Smart technologies are now present throughout automotive supply chains. Is enough being done to protect them from possible cyber threats?
On the one hand, new technologies enable more efficient running of automotive supply chains. They make it easier to manage complex processes across a fragmented sector. In addition, manufacturers are producing cars with increased connectivity as ‘smart’ products and digitisation become the norm. On the other hand, the increasing complexity of cars and their software has made them more vulnerable to hacking. Frightening stories about vehicles being hijacked remotely could make consumers demand swift action.
As research identifies vulnerabilities in automotive supply chains, supply chain directors need to act to prevent danger to passengers, as well as threats to revenue.
Keeping up with fast-moving tech is a necessity, so where do the dangers lie and what are the biggest risk factors?
The industry view
Recent research by the USA’s Society of Automotive Engineers (SAE) and Synopsys, a cybersecurity firm, surveyed 593 industry professionals involved in automotive technology security. The survey highlighted the industry’s fears about its own vulnerability. It identified factors like pressure to meet product deadlines (reported by a huge 71% of respondents) as contributors to cybersecurity failings. 50% of respondents reported an absence of quality assurance and testing, while 30% said their organisation had no product cybersecurity team. A lack of understanding of, and training in, secure coding was also pinpointed.
Multinational auditor and consultancy firm PricewaterhouseCoopers is just one commentator that points to the automotive sector’s supply chains as an ‘entry point’ for hackers (along with factory machines, auto finance arms and 3D printing). Supply chain software is frequently singled out as not keeping pace with the rate of technological change. The SAE survey revealed a general perception that both manufacturers and third-party suppliers were simply unprepared for challenges to their cybersecurity.
What could cyber threats mean to the automotive industry?
A lack of cybersecurity represents a direct risk to car buyers, but there are other ways it could potentially harm profits. Here are a few key concerns supply chain managers need to be aware of, to prevent such issues arising in their own chains:
The ability to hack vehicle systems
Back in 2015, two security researchers took control of a Jeep Cherokee by accessing its internet-connected entertainment system. “They were able to turn the steering wheel, briefly disable the brakes, and shut off the engine.” The result was a US safety recall by Fiat Chrysler, affecting 1.4 million cars. Researcher Charlie Miller tweeted: “I wonder what is cheaper, designing secure cars or doing recalls?”
There is evidence that the theft of hacked vehicles can be an organised and targeted activity. An example is the brand-new Range Rover stolen in London after being tracked from the day it was purchased, in a planned theft enabled by hacking.
In a recent review of keyless entry cars, consumer magazine Which? criticised the continued use of such systems; of 237 cars tested, only three keyless entry systems could not be bypassed via alternative technology.
Factory slowdowns and loss of intellectual property
Illegal access to supply chain software could expose sensitive design and parts information. In a challenging market, supply chains must play their part in protecting the privacy of their automotive partners. Similarly, a factory slowdown (or even a shutdown) caused in this way could have catastrophic effects on revenue.
Theft of customer data
Currently, all eyes are on privacy and data compliance. The automotive sector needs to protect customer records, which it gathers along the supply chain – including sales, servicing and re-sale information.
Some years ago, one of the UK’s top banks famously left unshredded customer documents outside and unsecured while waiting for disposal. The slip caused consternation in the press, even before identity fraud was widely reported. This is an obvious example of a careless mistake, but one with parallels to current challenges: not addressing cybersecurity could make it equally easy to steal customer data.
Where do the risks arise?
If cybersecurity has the potential to become a big problem, where are the flashpoints supply chain managers need to be aware of?
The nature of the chain
In contrast to increasing interconnectivity between machines, supply chains themselves are increasingly fragmented. More parts to the chain mean more potential weak points. The industry needs to take a holistic view of cybersecurity since the effects could apply across the whole chain.
Cloud services make sharing access to files simple, so cloud-based systems are being used more frequently to share information between suppliers. Nonetheless, putting sensitive documents on the web could make them too easily accessible, whether the host service is encrypted or not. In the real world, not everyone follows best practice – another reason to pay attention to processes throughout the chain.
The Internet of Things
Yes, machines using the Internet of Things to communicate can increase efficiency. They can tell us, for example, how much room there is in a container, where that container is and when it is likely to arrive for reloading. However, communication also needs to be secure.
A recent healthcare conference provided alarming evidence of potential disruption to IoT devices. At the event, the security firm Medigate reported instances of ‘rogue traffic’ between CT scanners and incubators – devices which should not have been communicating. Medigate’s Paul Goldweitz said that he would take this type of unusual activity to be evidence of ‘a live attack’.
Such unforeseen events could also be read as a by-product of swift technological progress since any new device or process could have flaws or bugs. As Les Hatton, Emeritus professor of forensic software engineering at Kingston University, explains, premium car models now use up to 100 million lines of code. Since systems are statistically rarely error-free, this suggests the potential for ‘hundreds of thousands of hidden defects’.
‘Over the air’ updates
For most companies, OTA wireless software updates for vehicles have not arrived yet, but when they do, their security will need to be ensured. OTA remains a difficult area for other reasons too; this article argues that although Tesla recently fixed a brake problem wirelessly within days, such a rapid response would not be legal outside North America. Elsewhere, much more testing would be required. Wireless technology doesn’t just raise questions of security but of whether it is always wise to act with such great speed, even though new technology makes it possible.
The first and last line of defence
Leaving wireless systems undefended is a risky business. From physical dangers to consumers through to the increased risk of car theft and loss of sensitive information, the problems are worth taking seriously. The SAE’s engineers responded to their survey with many criticisms, but will anyone listen?
The automotive industry is often at the forefront of technology, so cybersecurity is not an arena in which it can rest on its laurels. Instead, supply chains are being alerted to where the vulnerabilities are, in order to prevent a perfect storm: unpreparedness, targeted hacking and widespread adoption of inadequately protected digital systems. The sector recognises that multiple layers of threat exist and the best providers are working with partners who can help mitigate those risks.
As a global supply chain specialist with a number of car manufacturers on our customer list, Unipart Logistics is one company seeking to address the cyber risk. We are focused on new ways of removing vulnerabilities from supply chains, including coupling advanced technologies with the best IT security processes.