Cybersecurity and the Automobile Industry

In the metro-Detroit area, the primary industry and revenue force is the auto industry. This is clear due to the number and concentration of the vehicle manufacturer headquarters, assembly plants, and admin offices. As these vehicles are designed and engineered, they require cybersecurity testing. This ensures that as much as possible the vehicles are safe and secure from being successfully attacked. Cybersecurity for present connected vehicles and future autonomous vehicles is paramount. Without this in place and the vehicles being actively, directly tested, any vehicle on the road would not be safe itself or from other vehicles which could be hijacked by cybercriminals.

To accomplish this vast task, vehicle manufacturers require qualified people to complete the testing. This does not appear to be a significant issue. There are jobs to fill in a technology area creating a demand for years, and there should be people to fill the open positions. Unfortunately, this is not remotely the case. This is occurring presently in the field for many reasons. The primary reason for this is that the available individuals with cybersecurity skills are limited. The individuals with the skills and experience to test the cybersecurity of embedded, equipment is rather narrow. Of this narrow field, the applicants need to be vetted not only for their technological prowess, but also for their ethics, as there are bad apples present who would not morally do the right thing 100% of the time. Based on this, the need/demand is far outpacing the available pool of talent. This is further exacerbated due to this need being across several industries, not only auto manufacturers.

As an option, the manufacturer may reach out to third parties to complete a portion of the testing. The manufacturer may also incorporate a bug bounty program into their process. Programs like this would pay independent cybersecurity individuals or groups when they find and report a bug in the manufacturer’s product. By using a program as such there are a great number of persons reviewing the product and are paid for their time if a bug is found. GM and FCA’s Bug Bounty programs are well known.

There are a limited number of universities and colleges attempting to train persons for this vast need. There are also contests in which high school and college students may apply to be in to learn the basics. This will assist with increasing the pipeline for the needed cybersecurity talent, and that need to going to grow in the years ahead.

About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.