Oddly, seven years after his death (in 1889), Ralph Waldo Emerson was credited with an even more succinct quote* than his original statement: “Build a better mousetrap, and the world will beat a path to your door” (*his original, long-winded quote talked about corn, pigs, knives and a “broad, hard-beaten road to [the] house”). Also ironically, more than 4,400 patents have subsequently been issued by the U.S. Patent Office for mousetraps, making it the “most frequently invented device in U.S. history.” And so choosing the better mousetrap would, in fact, be difficult, except that the whiskered threat is both well-understood and consistent. Thus, 140 years after Emerson’s passing, his prediction is accurate: the online shopper’s path is beaten to the door of the highest-rated product per user reviews.
This premise, however, is not as true for automotive cybersecurity providers despite growing demand during a rise in both cybersecurity attacks and certification requirements. The path to a sourced solution has historically been arduous for customers and cybersecurity providers alike. The reasons: the amorphous value proposition and the moving threat definition.
Amorphous Value Proposition
“It’s very vague at times,” states Argus Cyber Security’s co-founder, Oron Lavi. “For cybersecurity and especially automotive, it’s a discussion about what it means to be ‘better’. And ‘better’ has many different aspects. It’s not just about technology and catching an additional attack. It’s about balance. Cost. Complexity. Reliability. Long-term trust. When it comes to the actual security’s value, it can always be debatable and in the eye of the beholder.”
In fact, ‘value’ typically devolves into discussions about either Return on Investment (ROI) or margins; however, cybersecurity will never result in additional revenue for the automotive manufacturer, and ROI can only be calculated based upon a theoretical cost avoidance assuming associated reliability. For example, per WardsAuto three years ago, the average company’s reported cybersecurity cost was $7.7M, with the U.S. more than doubling that ($15.4M), but listing that as a savings requires the leap of faith that A) automotive would be attacked as much as the average company, B) the total clean-up and damage to revenue would be similar, and C) said hackers would be thwarted if protection was purchased.
“In a similar way to quality, the value ultimately is lowering the risk of something undesirable happening,” says Lavi. “Cybersecurity is a similar process, but one that the industry is still learning how to do properly.”
The Moving Threat Definition
The current-versus-future threats are constantly changing, nearly invisible and entirely unclear. It isn’t a semi-predictable, unintelligent mouse, but rather a completely unpredictable, malicious, intelligent hacker with various motives, tools, funding and talent.
“It’s not always clear what we’re protecting against,” states Lavi. “It’s not like we can say, ‘OK, we only have to protect against these ten threats that are occurring around the world.’”
Per SecureThings’s CEO, Vishal Bajpai, “Increased threats have made comprehensive cybersecurity a necessity. A consumer-advocacy group is putting it in starker terms: a mass cyberattack against vehicles could lead to September 11th level casualties. But what that attack might be is entirely unclear.”
That said, manufacturers have made several steps to get more intelligent on the matter. They have hired resources – both internally and consultative – to get wiser on cybersecurity design. They have helped formulate a standardized approach to enforce better ways of working within the supply chain. And despite some initial trepidation about exposure, they have begun sharing threat data within an organized forum (a.k.a. the Automotive Information Sharing and Analysis Center or Auto-ISAC).
“The discussion today between OEMs, Tier 1s and cybersecurity providers is much more mature,” states Lavi. “Argus started eight years ago, and the ecosystem was very different. Cybersecurity in automotive sounded like science fiction and was considered a very strange topic. That has changed a lot in the last 2-3 years, especially in having internal talent and understanding. They have much more often had a more proper Threat Analysis and Risk Assessment. Since the release of [the new ISO standards], we see a better formulation and understanding of the importance of what needs to be done.”
The Reality Of Choosing
The craziest part of selection previously had been the need by the cybersecurity supplier to also invent a plausible mouse that’s relevant to the potential buyer and show how his/her mousetrap was effective against the potential threat.
“We are working with many customers,” says Bajpai, “and what I have realized is that the onus is on us as a cybersecurity provider to show the value of our solution. We need to show them the security gaps and how our solution helps them by strengthening the system intelligently.” In the extreme example, that can be a hack of an existing architecture followed by an actual detection or protection. In other scenarios, it might be a theoretical situation followed by testing of slightly adapted defenses, e.g., calibrated machine learning. No matter what, it traditionally has been well beyond the typical sourcing for a purely mechanical product.
Now, though, the engineering and sourcing have changed. “In the past, it was much more academic,” states Lavi. “Manufacturers commonly had evaluations or bakeoffs. It was very popular, and also an important part of the learning process.” But customers have hired and learned over time.
And so the risk discussion has transformed from “How can you reduce my undefined risks from amorphous hackers?” to “How can I know that you will be a capable provider that’ll be here 15-20 years from now?” Much of that has to do with following companies that have transitioned from unsourced start-ups to production-proven providers. “We are headed to production later this year with a large, European commercial manufacturer and a large Tier 1 supplier,” states Bajpai. “That has enabled a lot of other [Proof of Concept tests] and other discussions.”
“We signed as many agreements during Covid as we did in the years prior and we will be in over 65 million vehicles by 2024,” states Monique Lance, Argus’s Senior Director of Marketing. “The discussion eventually evolves based upon existing relationships and trust. Our customers trust that we’ll be there to help them.”
And so the better mousetrap is, in the end, the one that persists.
Source: https://www.forbes.com/sites/stevetengler/2022/06/07/auto-cybersecurity-companies-challenge-is-now-proving-its-mousetrap-is-better/