Once hacked, twice shy: how auto supplier Harman learnt to fight cyber car hijackers

When researchers remotely hacked a Jeep Cherokee in 2015, slowing it to a crawl in the middle of a US highway, the portal the hackers used was an infotainment system made by supplier Harman International.

Harman, now part of Samsung Electronics, has since developed its own cyber security product, and bought Israel-based cyber security company TowerSec for $70m (just over R1-trillion) to help it overhaul manufacturing processes and scrutinise third-party supplier software.

The expensive efforts have prevented another public breach, and helped it become a key player in automotive cyber security, but they show the strain suppliers and  car makers face in dealing with this new dimension of automotive technology.

"Automotive is a very competitive business with small margins. If a competitor wants to eat the cost to win the business, you have to do the same thing," said Geoffrey Wood, Harman's director of cyber security business development, who joined the company in late 2016.

The automotive cyber security market has seen exponential growth. While global revenue was at around $16m in 2017, it is expected to reach $2.3bn in 2025, according to IHS Markit, driven by Harman, Garrett Motion Inc, German suppliers Continental AG, Robert Bosch and a range of smaller US and Israeli companies.

Securing cars from hackers is a complex task for these companies. Modern vehicles run on 100-million lines of code, are equipped with hundreds of different technologies and can have up to 150 electronic control units using various operating systems.

Unlike consumer electronics, cars can stay in use for decades, long after operating systems and component software cease being supported through updates that patch vulnerabilities - a challenge with which the industry is still grappling.

Automotive cyber security requirements now number in the hundreds of pages from just a page five years ago, according to interviews with a dozen automotive cyber security professionals.

For its 2024 vehicles under development at BMW, for example, suppliers are required to ensure  driving system control units have no direct connection to customers' internet-connected devices, said Michael Gruffke, head of security system functions at BMW, which sources parts from Harman.

Small car suppliers with thin profit margins are often the weakest link for hacks, said Rotem Bar, a cyber security professional until recently at Israeli company CyMotive, which has partnered with Volkswagen.

But car makers are typically still hand-testing and ensuring the security of data systems to their subcontractors, industry experts said.

"It's really shifting the burden on to the suppliers because the car maker is not able to test and verify everything along the supply chain," said Dennis Kengo Oka, senior solutions architect at Synopsys Inc, who conducts research on automotive cyber security.

At BMW, more than 70% of the components in its vehicles are manufactured by suppliers.

"We therefore must expect our partners to take responsibility for implementing cyber security in respective deliveries," the automaker said in a statement.

General Motors says it handles "a significant amount of work" related to security and testing without passing the expense to its supply chain partners.

Ford Motor and Fiat Chrysler did not respond to requests for comment. Volkswagen and Daimler declined to comment.

Building cyber security in business

Harman saw its Jeep hack experience as a viable business opportunity. The supplier today sells cyber security software that allows car makers to monitor their fleets and provide over-the-air software updates. Analysts at IHS Markit consider Harman one of the top players in that segment, with around 20 car makers using its over-the-air services.

Harman does not break out revenue for that business, but the company does try to recover some costs by charging higher prices for advanced security.

"We have to educate our sales people in conversations with car makers' purchasing departments and say 'don't let this go without adding cyber security to your quote'," said Amy Chu, Harman's senior director of automotive product security.

Asaf Atzmon, the Israel-based vice-president and general manager for automotive cybe rsecurity, said Harman has come a long way since he joined in March 2016 as part of the TowerSec deal.

At the time, Harman employed only some security architects. The company later changed its organisational structure, appointing or hiring professionals such as Wood and Chu to oversee cyber security efforts, Atzmon said.

The changes helped Harman consider cyber security issues at every stage of the production process, creating a checklist for engineers that includes scanning third-party software for bugs, increasing Harman's own cyber security defences and creating a risk analysis of potential vulnerabilities for every component.

Instead of simply adding comfort features such as Bluetooth, for example, designers now first have to show how they would secure such a connection.

A particular challenge is securing vehicles over their entire life cycle, said Chu. Cyber security professionals are used to simply issuing software patches, but automotive engineers caution that only a fraction of vehicles can receive over-the-air updates.

During the Jeep hack, costly recalls had to be issued for 1.4-million vehicles to fix software flaws at dealerships. Tesla Inc, which offers over-the-air updates as a standard for even safety-critical functions, is so far the exception.

"Things are just not that easy for us in the auto industry," said Chu.

Conscious of the many challenges, the industry over the past years has come together in a rare show of collaboration. In 2015, soon after the Jeep hack, car makers created a group to share threats and vulnerabilities and companies currently try to define industry-wide cyber security standards that in turn could lower costs to suppliers.

Still, common standards are not expected to be published before next year. Some of the standards might be watered down to protect smaller suppliers and ensure they have the resources to comply, said Victor Murray, a group leader at the Southwest Research Institute, which tests cars and components for cyber security vulnerabilities.

"You want to be careful and not box anybody in because if smaller suppliers get overwhelmed with mandates, they're out of business," Murray said.