In its meeting on July 22, 2022, the Supervisory Board of Volkswagen AG announced that the Chairman of the Board of Management, Herbert Diess, would be leaving the organisation by the end of August.
VW gave no specific reason for his departure, with the supervisory board saying it was decided by ‘mutual agreement’. Nonetheless, in view of the goings-on at the group in recent years, it is understood that the decision was driven by Diess’ inability to bolster the group’s software development, which set back the scheduled launch of new Porsches, Audis, Bentleys as well as the debut of VW’s initial rollout of ID models.
Reports from Europe suggest that Diess failed to turnaround Cariad, the VW Group’s software unit, and that may have eventually led to his downfall.
In an industry where the automobile is fast transforming from a hardware-based product to a software-centric electronic device on wheels, being ahead of the game is critically important. Even as the megatrends of electrification, automation, connectivity and digitalisation reshape customer expectations, manufacturers are turning to software to address them.
In the context of electric vehicles, for example, security risks are higher than they are for conventional vehicles as their reliance on software systems, network connectivity and wireless technologies makes them vulnerable to hacking.
Readers might recall a series of tweets by 19-year-old cybersecurity expert David Colombo in January this year, who discovered and exploited software vulnerabilities in over two dozen Tesla vehicles across 13 countries. He claimed he could remotely command those vehicles to open windows, unlock doors, and start keyless driving, among others. Although he clarified his experiment was not to demonstrate security flaws in Teslas – there weren’t any – but to highlight vulnerabilities in owners.
Clearly, with increasing complexities in vehicle architectures, the millions of lines of software codes, hundreds of ECUs and a growing range of sensors, cameras, RADAR and LiDAR in vehicles have made cybersecurity a top agenda in boardrooms.
Driving The Cybersecurity Agenda
One organisation, although just six years old, is doing industry-leading work in this domain, and is dedicated to provide the automotive industry end-to-end in-vehicle cybersecurity protection.
Provider of a cybersecurity DevOps platform, Jerusalem, Israel-based C2A Security is focused on the electric vehicle ecosystem, including the vehicle as well as the infrastructure around the vehicle. Roy Fridman, CEO, C2A Security is mindful of the challenges at hand, and believes manufacturers must focus on managing software at scale.
Most of the traditional processes that were good to develop a vehicle over the past hundred years is not applicable anymore, argued Fridman, and that would mean drastic and rapid change for manufacturers. Unfortunately, he laments that the pace they’re changing at isn’t fast enough, even though the development times in general are being pushed down.
“The industry is moving pretty slow, but at the end of the day, managing software at scale will be the key element in almost every aspect of the future of mobility. And a big part of it is to be able to manage cybersecurity software at scale,” Fridman says.
Manufacturers are aware they need to have leading-edge software to address the challenges of future mobility – and they need to ramp up real fast – but the reality is, the automotive industry is a very traditional mechanical industry and not a software-driven industry. And the transition isn’t going to be quick.
Building A Scalable Solution
The way to solve that, Fridman says, is utilising things that are well known and used in the IT sector. “That is the whole idea of DevSecOps of security as part of the DevOps platform – from development to operations and monitoring and back. The idea is to have a single pane of glass solution, a centralised system to manage the whole development and operation process,” says Fridman.
Essentially, C2A’s solution – EVSec – is an automated DevSecOps platform for cybersecurity designed to address the needs of the electric vehicle ecosystem, while also being compatible with combustion engine vehicles. Fridman says the system seamlessly identifies weaknesses and protects vehicles, chargers, charging stations, the electric grid and communications protocols.
Secondly, it is able to manage EV cyber complexity through automation. Fridman explains this is done from the standpoint of life cycle management, as the life cycle of DevOps requires a lot of planning.
“The last part is the problem is the multi-vendor ecosystem. We’re trying to allow the users of this platform to be able to share information and delegate information between the different vendors that are involved in the ecosystem, whether it’s the charging station provider, vendor, payment provider, and so on,” Fridman says.
Essentially, EVSec is a super set of C2A Security’s previous solution called AutoSec, which was also a life cycle management system or a DevOps system that was not uniquely focused on the challenges of the EV ecosystem or EVs. Terming EVSec a better, more capable product, Fridman says the next-gen solution can support more communication protocols, and hence, the ability to distribute protection is far broader.
The electric vehicle use case is 10 times harder, Fridman says, because they are actually more connected with more communication – with the need to have a vehicle-to-grid (V2G) communication beyond V2I and V2V. Imagine the complexities of having to ensure seamless communication across the entire ecosystem, including vehicles, OEMs, Tier 1 suppliers, software integrators, charging station vendors, payment providers, and the charging station operators.
A single cyber issue across this ecosystem could potentially wreak havoc, making it very hard to understand where it came from. This is where EVSec comes in, Fridman says.
Notably, the solution can be offered to all forms of vehicles – including three-wheelers, passenger and commercial vehicles. Flexibility, in fact, is one of the solution’s main benefits, claims Fridman, saying it adapts and supports different types of use cases.
C2A hasn’t done much work on the two- and three-wheelers yet, but has received some interest from companies on cybersecurity for smaller vehicles. In fact, it has engaged with a company that provides smaller off-road vehicles, Fridman confirms without letting out any further information.
“We haven’t had the pleasure yet of working on motorcycles, but I hope that someday we will also get there. There are companies working on advanced rider assistance systems and V2X solutions for motorcycles with their limited field of view. These are connected, software-based solutions. So, software is certainly coming to the small vehicles,” he says.
Go To Market Strategy
While it continues to scale up the technology solution, C2A has also been ramping up its global network – stitching together partnerships with bigger organisations.
One such partnership is with China-based operating system products and technologies provider ThunderSoft. The collaborators intend to provide cybersecurity solutions for the Chinese automotive industry – including OEMs and suppliers – to enable the development of intelligent connected and electric vehicles.
Likewise, in Brazil, the Israeli company has collaborated with the Stefanini Group to bridge the gap between product security and security monitoring. Stefanini's advanced Security Operations Centre (SOC) services and C2A Security's vehicle lifecycle cybersecurity solution is expected to offer a robust cybersecurity solution to the automotive industry, Fridman says.
The company continues to scout for more such strategic partnerships with big integration companies across the globe to resell and distribute its product.
Focus On India
In India, C2A is helping accelerate innovation within the Reliance group as a portfolio company of Reliance Industries. It is working very closely with Jio-BP on the aspects of EV charging security. Fridman is gung-ho about the unlimited potential of the Indian market, yet he knows – considering India is largely a small car market – the technology adoption in terms of speed, will be slower compared to a market such as China.
Having said that, once the software defined vehicle era kicks in in the Indian market, it will also offer a huge business opportunity. While Fridman didn’t to divulge more details owing to non-disclosure agreements, it is understood that C2A is talking to a “very big car manufacturer” in India; although these are initial discussions.
C2A is also in discussions with software companies in India to support its internal development. Although no concrete decisions have been made yet, Fridman is open to the idea of C2A partnering with some software companies in India, and would certainly consider setting up an office in the country in the future.
After much deliberations, the automotive cybersecurity regulations took effect in July this year. The adoption of UNECE WP.29 R155, and the ISO/SAE 21434 standard puts the responsibility over cybersecurity squarely on the manufacturer’s shoulders, requiring them to manage the risks associated with suppliers, service providers, and other organisations.
Fridman says this is a big milestone for this industry, and will help advance cybersecurity aspects of vehicles significantly. Although new software and cyber regulations are right now focused on the vehicles, but very soon the focus will be on the entire ecosystem – charging infrastructure, in particular.
The automotive industry continues its digital transformation, making the vehicle – whether small or big – more connected and automated. Amid such advances, the need to be able to manage software and be able to do proper cybersecurity software management is something that will need to happen across all types of vehicles. That is where C2A Security plays and hopes to deliver solutions irrespective of the size of the vehicle, or the segments they play in.