By Pete Bigelow, AUTOMOTIVE NEWS

October 21, 2019

https://www.autonews.com/mobility-report/cybersecurity-firm-attracts-oe…

There hasn't been a high-profile car hack since researchers commandeered a Jeep Cherokee by remote control four years ago. That doesn't mean the threats have diminished.

On the contrary, cybersecurity analysts say they've observed a steady uptick in breaches related to car theft and ransomware-style attacks on vehicles. Automakers are continuing to address vulnerabilities and bolster their defenses.

The latest in those efforts came Monday, when multiple OEMs said they had invested in Israeli firm Upstream Security. Volvo Group, Hyundai and the venture capital arm of the Renault-Nissan-Mitsubishi alliance participated in the $30 million funding round.

Upstream's security measures are entirely cloud-based. Its platform ingests vehicle data, helping automakers detect and respond to breaches. The company says it has analyzed 332 incidents reported throughout the industry since 2010.

"A massive doomsday attack still hasn't occurred, and that's a good thing," said Dan Sahar, vice president of product for the company. "However, you look at more minor incidents, and there's a constant rise. You look at keyless fob entry, relay of key signals, hacking into mobile applications, GPS spoofing, things like that are ongoing and increasing in volume."

An Upstream analysis conducted this year provided new context for automotive cybersecurity. Researchers at the company say that more than 30 malicious attacks were detected in the industry in 2018, the first year that criminal-minded attacks outnumbered research- minded hacks.

While competitive pressures usually curb cooperation in other aspects of the auto industry, cybersecurity may be one area where OEMs are interested in sharing information.

More than 50 companies have joined the Automotive Information Sharing and Analysis Center, or Auto-ISAC, an industry-led consortium to establish best practices and share intelligence. It includes automakers, suppliers and autonomous-vehicle developers such as Waymo and TuSimple. Auto-ISAC holds its annual summit this week in Plano, Texas.

Though Upstream's platform and dashboards are customizable for individual clients, investments from multiple OEMs in the company's funding round may further signal a willingness to share threat information.

"In transportation, they do not historically discuss cyber risks openly," said Norma Krayem, senior policy adviser and chair of global cybersecurity and privacy policy at Washington, D.C., law firm Holland & Knight. "I do think we're at a point where it's perfectly fine to have a conversation, because it's an overall risk that everybody knows."

Those risks became apparent in February 2015, when Sens. Ed Markey, D-Mass., and Richard Blumenthal, D-Conn., issued a report that said only two of 15 automakers surveyed had the means to detect and respond to an infiltration in real time. In July 2015, researchers Chris Valasek and Charlie Miller showcased the potential danger, controlling a Jeep Cherokee that was traveling along a Missouri interstate.

Cybersecurity concerns further crystallized this past summer, when California nonprofit Consumer Watchdog released a paper titled, "Kill Switch: Why Connected Cars Can Be Killing Machines And How To Turn Them Off." Among the conclusions, the authors said an attack "targeting transportation infrastructure is a growing possibility," yet automakers aren't doing enough to safeguard their fleets.

In a May report, Upstream found that, with hundreds of millions of connected cars expected to be on the world's roads by 2023, the automotive industry faces $24 billion in risk exposure. That figure may help explain why the venture-capital division of Nationwide Insurance has joined the OEMs in funding Upstream.

Down the road, autonomous vehicles present another potential target that insurance companies want to better understand and protect.

"This is the beginning of the change," Sahar said. "You have to understand how to insure autonomy, and what happens when one autonomous system is at fault compared to another, and how to factor that into risk. The common denominator in those areas is data, and this is an area where we've started to see a lot of insurance companies look into this space."

Although the autonomous future is years down the road, Krayem said automakers can start addressing cybersecurity concerns today.

"That future does require a safety-centric focus, and though we're many years off from full artificial intelligence and full autonomy, the pro here is that they can build autonomous vehicles under security-by-design principles," she said. "They can bake in cybersecurity protection now, and not bolt it on after the fact."

Beyond the automakers and Nationwide, venture-capital firms Maniv Mobility, Charles River Ventures and Glilot Capital invested in Upstream's Series B funding round. The money brings the company's investment to date to $41 million.