Cybersecurity in automotive: Mastering the challenge
With the software content of cars increasing, what do automotive players need to know about cybersecurity?
This article was written collaboratively by the McKinsey Center for Future Mobility. The authors include Ondrej Burkacky, Johannes Deichmann, Benjamin Klein, Klaus Pototzky, and Gundbert Scherf.
The four ACES disruptions—autonomous driving, connected cars, electric vehicles, and shared mobility—have dominated the agenda of automotive industry leaders in recent years. These innovations, built on the digitization of in-car systems, the extension of car IT systems into the back end, and the propagation of software, turn modern cars into information clearinghouses while also making them tempting targets for cyberattacks. In our report Cybersecurity in automotive: Mastering the challenge, we worked with the Global Semiconductor Alliance to explore the consequences of this shift. We focused on providing a perspective on three key questions for the automotive industry:
What are the specific trends and drivers of cybersecurity in the automotive industry, and why will this represent a paradigm shift for the industry?
How are these drivers going to affect the automotive industry’s long-established value chains?
How can players inside and outside the industry prepare and position themselves for the upcoming market developments and anticipated segment growth?
Cybersecurity is becoming a new dimension of quality for automobiles
Over the last few years, the cyberrisk of connected cars has become clear as security researchers have revealed various technical vulnerabilities. In these cases, the researchers disclosed their findings to OEMs to help them fix the issues before malicious attackers could cause harm.
Currently, only narrow standards and guidelines exist for specific technical procedures for securing hardware and software in vehicles, such as standards for hardware encryption or secure communication among electronic control units (ECUs). That will soon change, however. The World Forum for Harmonization of Vehicle Regulations (WP.29), under the UN Economic Commission for Europe (UNECE), is planning to release new regulations on cybersecurity and over-the-air software updates. These will make cybersecurity nonnegotiable for securing market access and type approval across UNECE WP.29 member countries (Exhibit 1).
While the UNECE WP.29 regulations on cybersecurity and software updates set a regulatory framework and minimum requirements for automotive players along the value chain, they do not include detailed implementation guidance for translating the requirements into concrete operational practices. However, the new International Standardization Organization (ISO)/Society of Automotive Engineers (SAE) 21434 standard, “Road vehicles—cybersecurity engineering” (still in draft), and ISO 24089, titled “Road vehicles—Software update engineering,” lay out clear organizational, procedural, and technical requirements for cybersecurity and software updates throughout the vehicle life cycle, from development to production to after-sales.
These standards will allow the industry to implement common cybersecurity practices specific to vehicle development and manufacturing. They will also allow an assessment of adherence to the practices and attestation by third parties, which can be used between industry players to demonstrate adherence to the standards, for example, in contracts between OEMs and suppliers.
Securing hardware and software in modern vehicles will require new skills and talent
To secure hardware and software while meeting regulatory requirements and customer expectations, current automotive employees will need new skills and ways of working throughout the entire development cycle, including the phases involving specification, design, development, integration, and testing (Exhibit 2). Employees in other areas, such as procurement, project management, dealerships, and customer communications, will also need upskilling related to cybersecurity.
In addition to upskilling employees, OEMs and other companies along the value chain must establish stricter cyberrisk-management processes and compliance documentation. The decision to modify systems or adopt new ones often depends on a company’s organizational structure and maturity. Companies may also need to adjust roles, responsibilities, and formal processes for assessing and managing cyberrisks to vehicles.
In the new environment, OEMs will need to respond immediately to security incidents, including those in which companies discover a new or potential vulnerability, or in which their vehicles are attacked by malicious hackers. This will require organizational, procedural, and technical capabilities for detecting and addressing cybersecurity events. Providing security patches throughout the full vehicle life cycle will also be essential for safe vehicle operation. Vehicles are often driven for ten years or even longer, requiring regular updates over a very long period. This makes them more akin to aircraft or vessels, which see software updates provided over longer periods than those for consumer products, such as PCs, smartphones, tablets, and smart appliances.
Automotive cybersecurity is expected to nearly double in the coming decade
We have broken down the automotive cybersecurity market into three elements: cybersecurity hardware, cybersecurity-related software-development efforts, and cybersecurity processes and solutions. Based on external expert interviews, McKinsey analyses, and predictive modeling, we estimate that the total cybersecurity market will increase from $4.9 billion in 2020 to $9.7 billion in 2030, corresponding to annual growth of more than 7 percent (Exhibit 3).
To capture value in this growing cybersecurity market, players along the value chain are following different strategies. We expect to see a significant amount of change in the following areas in particular:
OEMs are pursuing vertical integration (for instance, by building their own cybersecurity components or even software stacks).
Suppliers are pushing their way up and down the value chain, such as by offering specialized cybersecurity-consulting services.
Start-ups are entering the market with innovative solutions, including specialized threat-detection applications or vehicle security operations centers (SOCs) as a service.
IT and operational-technology (OT) companies are expanding into the adjacent automotive-cybersecurity market (for instance, by offering back-end solutions or cybersecurity components).
Semiconductor companies are pushing their way up the value chain through various measures, such as by providing software that is optimized for their chips.