuring only legitimate communications are allowed to ensuring no-one is able to take unauthorized control of  a car, while protecting data in transit which is essential for privacy;
    • detecting abnormal events and reacting accordingly in order to prevent any intrusion or cyber attacks on a car as well as a whole fleet;
    • managing systems lifecycle, particularly related-vulnerabilities is  becoming a major concern all the more so when a car has a 15 to 20 year life;

    It appears clearly that intrusion detection and threats prevention are two of the most covered topics as 70% of the automotive cybersecurity startups are offering related solutions. One can say that the market and car manufacturer kept in mind what happened to the Jeep Cherokee. However this figure may originates from the fact that is probably easier to provide security at the car boundary rather to integrate cybersecurity in the current constraint in-vehicle architecture and components.

    One another key point is that vehicles have a lot in commons and share, for some aspects, the same characteristics with the Internet Of Things. That’s why it is not surprising to see startups like Prove&Run or IoT.BZH coming from this world and offering embedded software and hardware oriented security services and solutions to the automotive market.

     


    Cybersecurity startups anticipate future connected car architectures

    Even if startups mainly offer solutions and services to secure existing systems and architectures within modern vehicles, there is a trend today showing some of them are anticipating and building cybersecurity solutions for the forthcoming systems and architectures.

    The startup Argus Cyber Security* is a good example. One of its first products was the “CAN firewall”, to protect the historical CAN network which is still the reference protocol in  current vehicles. The startup has since developed new solutions like the “In-Vehicle Network Protection Suite” to support a wide array of network protocols – CAN and CAN-FD, FlexRay, Ethernet (with SOME/IP, DoIP etc.), etc. – and thus defend current and future vehicle architectures.

    Another example is Arilou Technologies*, which recently designed a new cybersecurity tool called the “Ethernet Security Hub” especially for protecting future connected and autonomous vehicles equipped with Ethernet networks rather than CAN networks.


     

    Major actors invest in startups at an unprecedented pace

    The ongoing creation of cybersecurity startups in the automotive industry over the past years highlights the fact that cybersecurity has become a top concern in the sector.

    Established automotive companies, like car and equipment manufacturers, know this well.

    Some focus on hiring new talents and/or developing technologies in-house but most of them are very aggressive in investing or buying startups at an unprecedented pace. Are they afraid of the potential competition? Are they unable to provide these innovations with their own R&D teams? Do they want to
    accelerate with the integration of new ways of working and new teams? The answer is certainly a combination of these 3 factors as the connected and autonomous car represents a major shift in their organization and strategy.

    This fast movement is clearly visible when looking at the list of the latest startups acquisitions below:

    • Founded in 2013, ADVANCED TELEMATIC SYSTEMS was acquired by HERE in 2018;
    • Founded in 2013, ARGUS CYBER SECURITY was acquired by Continental in 2017;
    • Founded in 2012, TRUSTPOINT INNOVATION TECHNOLOGIES was acquired by ETAS (Bosch) in 2017, which had already acquired the cybersecurity company Escrypt in 2012;
    • Founded in 2012, TOWERSEC was acquired by Harman in 2016, which was in turn acquired by Samsung in 2017;
    • Founded in 2010, ARILOU TECHNOLOGIES was acquired by NNG in 2016;
    • Etc.

    In addition to these acquisitions, many actors also invest in startups and build partnerships with them, like Denso for example, which recently invested over $2 Million in Dellfer, a startup that was founded in 2016.
    Besides, startups are not the only ones to be concerned. Some established companies in the field are also concerned, highlighting the market dynamism on the topic. For instance, Thales and Vector recently formed a joint-venture to work on addressing cybersecurity challenges related to the connected and autonomous car.

     

    A new area of risks is rising

    The arrival of autonomous cars is a new challenge for cybersecurity. Many new risk scenarios will have to be taken into account, mainly in the field of attacks on artificial intelligence, advanced sensors security and even automated response to cyber events.

    To face this new challenge, solutions are only at a development phase and not particularly dedicated to the automotive sector. Many researchers like Nicolas Papernot or Ian Goodfellow are currently working on how to prevent Adversarial Attacks which aim at deceiving AI and which could lead, if applied to an autonomous car, to safety issues.

    Breakthrough solutions are probably being developed by startups from the Zeroth. AI accelerator, an Artificial Intelligence and Machine Learning focused startup accelerator.

    Although they will undoubtedly provide bleeding edge solutions to these complex problems, no one has declared working on the automotive field yet.

    Certainly, cybersecurity and safety will have to be addressed jointly to make autonomous vehicles a reality.