Published
The (Cyber) Security of Global Supply Chains: Is this a Blind Spot for Industry 4.0?
By: Lucian Cernat
Subjects: Digital Economy European Union
We hear a lot these days about the need to guarantee the security of global supply chains (GVCs) across a number of critical sectors. This is most visible in the automotive industry. Car manufacturers all over the world are halting or reducing their production due to a shortage in semiconductor components that are essentials nowadays for a modern car. As these shortages may not dissipate that quickly, industry experts and national governments are considering various responses to address the security of automotive supply chains.
The shortage of semiconductor components may lead to a different type of security issue: press reports indicate that, due to shortages of semiconductor components, some manufacturers have had to deploy car models that did not have all the modern, safety features (e.g. “intelligent” rear-view mirrors that monitor for blind spots). A quick visit to your local car dealer can confirm that these press reports are not just isolated incidents.
Growing safety concerns also affect the security of the “soft” components (e.g. embedded software) that are now sourced from complex global automotive supply chains. The automotive industry is a leading example of the Industry 4.0 revolution[1], involving complex global supply chains and a growing need for semiconductors and embedded software.
The cars of today (and even more so, those of tomorrow) are “computers on wheels”. Nowadays, cars have more embedded software than planes. The 787 Boeing Dreamliner has only around 6 million lines of software code while the Mercedes S-Class has around 100 million lines of code, 100 electronic control units, and 10 operating systems. By 2030, electronics are projected to make up around 50 percent of the cost of a new car (especially for electric cars with autonomous driving functions).
Source: Bloomberg, based on IHS and Deloitte analysis.
Electronic products within cars also “talk” to each other, storing and sending information about their performance and key functional parameters of your car. This is the Internet of Things (IoT), one of the key Industry 4.0 technologies. Overall, IoT spending is set to increase exponentially in the coming years and most of the spending will be on embedded software and services (also known as mode 5 services).
This significant increase in IoT related software is also triggered by potentially serious risks and major cybersecurity challenges. If one of the multiple embedded software components nowadays present in your car is vulnerable to online hacking, your life may be in danger. The famous 2015 Jeep Cherokee hacking by two researchers already demonstrated that a car could be controlled remotely via its IoT functionalities, often using the vulnerabilities found in electronic components provided by one of the many suppliers engaged in the complex automotive global supply chains.[2] This example is not unique and, if multiplied, this brings us close to a systemic problem in the classical sense of national security. A cybersecurity problem somewhere in the global supply chains may allow entire car fleets to be controlled remotely, due to a breach in the cybersecurity of just one car components. A small breach can easily become a “big hack”.
Securing the global automotive supply chains: the need for cyber crash-test standards
As they become critical components, embedded electronics can become the “Achilles’ wheel” for the car industry in the future. And this is not just a problem for the automotive sector. Despite continuous efforts and progress, industry experts consider that the vast majority of IoT systems worldwide are not yet cyber proof. There has been a 67% increase in security breaches in the last 5 years, according to Accenture. Experts also suggest that companies need to consider cyber-proofing both hardware and software components at the same time. This dual cybersecurity challenge stems from the fact that the hardware-software boundaries in the electronics supply chain are disappearing. In a world where billions of interconnected devices use various electronic systems, your product is only as good as your mode 5 embedded software!
While the automotive industry is working hard to cyber-crash test their embedded electronic components, these efforts alone may not be enough. National regulatory agencies responsible for product safety and regulatory compliance see the need to cover automotive cybersecurity. Due to its growing importance and potential vulnerabilities, automotive embedded software requires certification and regulatory compliance against several industry standards in the EU, US, and in Asia. Industry experts argue that purchasing decisions and the selection of key suppliers along GVCs are already being made based on the strength of their cybersecurity credentials. This leads to a double challenge for car manufacturers. Not only do they need to worry about the availability of chips and electronic car parts but they also need to ensure the compliance of their suppliers along the global production chain with new, emerging cybersecurity regulatory requirements.
However, the proliferation of different standards and regulatory approaches will make life more difficult for semiconductor and car manufacturers. For instance, new regulations targeting cyber-security risk management, like the ones developed under the aegis of the United Nations Economic Commission for Europe (UNECE), address such risks and will be mandatory in many major car manufacturing producers, including the European Union, Japan and Korea. At the same time, the International Electrotechnical Commission (IEC) tries to set international standards for IoT devices requiring semiconductor suppliers to protect their devices from a range of cyber-attacks, such as ransomware and hacking. The International Standards Organisation (ISO) joined these efforts and also developed several ISO/IEC joint standards for the safety of road vehicles that also apply to software safety requirements. These new cyber-security standards introduce new requirements for companies to mitigate cyber-risks along their global value chain, ensuring that no supplier becomes the weak “cyber link” in complex global supply chains. These regulatory efforts are welcome but they can have important trade implications: a lack of regulatory cooperation on cybersecurity standards and certification requirements may become one of the biggest non-tariff barrier of the 21st century.
What can policymakers do?
The future of cybersecurity in the automotive supply chains will depend to a large extent on the business community and the new technological solutions developed as part of their adaptation to such disruptive technologies. However, industry alone does not always choose the optimal cyber solutions. There is still a lack of international consensus on the best industry standards or on interoperability requirements between various standards and products. This can lead to a complex technological patchwork hiding potential security blind spots, ultimately to the detriment of the consumer.
The multiple requirements and regulatory aspects of cybersecurity also tend to be quite onerous. According to industry estimates, the cost of integration, testing, verifying and validating all the embedded software and electronic equipment to meet these requirements can easily amount to 40% of production costs (from the start of development to the start of production). To reduce these high compliance costs and ensure the best cybersecurity results, stronger cooperation between various international standard setting organisations would be a logical way forward. As embedded software will continue to “eat into” the automotive world, there will also be a need for stronger regulatory cooperation efforts as part of trade policy as well, to ensure an adequate response to growing cybersecurity threats.
Promoting advanced industry standards as part of global supply chains can also be facilitated by strong rules in trade agreements that remove unnecessary technical barriers to trade in this emerging field. For instance, the motor vehicle annex of the EU-Korea FTA introduced an obligation for the recognition of equivalence of international standards. This covers a broad range of issues (e.g. emissions, tyres, engine power, safety standards) and reduces the cost of testing and conformity assessment for car manufacturers. The annex also includes a commitment to apply these regulatory cooperation disciplines to new standards. Other more recent EU FTAs (e.g. CETA) also contain trade rules aimed at promoting regulatory cooperation and international automotive standards.
Building on these successes, the recent EU trade policy review indicates that the EU is committed to stepping up its regulatory cooperation efforts with interested partners across a wide range of issues that will be critical for the future of global supply chains. Cybersecurity is clearly one of these critical aspects. In the past, we managed to agree on car anti-theft and door locks standards with our trading partners. It is time to cooperate on cybersecurity now!
[1] Industry 4.0 (or the 4th Industrial Revolution) refers to a whole range of new technologies (big data, AI, 3D printing, IoT, robotics, machine learning, etc.) that will affect both the manufacturing process and the type of functionalities that “smart” products will possess. Inter alia, Industry 4.0 uses large numbers of electronic control systems that rely on embedded software and often have an Internet address to connect automatically to other machines via IoT (the Internet of Things) protocols.
[2] As a result, Fiat (the Jeep’s parent company) had to recall 1.4 million vehicles to fix the vulnerability. https://www.nytimes.com/2021/03/18/business/hacking-cars-cybersecurity.html
Disclaimer: The views expressed in this blog are personal and do not necessarily reflect an official position of the European Commission.