OTA Will Drive Cybersecurity Programs

ZF’s Brian Murray and GM’s Kevin Tierney listened as Dr. Andre Weimerskirch of Lear discussed OTA’s role in cybersecurity at the 2018 WCX. (Terry Costlow)

Connecting vehicles with the Internet means that cybersecurity is now a necessity that must be designed into nearly every piece of automotive hardware and software. Security schemes will have to include techniques for updating security software as threats evolve.

Vehicles are becoming part of the Internet of Things (IoT), but they’re also joining the Internet of Threats, Faye Francy told WCX attendees during a panel dubbed “CyberSecurity 2.0 – Collaboration, Incident Response and Automation.” Francy heads up the Auto-ISAC (Information Sharing and Analysis Center), which was formed by many OEMs and Tier 1s to work together to thwart hackers.

Panelists agreed that over-the-air (OTA) updating is a critical aspect of any cybersecurity program, since hackers will continually find new ways to attack connected products.

“OTA updating is absolutely the most important thing you can do in cybersecurity,” said Justin Cappos, a cybersecurity expert from New York University.

OEMs have been updating software through dealerships for years. That model probably won’t work given the need to regularly update cybersecurity software as hackers try new techniques for exploiting vulnerabilities. Some companies plan to start OTA programs in areas like infotainment before moving into powertrains and safety systems.

“We’re starting with modules that aren’t in the critical path,” said General Motors’ Chief Product Cybersecurity Officer Kevin Tierney. “We need to make sure those connections are secure. Over time, we will go into safety-critical modules.”

Many automotive companies have relied on proprietary technologies to safeguard software, but that approach may not work for cybersecurity. Do-it-yourself architectures for protecting over-the-air updates might have more vulnerabilities than protective schemes that have been reviewed by hundreds or thousands of engineers who attempt to breach the barricades.

“There are ways to do it right, and ways to do it wrong, so why not use a standard way that’s used by a lot of people?” said Dr. Andre Weimerskirch, VP Global Cyber Security at Lear Corp. “Companies need to have a software architecture that lets them update the majority of software without needing to recertify it.”