Once hacked, twice shy: How auto supplier Harman learned
to fight cyber carjackers
September 20, 2019 | By Tina Bellon
LAS VEGAS (Reuters) - When researchers
remotely hacked a Jeep Cherokee in 2015, slowing it to a crawl in the
middle of a U.S. highway, the portal the hackers used was an
infotainment system made by supplier Harman International.
Harman, now part of Samsung Electronics, has since developed its own
cybersecurity product, and bought Israel-based cybersecurity company
TowerSec for $70 million to help it overhaul manufacturing processes and
scrutinize third-party supplier software.
The expensive efforts have so far helped Harman avoid another public breach
and have made it a key player in automotive cybersecurity, but they also show
the strain suppliers and automakers face in dealing with this new dimension
of automotive technology.
"At the end of the day, automotive is a very competitive business with
small margins. If a competitor wants to eat the cost to win the
business, you have to do the same thing," said Geoffrey Wood, Harman's
director of cybersecurity business development, who joined the company
in late 2016.
The automotive cybersecurity market is growing fast. Global revenue was
around $16 million in 2017 and is forecast to reach $2.3 billion by 2025,
according to IHS Markit, driven by Harman, Garrett Motion Inc, German
suppliers Continental AG and Robert Bosch, and a range of smaller U.S. and
Israeli companies.
Securing cars from hackers is a complex task for these companies. Modern
vehicles run on 100 million lines of code, are equipped with hundreds of
different technologies and can have up to 150 electronic control units
using various operating systems.
Unlike consumer electronics, cars can stay in use for decades, long
after operating systems and component software cease being supported
through updates that patch vulnerabilities - a challenge the industry is
still grappling with.
Automotive cybersecurity requirements now number in the hundreds of
pages from just a page five years ago, according to interviews with a
dozen automotive cybersecurity professionals.
For its 2024 vehicles under development at BMW AG, for example,
suppliers are required to ensure that driving system control units have
no direct connection to customers' internet-connected devices, said
Michael Gruffke, head of security system functions at BMW, which sources
parts from Harman.
Small auto suppliers with thin profit margins are often the weakest link
for hacks, said Rotem Bar, a cybersecurity professional who until recently
worked at Israeli company CyMotive, which has partnered with German automaker
Volkswagen AG.
But automakers typically still hand off testing and ensuring the
security of data systems to their subcontractors, industry experts said.
"It's really shifting the burden onto the suppliers because the
automaker is not able to test and verify everything along the supply
chain," said Dennis Kengo Oka, senior solutions architect at Synopsys
Inc, who conducts research on automotive cybersecurity.
At BMW, more than 70% of the components in its vehicles are manufactured
by suppliers. "We therefore must expect our partners to take
responsibility for implementing cybersecurity in respective deliveries,"
the automaker said in a statement.
General Motors said in a statement that it handles "a significant amount of
work" related to security and testing without passing the expense to its supply
chain partners.
Ford Motor Co and Fiat Chrysler did not respond to requests for comment.
Volkswagen and Daimler AG declined to comment.
BUILDING CYBERSECURITY BUSINESS
Harman saw its Jeep hack experience as a viable business opportunity: the
supplier today sells cybersecurity software that allows automakers to monitor
their fleets and provide over-the-air software updates. Analysts at IHS Markit
consider Harman one of the top players in that segment, with some 20 automakers
using its over-the-air services.
Harman does not break out revenue for that business. But the company does try to
recover some costs by charging higher prices for advanced security.
"We have to educate our sales people in conversations with carmakers' purchasing
departments and say 'don't let this go without adding cybersecurity to your
quote'," said Amy Chu, Harman's senior director of automotive product security.
Asaf Atzmon, the Israel-based vice president and general manager for automotive
cybersecurity, said Harman has come a long way since he joined in March 2016 as
part of the TowerSec deal.
At the time, Harman employed only some security architects, and the company
later changed its organizational structure, appointing or hiring professionals
such as Wood and Chu to oversee cybersecurity efforts, Atzmon said.
The changes helped Harman consider cybersecurity issues at every stage of the
production process, creating a checklist for engineers that includes scanning
third-party software for bugs, increasing Harman's own cybersecurity defenses
and creating a risk analysis of potential vulnerabilities for every component.
Instead of simply adding comfort features such as Bluetooth, for example,
designers now first have to show how they would secure such a connection.
A particular challenge is securing vehicles over their entire lifecycle, said
Chu. Cybersecurity professionals are used to simply issuing software patches,
but automotive engineers caution that only a fraction of vehicles can receive
over-the-air updates.
After the Jeep hack, a costly recall of 1.4 million vehicles had to be issued
so that the software flaws could be fixed at dealerships. Tesla Inc, which
offers over-the-air updates as standard even for safety-critical functions,
is so far the exception.
"Things are just not that easy for us in the auto industry," said Chu.
Conscious of the many challenges, the industry has come together over the past
few years in a rare show of collaboration. In 2015, soon after the Jeep hack,
automakers created a group to share threats and vulnerabilities. Companies are
now trying to define industry-wide cybersecurity standards, which in turn could
lower costs for suppliers.
Still, common standards are not expected to be published before next year. And
some of the standards might be watered down to protect smaller suppliers and
ensure they have the resources to comply, said Victor Murray, a group leader at
the Southwest Research Institute, which tests cars and components for
cybersecurity vulnerabilities.
"You want to be careful and not box anybody in because if smaller suppliers get
overwhelmed with mandates they're out of business," Murray said.
(editing by Edward Tobin)
© 2019 Thomson Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.
Thomson Reuters is solely responsible for this content.