7 minute read 30 May 2019
Young woman holding smartphone, view through parked car.

Five ways to help prevent cars being hacked on the highway

By EY Americas

Multidisciplinary professional services organization

7 minute read 30 May 2019

As connected cars plug into various networks, they become more vulnerable to hackers. How can they be protected against cyber threats?

Technology advances in automobiles are producing amazing opportunities for automakers and consumers alike. There are times, however, when the enthusiasm for technology becomes tempered by fear.

Consumers’ fears of the potential for cyber events to impact their vehicles are well-founded. Intelligent safety systems, increased automation, greater connectivity and the pursuit the autonomous driving all rely on technology. As a result, they present ripe environments for nefarious and potentially deadly cyber activity.

Security exploits of modern vehicles to date have been mostly an area of focus for researchers working to demonstrate the possible cybersecurity implications, and raise automakers’ awareness and investments in product security. As vehicles continue to evolve into modern platforms for service delivery, the amount of personal data that vehicle systems collect and process, with all its monetization potential, is likely to catch the attention of cyber criminals, further elevating modern vehicles into lucrative targets for cyber attacks.

Until recently, cybersecurity was something automakers worried about at head office. Concerns over the security of the perimeter, the protection of intellectual property and the uptime of core systems established cybersecurity as an IT function, largely isolated from the broader business agenda and priorities.

With the advent of connected vehicles and intelligent mobility, cybersecurity is no longer only a risk management function but also a core enabler of innovation and growth. Current market dynamics reward speed to market. The new economy will require this concept to be reversed so that trust that drives customer loyalty becomes the measure of success. Regardless of the tremendous innovations that are rapidly reshaping today’s vehicles, without inherent consumer trust in the product, we may never reach our autonomous-driving ambitions.

Consider cybersecurity across four domains

Whether it is developing new vehicle features, defining new mobility service offerings, improving the vehicle financing experience or exploring strategic partnerships, cybersecurity must be a consideration across four critical domains. These domains tie cybersecurity directly to automakers’ business objectives.

  • Protect employees and consumers. Intuitive, safe user interfaces, seamless authentication, excellent interoperability and dependable performance must deliver differentiated services to consumers. As companies continue to focus on reinventing the consumer experience, cybersecurity plays a vital role in supporting a smooth journey by securing sensitive data and core processes, and by providing services in a way that maintain trust.
  • Protect products and services. Safety is not a new concept for automakers. Cybersecurity must be exposed to the same level of rigor as the safety standards for the physical vehicle. Product design and engineering practices must embed security concepts and controls across the entire product development life cycle. Secure coding techniques and developer training, software update processes, threat modeling, robust application vulnerability discovery, appropriate penetration testing, rigorous supply chain security and third-party risk management practices help to identify issues early so they can be addressed promptly. Automakers also must consider the cybersecurity issues that may evolve in legacy products and have a plan to address them.
  • Protect production and operations. Plant environments, often perceived as isolated from corporate networks, are frequently not. Production historians and other manufacturing process monitoring systems are always in direct communication with corporate systems — feeding valuable production data and receiving production planning input in real time. To stay ahead of threats, auto companies must adopt nonintrusive, technology-enabled and data-driven processes for production floor risk identification, quantification and proactive remediation.

These actions will become even more important as factories and supply chains become more tightly connected with the shift toward Industry 4.0, and as the availability of data that provides unprecedented efficiency and insights increases exponentially. With greater reliance on smart technology, robotics and additive manufacturing, concerns around quality, safety and counterfeits will assume different dimensions, and the lines between our cyber and physical world will become more blurred.

  • Protect business and branding. In an industry where rivals join forces in business joint ventures, where the supply chain is increasing in size and complexity, where cross-sector competition is disrupting automakers, where automakers are constantly experimenting with new business models, and where new connected car features launch with astonishing speed, automakers need to build agile cybersecurity programs capable of keeping pace.

For today’s automakers, strong cybersecurity can mean the difference between evolving the business and being out of business. Given the pervasiveness of technology in every aspect of an automaker's business, cybersecurity must be treated as a business imperative, upon which the automaker’s survival depends.

This, of course, will present resource challenges that automakers must address. Already, dynamic changes within automakers’ talent pools are underway. As automakers simultaneously redefine themselves as technology companies, the need for mechanical and electrical engineers, while still critical, will diminish in favor of software engineers and technology innovation designers. Similarly, automakers will want to consider cybersecurity professionals as equally integral to the business as other technology-inspired roles across the enterprise, rather than seeing them only through the lens of IT.

Five ways to turn risk into value-driven opportunity

Automakers can protect the consumer, the vehicle, the production and the business, and turn risk into a value-driven opportunity through five meaningful approaches:

  1. Secure continuous support and investment from leadership. Cybersecurity is a journey rather than a destination. As such, it’s important to secure ongoing senior leadership support and appropriate resource investments for a sustainable, adaptable cybersecurity strategy.
  2. Create a cyber risk culture that aligns with the business strategy. Cybersecurity is the largest function in any company because every person in the extended enterprise has a role. A successful cybersecurity strategy depends on the company adopting a cyber risk-aware mindset. Cybersecurity should become a consideration in every decision across the organization — from the shop floor to the executive boardroom.
  3. Build a cyber services portfolio. The right cyber services portfolio, one that is aligned with leading practices, business and market needs, regulatory requirements and risk tolerance can deliver value quickly and consistently. Cybersecurity cannot be a check-the-box compliance exercise. Rather, it must provide real capabilities and services that produce defined and expected outcomes that benefit the organization.
  4. Develop a scalable cybersecurity operating model. A cybersecurity operating model should be capable of delivering scalable, consistent, outcome-focused cyber services to the business. It must facilitate the interaction and exchange of information, and the collection of reliable data, as well as the systemic analytics that make sense of the data for good decision-making. It also must support robust reporting and consistent mechanisms to communicate outcomes and value in an easily understood way.
  5. Source talent strategically. Strategic partners can help automakers optimize the use of talent and funding. The right balance of outsourcing, co-sourcing and professional services can augment in-house capabilities for greater impact and cost efficiency. Automakers will benefit more from focusing on outcomes that drive strategic value and innovation while having a trusted advisor they can turn to for the rest.

Together, the five steps can help manufacturers build cybersecurity programs that offer scalable and flexible capabilities in support of evolving business needs — at the heart of which is the desire to protect customer trust.

Cybersecurity is a business imperative

Everyone understands that the future of the automotive industry is less about making parts and more about delivering services. Consumers are moving toward a preference for using vehicles when they need them, and paying only for what they use. This sharing-economy mindset is impacting most industries. Consumer preferences are changing. Automakers must tune into these changing attitudes as well as the ways that related disruptions are impacting other industries. They can learn how other companies are adapting and find opportunities for growth.

An opportunity for partnerships or cross-industry collaboration are two such potential opportunities. These opportunities, and the new business models that flow from them, will also create their own set of security challenges that automakers may not yet be considering. Each new opportunity will require an assessment of the cybersecurity risk.

Ultimately, to thrive, the automotive companies of the future must take a new look at cybersecurity — one that recognizes the distinctiveness of all dimensions of cyber risk as they relate to business objectives and the unique challenges rapidly transforming the automotive industry.

Those who get it right will have the right to compete in the global market. Those who don’t will be left behind.


Each new opportunity that technology brings to the auto industry will have its own set of cybersecurity considerations. 

About this article

By EY Americas

Multidisciplinary professional services organization