Focus: Once hacked, twice shy: How auto supplier Harman learned to fight cyber carjackers

By Tina Bellon
    LAS VEGAS, Sept 20 (Reuters) - When researchers remotely
hacked a Jeep Cherokee in 2015, slowing it to a crawl in the
middle of a U.S. highway, the portal the hackers used was an
infotainment system made by supplier Harman International.
    Harman, now part of Samsung Electronics  005930.KS , has
since developed its own cybersecurity product, and bought
Israel-based cybersecurity company TowerSec for $70 million to
help it overhaul manufacturing processes and scrutinize
third-party supplier software.
    The expensive efforts have prevented another public breach
and helped it become a key player in automotive cybersecurity,
but they show the strain suppliers and automakers face in
dealing with this new dimension of automotive technology.
    "At the end of the day, automotive is a very competitive
business with small margins. If a competitor wants to eat the
cost to win the business, you have to do the same thing," said
Geoffrey Wood, Harman's director of cybersecurity business
development, who joined the company in late 2016.
    The automotive cybersecurity market has seen exponential
growth. While global revenue was at around $16 million in 2017,
it is expected to reach $2.3 billion in 2025, according to IHS
Markit, driven by Harman, Garrett Motion Inc  G02.F , German
suppliers Continental AG  CONG.DE , Robert Bosch  ROBG.UL  and a
range of smaller U.S. and Israeli companies.
    Securing cars from hackers is a complex task for these
companies. Modern vehicles run on 100 million lines of code, are
equipped with hundreds of different technologies and can have up
to 150 electronic control units using various operating systems.
    Unlike consumer electronics, cars can stay in use for
decades, long after operating systems and component software
cease being supported through updates that patch vulnerabilities
- a challenge the industry is still grappling with.
    Automotive cybersecurity requirements now number in the
hundreds of pages from just a page five years ago, according to
interviews with a dozen automotive cybersecurity professionals. 
    For its 2024 vehicles under development at BMW AG  BMWG.DE ,
for example, suppliers are required to ensure that driving
system control units have no direct connection to customers'
internet-connected devices, said Michael Gruffke, head of
security system functions at BMW, which sources parts from
Harman.
    Small auto suppliers with thin profit margins are often the
weakest link for hacks, said Rotem Bar, a cybersecurity
professional until recently at Israeli company CyMotive which
has partnered with German automaker Volkswagen AG  VWOG_p.DE . 
    But automakers typically still hand off testing and ensuring
the security of data systems to their subcontractors, industry
experts said. 
    "It's really shifting the burden onto the suppliers because
the automaker is not able to test and verify everything along
the supply chain," said Dennis Kengo Oka, senior solutions
architect at Synopsys Inc  SNPS.O , who conducts research on
automotive cybersecurity.
    At BMW, more than 70% of the components in its vehicles are
manufactured by suppliers. "We therefore must expect our
partners to take responsibility for implementing cybersecurity
in respective deliveries," the automaker said in a statement.  
    General Motors  GM.N  said in a statement that it handles "a
significant amount of work" related to security and testing
without passing the expense to its supply chain partners. 
    Ford Motor Co  F.N  and Fiat Chrysler  FCHA.MI  did not
respond to requests for comment. Volkswagen and Daimler AG
 DAIGn.DE  declined to comment. 
    
    BUILDING CYBERSECURITY BUSINESS
    Harman saw its Jeep hack experience as a viable business
opportunity: the supplier today sells cybersecurity software
that allows automakers to monitor their fleets and provide
over-the-air software updates. Analysts at IHS Markit consider
Harman one of the top players in that segment, with some 20
automakers using its over-the-air services. 
    Harman does not break out revenue for that business. But the
company does try to recover some costs by charging higher prices
for advanced security.
    "We have to educate our sales people in conversations with
carmakers' purchasing departments and say 'don't let this go
without adding cybersecurity to your quote'," said Amy Chu,
Harman's senior director of automotive product security.
    Asaf Atzmon, the Israel-based vice president and general
manager for automotive cybersecurity, said Harman has come a
long way since he joined in March 2016 as part of the TowerSec
deal.
    At the time, Harman employed only some security architects,
and the company later changed its organizational structure,
appointing or hiring professionals such as Wood and Chu to
oversee cybersecurity efforts, Atzmon said. 
    The changes helped Harman consider cybersecurity issues at
every stage of the production process, creating a checklist for
engineers that includes scanning third-party software for bugs,
increasing Harman's own cybersecurity defenses and creating a
risk analysis of potential vulnerabilities for every component. 
    Instead of simply adding comfort features such as Bluetooth,
for example, designers now first have to show how they would
secure such a connection.
    A particular challenge is securing vehicles over their
entire lifecycle, said Chu. Cybersecurity professionals are used
to simply issuing software patches, but automotive engineers
caution that only a fraction of vehicles can receive
over-the-air updates.
    During the Jeep hack, costly recalls had to be issued for
1.4 million vehicles to fix software flaws at dealerships. Tesla
Inc  TSLA.O , which offers over-the-air updates as a standard
for even safety-critical functions, is so far the exception. 
    "Things are just not that easy for us in the auto industry,"
said Chu.
    Conscious of the many challenges, the industry over the past
years has come together in a rare show of collaboration.
Automakers in 2015, soon after the Jeep hack, created a group to
share threats and vulnerabilities and companies currently try to
define industry-wide cybersecurity standards that in turn could
lower costs to suppliers. 
    Still, common standards are not expected to be published
before next year. And some of the standards might be watered
down to protect smaller suppliers and ensure they have the
resources to comply, said Victor Murray, a group leader at the
Southwest Research Institute, which tests cars and components
for cybersecurity vulnerabilities.
    "You want to be careful and not box anybody in because if
smaller suppliers get overwhelmed with mandates they're out of
business," Murray said.

 (editing by Edward Tobin)
 ((Tina.Bellon@thomsonreuters.com; +1 646 573 5029; Reuters
Messaging: tina.bellon.thomsonreuters@reuters.net; Twitter
@TinaBellon))
