IoT Cybersecurity Startup Landscape (Part 1) — Connected Vehicles
State of the Market
The automotive industry is continuously transforming under 3 major trends: autonomous driving, electrification and smart mobility. Increased connectivity has made it possible to meet new demands through business model and technology innovation, as well as making driving experiences safer and more enjoyable. Nowadays, millions of vehicles on the road are already connected via telematics or by in-vehicle apps, and this number keeps growing. New vehicles rolled out to the market by the top automotive brands are all connected now. At the same time, autonomous driving has moved beyond testing and simulation to pilot programs, which requires high levels of connectivity, navigation capabilities and data processing.
The internal computational structure of autonomous and connected vehicles is largely coordinated through electronic control units (ECUs), which are frequently connected via a controller area network (CAN) “bus” that acts as a backbone for electrical signals to pass between ECUs. A modern vehicle operates dozens of ECUs that control everything from wipers to braking and even steering. With the application of partial vehicle autonomy, computers increasingly perform a number of driving functions for the driver.
Just to give you an idea — an average vehicle nowadays typically runs on 20–30 million lines of code across 50–60 electronic control units (ECUs) and more than 80 microprocessors, controlling everything from the infotainment system to critical software and powertrain functions. Luxury vehicles may contain up to 50 million lines of code and 100 ECUs.
Technology advancements have created new problems
Unfortunately, the connected car ecosystem has given rise to a variety of new cybersecurity risks, as a result of improved internet connectivity and an overabundance of complex software. The risks exist both throughout the value chain and in the car components themselves. Each component of the vehicle can be at risk of cyberattack, resulting in a variety of related safety, security and privacy concerns — the diagram below illustrates some of the main vulnerabilities so far.
Popular attack vectors include remote keyless entry systems, manipulation of car control systems and data breaches. While some introduce low physical risk, such as the unlock function, which is mainly associated with theft of or damage to the vehicle, others are safety-critical and can have a real and devastating impact on human lives (e.g. taking remote control of a car while it is driving at very high speeds).
Upstream Security’s repository of reported automotive cyber incidents targeting the smart mobility ecosystem shows a rapid growth in cyber-attacks in the last few years.
Stakeholders are unprepared
Without effective cybersecurity measures in place, the number of cyber attacks on the connected car ecosystem will keep increasing at a very fast pace. Important stakeholders are aware of this problem, but are struggling to secure the technologies in their products — this includes OEMs and their suppliers. Unfortunately, cybersecurity practices have not kept pace with the ever-evolving security landscape. Not all automakers have a software update delivery model that addresses critical security vulnerabilities in a timely manner. Many security patches and updates are still delivered through procured software, components and systems, while others are through wireless communications technology connected to personal computing devices. Most companies use key management systems (the management of cryptographic keys, including generation, exchange, storage, use, and replacement of keys), but about half of companies still use a manual process to secure their vehicles.
A big problem is that security vulnerabilities are being assessed far too late in the product release process, with less than half of companies assessing them in the design phase or the development and testing phase. The most common security activities in the industry show that cybersecurity isn’t being fully integrated throughout the system development life cycle. Over a third of the industry is not using accepted secure software development life cycle (SSDLC) practices, leading to vulnerabilities in new technologies and components.
Automotive cybersecurity regulations have been introduced due to interest from different stakeholders, including governments, industries and end-users. There is a clear demand for increased security, and regulations are an effective way to enforce change.
The recently passed UNECE/WP.29 regulation requires automotive organizations to secure software updates and detect them within the lines of code of each vehicle’s software. This requires manufacturers to understand their software’s behavior and present data to comply with the regulation. OEMs that don’t comply with the new regulation will face a wide range of consequences, including trade barriers.
Nevertheless, since UNECE/WP.29 doesn’t specify how regulatory requirements need to be met, OEMs can implement different mitigation strategies and use standards such as ISO 21434 to showcase regulatory compliance. ISO/SAE 21434 is a baseline for vehicle manufacturers and suppliers to make sure cybersecurity risks are effectively managed. The standard provides a cybersecurity framework with the goal of ensuring user safety and driver security.
What are the solutions offered by startups?
There’s a wide range of startups working to improve the security of the connected car ecosystem, and they fall primarily into two sectors:
- Pre-Market: solutions that help secure firmware, hardware-level components and supply chains for connected vehicles. This includes providing compliance, licensing and governance to stay up-to-date with the latest market changes.
- Post-Market: post-deployment solutions that provide ongoing monitoring of cyber risks in connected vehicles. These detect and protect networks and devices against threats by using real-time threat intelligence, continuous monitoring and risk mitigation strategies.
Successful startups will have working models that are synergistic to the established processes in the more conservative automotive market, while offering software solutions that are easily integrated into existing and future automotive systems and architectures.
Unfortunately, this market hasn’t taken off. The automotive cybersecurity industry is still in its infancy as corporations are still in the education phase. Still, I expect to see more consolidation of the market as it matures in the upcoming years, as we’ve already seen so far. Some important past acquisitions include the following:
These acquisitions have been undertaken by organizations looking to secure their own smart mobility ecosystems. Moving forward, I believe acquisitions will be led by IoT cybersecurity companies looking to expand their footprint into the automotive cybersecurity sector, once this market matures more. Similar to enterprise security, this won’t be a winner-take-all market. Instead, there will be category winners for different layers of the connected car. Since automotive cybersecurity technology is still in its infancy, it remains unclear what type of approach will get good market traction.
In Part 2 of this four-article series, I’ll be covering the state of the medical device cybersecurity startup market.
Special thanks and shout-out to my colleague Ravi Mulugu, who provided me with insights to bring this piece together.
Feel free to add me and message me via LinkedIn — I’m always happy to exchange thoughts: https://www.linkedin.com/in/dennisfromperu/
Disclaimer: This blog represents solely my own opinions, not my employer’s.