AUTOMOTIVE DATA PRIVACY: SECURING SOFTWARE AT SPEED & SCALE
The superhighway of connected car systems is widening, and it’s yielding greater volume and velocity of information across intravehicle and intervehicle networks.
But with speed and scale come new security concerns. Vehicles now boast more than 100 million lines of code, hundreds of task-specific microchips and multiple operating systems. With consumers increasingly prioritizing seamless service and security at scale, automotive data privacy is no longer a downstream concern — it’s a critical deployment.
Security and privacy are intertwined, but they’re not identical. Security focuses on defending internal protocols, such as a car’s operating systems and network components. Privacy focuses on protecting consumers’ personal data as it leaves the vehicle.
However, solving for security or privacy isn’t a binary choice. Companies must incorporate both to ensure automotive safety and attract new buyers.
Security & Privacy: Push & Pull
According to the IBM Institute for Business Value, 56 percent of executives think that automotive privacy and security will drive purchasing decisions. Customers have already made that leap; 62 percent said they would consider one brand over another if it had better security and privacy, according to a recent IBV consumer study.
Concerns around breaches are increasing. Some consumer advocacy groups are pushing for kill switches in connected cars to mitigate the damage a connected car could do if overridden by a bad actor, but, as Vice reports, vulnerabilities in two GPS tracking apps enabled a hacker to remotely cut engines at low speed and potentially cause huge traffic jams.
Consumers, meanwhile, are still willing to share their location, application and usage data in exchange for value-added features. But if pushed by breaches or lack of control, drivers and passengers will pull back data access.
Hard Pass, Soft Censure
The rapid uptake of connected vehicle technologies has prompted manufacturers to improve automotive data privacy controls, but rigor remains lacking. According to a Ponemon study sponsored by Synopsys, 63 percent of auto manufacturers say they test less than half their hardware. Meanwhile, even though automakers have employees charged with handling cybersecurity, the report found that just 10 percent have dedicated, multiperson cybersecurity teams. To bridge the gap between functionality and security, manufacturers must work with multiple software developers, vendors and suppliers.
But that bridged process weakens security. Consumers are willing to give vehicle hardware a pass for common wear and tear — air filters must be replaced, tires checked and engine oil changed — they almost immediately stop using software that doesn’t meet their expectations. Unlike physical components, even occasional software hiccups can dim consumer confidence and drive negative PR.
The Code is the Car
IBM’s Bridget van Kralingen puts it simply: "The last best experience that anyone has anywhere becomes the minimum expectation for the experience they want everywhere." For vehicle manufacturers, this means recognizing that the ubiquity of consumer mobile experience — i.e., the ability to seamlessly connect with services anytime and anywhere — informs their expectation for the in-car experience.
Code is no longer the underlying infrastructure of existing vehicles, nor is it a potential pathway to autonomous automobiles. Instead, the code is the car. To embrace this shift and improve privacy and security in automotive development, manufacturers must:
> Deliver over-the-air updates. Security threats don’t happen in isolation. To ensure that connected cars receive necessary firmware and software updates, continued investment in over-the-air delivery is essential.
> Defend digital footprints. Every digital action leaves behind virtual footprints. Rental vehicles capture smartphone data; eventually, mobile information could be stored on autonomous autos that aren’t owned by individuals but instead rented as a service. Automakers must develop ways to defend digital footprints at all points along the connected car ecosystem to assuage consumers’ privacy concerns.
> Deploy end-to-end security. As vehicles become part of the technology stack, end-to-end security becomes mandatory. This starts with advanced encryption to safeguard both internal data and connected consumer information, but it also demands regular risk assessments to identify vulnerabilities.
> Develop rigorous standards. Manufacturers understand the need for rigor in parts procurement; standards exist to evaluate products from first-, second- and third-tier suppliers and ensure consistent quality.
> Software requires the same approach but follows different rules. Automakers must first define what automotive security and privacy mean to their organization and then create digital supplier standards to ensure that applications meet corporate and consumer expectations.
Auto manufacturers must defend data at speed and scale. Effective adaption means embracing consumer expectations and recognizing that software isn’t just critical. In the quest to deliver automotive data security and privacy, car and code are indivisible.
Author: George Ayres - Client Partner, Automotive Industry, IBM Global Business Services