Cars are becoming increasingly connected and technologically advanced – reflecting incredible changes and capabilities, even compared to where we were a few years ago. This has also made them more susceptible to cybercrime. These high data security demands can’t be tackled alone, which is why HARMAN not only serves as a highly regarded automotive cybersecurity leader, but also as a supplier of vault-like security solutions. In honor of National Cybersecurity Awareness Month, we spoke with Hadas Topor Cohen, Senior Director, Head of Products & Business Development, OTA and Cybersecurity, and Nir Berman, Senior Product Manager, Automotive Cybersecurity, at HARMAN to learn how our engineers and cybersecurity experts are helping OEMs deliver new in-car experiences while managing critical risks and other vulnerabilities.
Q: IHS Markit estimates that more than 620 million vehicles will be equipped with embedded connectivity in 2025, up from 208 million in 2019. But increased connectivity brings increased security concerns. Based on your expertise and market analysis, can you outline what your team is focusing on for the next 12-18 months?
Nir Berman (NB): With added connectivity, security risks are increasing over time and to get ahead of them, automakers need to implement constant security monitoring. That’s just one of the initiatives our team is focused on. For example, security patches and system updates are being developed almost constantly – that means a lot of Over-the-Air (OTA) updates for our vehicles. We also have to focus on regulatory compliance, which involves completing regular threat assessments of the vehicle, keeping in mind new potential risks as well as the ability to monitor and react to known threats.
Hadas Topor Cohen (HTC): Today, automakers lack the ability to accurately evaluate the cybersecurity risks for a given vehicle. Even though cars are thoroughly tested for security at the development phase, those findings could be irrelevant or outdated in just a year’s time. Cybersecurity threats are constantly evolving – the landscape is always different because the types of threats are changing simultaneously. For example, as a result of the coronavirus pandemic, our world has experienced an increased focus on personal vehicles. COVID is accelerating transformations that have great benefits for consumers, such as mobile payments, but that increase potential cybersecurity risks at the same time. At HARMAN, we’re focused on giving an up-to-date view of potential threats to the vehicle in order to stay one step ahead of any hackers. We’re providing solutions that present an accurate picture of the current situation to help manufacturers evaluate their vehicles as they currently are, not as they were at the time of production.
Q: Many OEMs are planning to deploy a connected car platform in the near future, in response to consumers’ demand for a more ‘smartphone-like’ experience. What are the top three security challenges these platforms pose to the vehicle’s overall safety and passengers’ privacy?
NB: Unlike having proprietary software, as automakers used to have for their infotainment systems, when automakers bring in Android technology, they also bring in a handful of components which may contain extra vulnerabilities. This risk didn’t use to exist within the automotive industry, but is something that automakers must take into consideration. For the ‘smartphone-like’ experience to be successful, anyone should have the capability to decide which Apps they want to download and install on their vehicle’s infotainment systems. This creates a need for an App store, which in turn creates a need for third-party developers – the more the better. Yet, once you bring in this larger group of external actors, more vulnerabilities are added – either by oversight or malicious actors. While the benefits for the consumer are clear, the risks increase for automakers. The second challenge is related to the ecosystem, which connects the car with personal devices. Even if a system is secured from anything that might happen to the car, new issues could arise once the car is connected to a smartphone or even a WiFi hotspot. And the third challenge is keeping up to date. While our smartphones are being updated almost every night in one way or another, automakers are traditionally updating cars fewer than 4 times a year. If this does not improve, it means known vulnerabilities will not be fixed in cars, giving malicious actors great opportunity to exploit the situation.
Q: When it comes to securing a connected car, what keeps you up at night?
HTC: On an industry level, we’re probably losing some sleep thinking about automotive cybersecurity. However, on a HARMAN level, we see this as an opportunity to help OEMs protect their cars. HARMAN is a leading IVI (in-vehicle infotainment) provider, and with the market leaning toward Android IVI, we’re presented with a unique opportunity to deal with attack prevention, vulnerability alerts and mitigation of those vulnerabilities. In terms of Android specifically, it is widely deployed, and when multiple automakers are running the same OS, the chances of someone finding a weakness to exploit are higher. When an OS is open source, potential hackers can more easily find vulnerabilities. These are the types of things we’re constantly thinking about and looking for new solutions to mitigate!
Q: There seems to be an increased focus on regulation, first with ISO/SAE 21434 and now UNECE WP.29. What impact do these regulatory initiatives have on OEMs? What are some of the things that OEMs should keep top of mind?
NB: Until now, automakers didn’t need to concentrate as strongly on security. But these new regulations are raising the bar for the level of security, which is a good thing. Without them, automakers could be more vulnerable to cyberattacks. The regulations still provide plenty of flexibility for automakers, too. For example, there are guidelines that call for continuous risk assessment, but it is up to the automakers whether they assess the risks on a weekly, monthly, or annual basis. Of course, at HARMAN, we recommend performing it as frequently as possible. And, just like automakers have policies and procedures in the event of a recall or other events, the same operations should be in place in the event of a cybersecurity attack.
Q: What else should OEMs know about HARMAN’s unique approach to automotive cybersecurity?
HTC: HARMAN provides cybersecurity from the initial design phase through the entire vehicle life cycle. We’ve found this is the best approach, rather than trying to add security solutions as an afterthought. For example, our team is helping automakers drive digital expansion while managing risks without hindering growth. A flexible, far-reaching, and sophisticated suite of products and technologies, offering a scalable, end-to-end cybersecurity solution that protects and monitors cars today and in the future and mitigates potential vulnerabilities, keeping the car secured.
As a pioneer in automotive cybersecurity, and with a rich legacy in connected vehicle solutions under our belt, HARMAN has solidified its place as a trusted cybersecurity partner to vehicle manufacturers around the world. To explore our connected vehicle services and solutions, visit: https://car.harman.com/