Having sustained a pandemic, a geopolitical crisis, and the subsequent chip shortage, it is remarkable for the Indian auto sector to emerge as the third largest market globally. A powerful customer base, government-supported Production-Linked Incentive (PLI) schemes, a strong focus on Industry 4.0, and a burgeoning ecosystem for electric mobility herald a new era of growth and possibilities for the sector.
This comes alongside the changing consumer behaviour, wherein experience, trust, and safety are increasingly being prioritised. Access to the latest technologies and features is the top reason for choosing new vehicles, with consumers factoring in product quality, features, and brand image while transitioning from one brand to another. This shift further builds on the momentum for smart and autonomous vehicles, while putting a significant onus on the provider ecosystem to prioritise safety and security.
Cybersecurity is at the heart of this conversation
As vulnerable Bluetooth, Wi-Fi components, and applications become an integral part of the connected vehicle architecture, auto hacking becomes more prevalent. The attack surface continues to expand, as seen in CASE vehicles, with sensors, telematic control units, multimedia, and even charging stations. Dark web forums and marketplaces, alongside AI-powered tools, make tutorials and information readily available for even rookie attackers, to hack into vehicles and take control, eavesdrop, or engage in other malicious activities. In a recent incident, a group of researchers conducted a proof-of-concept hack by just getting their hands on the Vehicle Identification Number.
A car is hacked in the middle of nowhere, and a ransom is demanded or a car is hacked, and its advanced driver assistance system (ADAS) is manipulated – in all these scenarios, cybersecurity is akin to safety.
While vehicle security discussions have relatively become mainstream, one must note that vehicle manufacturing involves an intricate network of third-party manufacturers and suppliers, working in a distributed production environment. Any breach within the network has the potential to impact the whole supply chain, causing downtime, impacting operations, and the overall brand reputation, which the consumers are already taking note of.
In this tech-enabled future of vehicles and mobility, cybersecurity is not just ‘good-to-have’ but is foundational for security, safety, enablement, and scale. It must be seamlessly embedded across the whole ecosystem, from plants, products, and workforce, to suppliers and consumers.
Securing the future of auto with cyber
1. Securing the vehicle: Embedding security throughout the life cycle is key - from R&D and production to post-production and disposal. Secure software development life cycle (SDLC), third-party risks and control assessments, data protection and privacy, compliance assurance, and vulnerability management are just a few considerations. As per estimates, by 2033, level 3 autonomous passenger vehicles would amount to 50 million cars sold globally. Each of these cars, with Vehicle-to-Everything connectivity, generating copious amounts of data, and with 5G, communicating real-time with servers, are like computers on the road. For the safety of millions of such vehicles, a managed vehicle security operations centre (V-SOC), with real-time information and event management, incident response management, and forensic readiness are a must.
2. Securing the plant: Auto factories are getting modernised with AI-driven asset intelligence, IoT-enabled operations, and digital twin for simulations. With technology and digitalisation, the barrier between the IT and the Operational Technology (OT) environment is getting dissipated. OT assets with legacy systems and software and insecure protocols have inherent vulnerabilities, which must be noted while strategising for plant security. This calls for a comprehensive security assessment to understand maturity levels and existing gaps amid any transformation initiative and to take stock of all assets and IT-OT interfaces. A secured network segmentation model, privilege access management, data back-ups, third-party risk management, and end-to-end visibility and monitoring with incident response playbooks are crucial.
3. Securing the workforce: The auto workforce handles cutting-edge technology on a day-to-day basis with modern factories, product development on the cloud, and software/firmware updates happening over the air (OTA). Securing the data and the devices they handle, the access they are provided, communication channels and networks, with a strong focus on zero trust access are central to robust enterprise security. At the same time, the workforce must be cyber-savvy, and engaged through intuitive training and positive enforcement. Recognition of cyber-first behaviour and a strong cyber culture that’s promoted top-down goes a long way.
4. Securing the value chain: Inter-dependent value chains in the auto sector require every stakeholder to uphold the highest standards of security. Shared objectives and cyber KPIs for the partner ecosystem can bolster supply chain security. Consumer awareness is also key, with the need for cyber and privacy awareness around applications, connectivity, phishing campaigns, data sharing and consent. OEMs and suppliers have the responsibility to build trust and manage customer data in a safe and ethical manner, balancing privacy, and innovation.
5. The regulatory imperative: The global regulatory environment is highly dynamic and proactive. The UNECE, R155, and R156, the broad set of data protection requirements in various countries, the rising mandates on incident reporting (CERT-In, SEC, etc.), and auto regulations and regulators in India and globally (AIS, ARAI, BIS, NHTSA, TISAX, AutoSar, Aspice, etc.) make regulatory compliance a strong consideration for security leaders. The Indian regulatory environment is also changing with the forthcoming data protection law, which must prompt organisations to consider a privacy-first outlook.
The future of auto is expected to be hyper-connected, automated, and powered by 5G. As technology continues to unlock endless possibilities for this sector, cybersecurity will continue to play a paramount role in fostering safety and trust, and in shaping the future of mobility.
Praveen Sasidharan is Partner, Risk Advisory, Deloitte India, and Manishree Bhattacharya is Manager, Risk Advisory, Deloitte India