COMMENT: FCA, the ‘canary in the coalmine’ for automotive cyber security

BY MARTIN KAHL. The auto industry’s just been issued with a 1.4 million unit cyber security warning. FCA took the hit – now the industry needs to ensure it doesn’t happen again

From the earliest days of 2015, it looked like cyber security would be the big automotive industry topic of the year.

Harman snapped up Red Bend in January, with cyber security ranking high on the checklist of reasons for the acquisition; and automotive cyber security has been a top topic of discussion ever since. It was a key underlying theme in the recent discussions over the acquisition of HERE; the unprecedented Audi/BMW/Daimler joint bid for Nokia’s mapping business saw Daimler’s Dieter Zetsche openly discuss the need to secure control of the software – and the security of the software – required for autonomous driving.

Earlier this year, a wormhole in BMW’s ConnectedDrive system was highlighted by a ‘white hat’ hack part-sponsored by Germany’s ADAC; BMW’s solution was to deliver an over-the-air (OTA) software patch to the affected cars within 24 hours. It’s a problem that probably should never have existed, but at least it was identified and solved, with no harm to customers or brand.

Last week, Fiat Chrysler became the first OEM to issue a recall for cyber security-related reasons. Unlike BMW, FCA can’t solve this one OTA, and has needed to recall 1.4 million vehicles to manually update the embedded software via USB (“updates can take up to 30-45 minutes and require that your vehicle be parked throughout the software update/installation process”), following the high profile hack of a Jeep Cherokee whilst being driven by Wired journalist, Andy Greenberg.

FCA may be the first OEM to issue a cyber security-related recall, but it won’t be the last. Maybe it takes high profile cases like this – and 1.4 million vulnerable (if not affected) cars is certainly high profile – to make the industry sit up and take the issue of cyber security as seriously as it does vehicle security and safety.

It’s worth noting that, in many languages, there’s only one word for safety and security. A hacked bank account or email address is an inconvenience; a hacked car could easily become a safety hazard, for the occupants and for those around the vehicle. Wired’s Greenberg described sitting in the frozen Cherokee on the interstate with a heavy truck bearing down upon him. “You’re doomed,” shouted the hackers.

Should cyber security be something that OEMs work on in isolation, with each developing its own solutions? The silo approach certainly has its benefits, preventing hackers from making a single attack on thousands or millions of vehicles across multiple brands all at once; but it also means a duplication of R&D to achieve effectively the same result. Identifying threats is crucial, which is where some kind of cyber security social network would come in handy; AlienVault recently discussed its Open Threat Exchange (OTX) with Automotive World. OTX lets OEMs, suppliers and other interested parties confidentially share information about threats and solutions.

The industry’s just been issued with a 1.4 million unit warning; FCA took the hit, but it’s just as easy to imagine it happening to another OEM. It’s time to take automotive cyber security seriously – really seriously – or the impact on the industry, on brands, on individuals’ livelihoods and lives could be so much worse than a fast-approaching 18 wheeler. Pessimistic and hyperbolic? Take a look in your rear-view mirror…


Martin Kahl is Editor, Automotive World
