How to prove automotive cyber-security ROI

Measuring automotive cyber-security return on investment is tricky. To date, there have been few if any major attacks outside of white hat incursions. This can leave OEMs wondering if they need to invest in large scale cyber-security programs, and if they do, what benefit will they see beyond piece-of-mind?

How do we show the cost-effectiveness of our solutions?

Most of the software industry can easily prove its cost-effectiveness. Take IT as an example. Implementing a remote access system such as a VPN, lets employees work from home or on the move. And although such systems have associated costs, measuring the improved efficiency gained from their adoption swiftly shows that the investment is profitable and that expenses can be recovered in a relatively short time.

It is difficult to compare the automotive and IT cyber-security fields. IT cyber-security was regarded as a commodity for years and was at times perhaps even harder to prove ROI for, yet historically it has still been quite easy to convince management to invest in IT solutions. CISOs need only show how many attacks are prevented using existing protection means, translate this to potential (direct and indirect) damage, and demonstrate how the balance lays in favor of the proposed cyber-security solution.

Additionally, it’s possible to estimate how much damage is prevented by a deterrence measure by analyzing the security means deployed. When you add to this some “flavor of FUD” (Fear, Uncertainty and Doubt) the outcome becomes clear – investment in IT cyber-security can be very profitable, especially from the perspective of the CEO and the board.

Proving automotive cyber-security ROI is hard

Automotive cyber-security is a totally different story, currently. There’s no history of actual attacks causing physical damage or loss of life. The record to date only includes white hat activity that proves that lethal attacks are possible and some minor grand theft auto. And while there has been collateral damage that has resulted in vehicle recalls and reputation damage, this is something OEMs have established systems to deal with. So what can we do to prove ROI for the automotive cyber-security field?

It’s mostly about mitigation

Firstly, we need to realize that cyber-security protection software, like any other security mechanism, is valued by its capacity to prevent loss of life or property, provide risk mitigation, and reduce collateral damage.

This is in opposition to how other software products are deemed to increase revenue. So the question is this: can we quantify and estimate alternative expenditure in lieu of the adoption of a cyber-security mechanism?

This is not a simple question with a straightforward answer as it is with other products such as ERP or CRM software. But it can be calculated by examining the potential savings companies can make or the losses they can avoid:

• Major safety or environmental incidents: If vehicles are induced to collision and accident, the direct costs associated with lost lives, personal injury and damage to property are immense. OEMs can be liable for neglecting the implementation of proper cyber-security protection mechanisms and may be sued by insurance companies, vehicle owners, class actions, and governments among others. In addition, they will incur the direct cost of fleet-wide vehicle recall and the indirect costs of brand impact in the form of loss of reputation, and thus loss of future income. This can total to tens of billions of dollars per incident.

• Fleet crippling and business downtime: Shutting down transportation, by disabling many vehicles at once, will have an immense economic impact. If those are emergency vehicles it can mean loss of life. If this tactic were used during a military conflict it would impair the mobilization or transportation of forces and have strategic implications. Stopping armored vehicles such as tanks in their tracks could lead to the loss of a war.

Of measurable and quantifiable loss

Vehicle downtime cases are a measurable and quantifiable loss. For example, if a fleet of buses generates income of $5 million a day, the direct loss for a 24 hours shutdown is $5 million, and this doesn’t include the further knock-effects to the broader economy.

We might consider here the impact of a ransom attack or blackmail attack. It may be that such an attack would require the payment of additional funds by the bus company, who were not aware of (and thus unable to insure or plan for) the potential damage. In a situation where the vehicles affected are military, the repercussions are much more severe and expensive. All such cases will eventually land at OEMs feet, and their liability will leave them scrambling to cover the damages.

• Privacy and personal information loss: Consumers expect their private information to be well guarded in the vehicle or may not even be aware of any risk of exposure. This data can include phone contacts shared while renting a vehicle, navigation paths, passwords saved on the vehicle infotainment system, access to internet sites such as Facebook, etc. The loss of such information is regarded by individuals and companies as negligence, and those who feel they were offended by such cases will claim damages, ultimately from the OEM.

• Regulatory fines: Regulation and legislation steps demand OEMs comply with the requirements detailed in standards such as UNECE WP.29, ISO/SAE 21434, EU GDPR and others. OEMs not aligning with those regulations will face denial of certification of compliance, preventing sales of vehicles or application of hefty regulatory fines.

• Insurance fees: Insurance companies charge OEMs with fees they consider appropriate for the associated risks of the vehicle, including the cyber-security risks. Those fees can be significantly reduced by proving to insurance companies that the OEM is conducting a process of threat analysis and risk assessment. This results in risk minimization by implementing the relevant cyber-security protection means.

Additional cases can be considered, for example; security controls can assist in the faster identification of operational malfunctions, inefficiencies, and misconfigurations. One such example is chip-tuning, which results in huge losses for OEMs who are often hoodwinked into repairing damaged vehicles that are under warranty but have suffered extensive wear and tear caused by the extreme driving conditions made possible by the unauthorized and illegal manipulation of ECUs.

Automotive cyber-security software might not provide ROI in the traditional sense, but it can certainly help OEMs mitigate risks.

Arilou automotive cyber-security helps OEMs avoid millions of dollars in losses. For more information please, click here.