Hacks Happen: Garrett’s Cybersecurity Solutions Help Safeguard Connected Vehicles
Having a strong cybersecurity solution is essential in today’s connected world.
In 2019, millions of people who live in certain major U.S. cities, including New Orleans(1) and Baltimore, were impacted by major cyber-attacks that have even led to the declaration of a state of emergency as the hackers held vital city systems and information hostage to ransom payments. This same situation could happen on a car or an entire fleet of vehicles, endangering drivers and exposing automakers and end users to various safety and financial risks. The entire digital world today is vulnerable.
Within the next five years, it is expected that all vehicles manufactured globally will be connected and interacting with varying digital ecosystems, yet the question has been raised whether vehicles appropriately shielded from hackers and malicious software. The amount of data produced and exchanged is expected to skyrocket and so, too, are the security concerns.
Garrett Motion recently secured a contract to implement its cyber solution on a mass-market production vehicle to be launched in the coming months with a major global automaker. Garrett on-board and off-board software solutions help to safeguard vehicles from cyber-attacks while simultaneously identifying other relevant vehicle defects, and understanding their root causes.
Below is a Q&A with Garrett Senior Vice President & Chief Technology Officer Craig Balis about the company’s cybersecurity approach and its importance to the future of safe and reliable connected vehicles.
Why does vehicle cybersecurity matter and are vehicles protected today?
It has been demonstrated that today’s cars can be hacked. Hackers take advantage of unprotected entry points – like a key fob, Bluetooth connection or the diagnostic port that exists on every modern vehicle – to gain access to the vehicle’s on-board computer and inject malicious software that can mimic normal commands. This means a stranger near your car, or even on the other side of the world, can potentially unlock doors, roll the windows down, or even manipulate the brakes and other essential safety systems. But the risks extend past the physical realm – location data, personal information and more can be compromised if hacked.
High-profile “white hat” hacks, which are typically done by cybersecurity specialists to expose vulnerabilities, in recent years have prompted OEMs to address their vehicle’s cyber weaknesses. Although some automotive players have patched some vulnerable components, today’s vehicles were not designed with security in mind, and may not be technically capable of adopting the on-board cyber solutions needed to fully protect cars, as recommended by several standards around the globe.
Implementing an effective cybersecurity solution is not a one-off action – it requires constant updates and monitoring. In the same way a PC requires regular upgrades to its anti-virus software, vehicles require the same level of attention. Understanding the auto industry’s development cycles, sensitivity to cost and complex ecosystem, it will take several years before full detection, protection, reporting and update mechanisms could be in place on all vehicles.
What does it take for vehicle and its ecosystem to be cyber-secure?
In the past, automotive cybersecurity typically focused on protecting a company’s vital internal files, like intellectual property, employee information, and customer data. Vehicles and ecosystems were not designed with security in mind, but this is changing. As connectivity brings many new use cases and applications that serve the entire ecosystem (predictive maintenance, use-based insurance, additional on-board streaming, etc.), automakers are now looking at cybersecurity holistically. This spans from the facilities where the vehicles are designed, the plants in which they are assembled, dealership tools and inventory systems, the communication channels to the vehicles, and finally, to the vehicle itself.
Several standards exist around the world today and they all converge on the same point – for effective cyber protection, vehicles need to adopt a multi-layer security system made of core ECU (Electronic Control Unit) functions protection, detection of new anomalies within the ECU or the vehicle networks, reporting and update mechanisms.
Cyber-securing a vehicle is an immense task, and the industry is getting more organized to address it on an individual basis and also collectively through groups like Auto-ISAC, which take aim at sharing information related to cybersecurity. Although the spirit of competition is high in the automotive world, cyber security can be an area where the key players opt to collaborate on generalized areas like best-practice industry standards as well as specific areas like emerging threat detection.
Is anything being done at the regulatory level?
In many places in the world we see standards and regulations coming into play. First, it focused on customer data protection, and now it is shifting toward vehicle security and safety. The California Consumer Privacy Act (CCPA), Europe’s General Data Protection Regulation (GDPR), China’s Cyber Act, the United Nations, International Organization of Standardization (ISO), Society of Automotive Engineers (SAE), all focus on cybersecurity regulations and standards definition for development and application to better protect drivers, passengers and vehicle manufacturers. Some regulations and industry standards are already in place, while more will be enforced starting in 2022 in Europe.
What is Garrett’s role and expertise in vehicle cybersecurity?
As an automotive technology supplier for more than 65 years, Garrett has relationships with nearly every global automaker. This global reach and experience provides our team with a deep understanding of how the industry works, from passenger automobiles to commercial on- and off-highway vehicles. Garrett’s legacy as an innovator and problem-solver contributes to its current role for taking on the underserved industry need for monitoring vehicle health, including cybersecurity. Garrett’s history has given the company access and means to translate cyber solutions applied in numerous industries, from homes and buildings to aerospace and, now, automotive, where we offer Intrusion Detection System (IDS) and Security Operation Center tools.
We are unique in this regard; not many Tier 1 suppliers, if any, bring our cross-industry experience and are able to accurately translate vehicle data into something actionable. Garrett has developed a unique methodology to understand the nature of an issue and its root cause, allowing it to be quickly addressed by the automaker or fleet owner.
Other industries have addressed the cybersecurity problem for a long time – can the automotive industry use those solutions?
Yes, of course. The key question is “how?” A car is not a personal computer nor a server. It is very complex even in just considering the number of models within a single carmaker’s brand. Additionally, the application of different driving styles and operating conditions, as well as vehicles changing hands across multiple owners and drivers all create variation. So, monitoring in real-time is not an easy accomplishment as the computing capabilities are still growing. It’s also important to point out the automotive industry is extremely sensitive to cost; any additional content or features on a vehicle must be effective and efficient.
Garrett’s software history trickles down from across industries, such as aerospace, defense, and oil and gas refining. Garrett’s foundation is built upon this ability to translate existing intrusion detection, protection, reporting, monitoring, and updating mechanism for the automotive world. These IT solutions covering back-end servers, manufacturing plants, and sensitive ground-to-air communication channels are absolutely applicable – and critical – to the automotive industry.
To learn more about Garrett’s cybersecurity offerings, see below.