The automotive industry is in a state of flux, and automotive security is becoming a key success factor. ESCRYPT CEO Dr. Thomas Wollinger explains how mindsets and actions are changing direction – and why this calls for a conductor.
Dr. Wollinger, is the automotive industry seeing a shift in its awareness of security?
It’s really exciting to see how things are taking shape. The industry is facing a fundamental shift – up to and including completely new business models based less on selling cars and more on data-driven services. Increasing digitalization and connectivity have long been sounding the death knell of traditional vehicle platforms with static control units and the advent of Ethernet-based platforms with distributed and connected ECUs. Individual embedded security functions just don’t cut it anymore. We must think and act beyond the vehicle and take a holistic approach.
What do you mean?
When we talk about the future, we’re talking about connected and automated driving. And this is based on exchanging data in real time, which provides a bigger target for attacks and means that threats take on a whole new dimension. When vehicles become rolling computers in a network, IT security becomes a question of personal safety.
So the car as a system needs to be completely protected, as does the communication among vehicles and between vehicles and roadside equipment, as well as the traffic infrastructure itself. And we must do this throughout the entire life cycle. We have to protect vehicles that will be on the road for 15 years or more from methods of cyberattack we have not yet seen. To do so, we must have the right processes and organization ready to go. Holistic automotive security, as we at ESCRYPT understand it, requires effective protection for the entire system and its infrastructure. And this must be for the entire life cycle, backed up with an organization that makes this possible.
That’s the theory. What does this look like in practice?
A prime example is our intrusion detection and prevention solution: Security software in the vehicle monitors the central ECUs and gateways. Anomalies in the electrical system communications are detected, documented, and forwarded to a security operations center in the backend. There, tools analyze the aggregated data and in the case of cyberattacks, security updates are carried out for the whole fleet in line with defined incident response procedures. The major advantage is that new attack patterns are detected as soon as one vehicle is targeted and lead directly to protection measures for the entire fleet. What you get is a kind of immune system in which IT security mechanisms are sustainably maintained over the entire life cycle and supported by the organization.
In other words, the IT security of an automaker’s fleet hinges less on the security measures themselves and much more on how these are coordinated and managed.
Absolutely. For OEMs, protecting their vehicle fleets will be a constant, complex, and crucial task. They will require predictive concepts, concrete security structures, and sufficient resources. And they will need central security management that ensures the harmonious interplay of all security measures and one that guides all involved at the OEM as well as external service providers, suppliers, and workshops – similar to how a conductor leads and develops an orchestra.
Just as automakers already orchestrate the processes and requirements of their core business, in the future they will have to orchestrate automotive security. The road to smart mobility can only go through effective IT security.