February 28, 2021 - Digital transformation has catalysed a big paradigm shift in the automotive industry with market drivers and dynamics now favouring technology new entrants including startups. However, certain technology areas lag in market adoption, most notably in cyber. The question is – what will it take for automotive cyber startups to win in this space?
Autonomous, Connectivity, Electrification and Shared mobility (ACES) have driven automotive market growth and position software as a critical cornerstone for innovation (Elon Musks calls connected cars computer on wheels). If software is king, cybersecurity is paramount and as fundamental to safety as car brakes.
However, auto OEMs and IT Security Vendors have been slow to innovate, preferring to wait for standards or can’t invest in order to preserve cash in the face of pandemic induced market uncertainties. This presents startups a window to seize market share, with some successful in securing strategic partnerships directly with OEMs as customers and investors. Yet we do not see automotive cyber solutions gaining market traction. What does it take (the right DNA?) to establish the right to win?
The problems in automotive cybersecurity have been threefold. Firstly, it’s complex with connected cars having more than 150 ECUs and 100 million lines of code due to legacy of designing electronics systems in automotive. To put things into perspective, a consumer PC and aircraft has about 40 and 15 million lines of code respectively. Secondly, this complexity is compounded by the lack of standards, rendering any effective cyber solution challenging in the bid to align across the supply chain between OEM and suppliers. Lastly, the economics of car cybersecurity is inherently unfair. Attacks are relatively affordable, low effort endeavours whereas mounting a cohesive defence across a complex value chain requires significantly more effort and investment.
Furthermore, these problems are adjudged to be business priorities. They are critical being associated with the high cost of recalls , urgent with imminent regulations and growing, driven by market forces in “ACES” increasing the threat surface. Not all problems are priorities and not all priorities become painful enough to drive actions but clearly, the problems here are a priority that has become an unaddressed pain which OEMs must have a solution today. So why hasn’t this happen?
Persisting perennial practices – what worked then doesn’t work now.
Looking at the top 15 funded automotive cyber startups globally, there was a clear trend that stood out amongst them; inordinately, the startups focus on a protect solution integrated on the car. Investor side (both venture and corporate) insider insights suggest a first mover ambition to become industry accepted “standard” and anchor “locked in” status as the preferred solution in a high barrier entry Industry. The largest recurring revenue in IT cyber market for firewalls with a. strong posture on protection may have also pushed rationalisation towards where market upside and expertise converge. Instead, as we have observed, the complexity of the automotive supply chain without common standards, coupled with misconceived buying personas of a new industry (automotive vs enterprise IT decision making culture vastly differs), has deterred any meaningful commercial adoption. However, if we turn our lens to successful new entrants in other emerging verticals (OT cyber in critical infrastructure, IoT cyber in enterprise IT) for cyber solutions, we find foundational and critical cyber capabilities as beachheads into new markets that side stepped the challenge of missing standards across complex supply chains :
Identification : You can’t protect what you don’t see.
While cyber protection on the car is critical, it is preceded by identification to give visibility to what are the assets you need to protect, which is also alluded to in existing standards and expected in imminent regulations. Whist most current cyber solutions embedded in the car optimises protection efficacy, it lacks visibility of data telemetry specially threat surfaces external to the car. What’s missing and needed, both today and eventually at scale, would be supply chain and fleet-wide visibility beyond the individual car.
Detection : You can’t detect what you don’t know.
The visibility to know what you need to protect is only as useful as knowing what you are protecting against. Coupled with the increasing adoption of a zero trust posture which assumes any asset can and will be eventually compromised, the emphasis shifts from protection towards detection of anomalies which requires relevant threat intelligence to start. Most threat intelligence today are non industry specific and those that are need to go further to augment researched with real world, real time threat insights.
Response : You can’t respond…to everything.
Without acute identification and detection, response becomes a low ROI investment with high false positives that can be only partially remediated by scarce cyber expertise. The diversity of multi-vendor, multi-genre detection-response tools today further adds to incident noise and implementation complexity, specially those requiring integration of agents in the customer environment. A non-intrusive, vendor agnostic, industry purpose built single pane of glass (aka mobility SIEM) is needed to augment identification and detection to accurately automate incident response.
The market opportunity today.
The need for untapped critical cyber capabilities (identification, detection, response) to meet unaddressed imminent regulations and reduce manpower dependency creates a great opportunity for vSOCs (Vehicle Security Operation Centers) to bridge the gaps. Anecdotal evidence has pointed to market leading automotive OEMs seeding call for tenders to build vSOCs (even through the pandemic). This has seeded the needed impetus for traditional enterprise IT SOC Operators and MSSPs to pivot into this adjacent market by cementing strategic partnerships with cyber startups to seize new market share, with the total addressable market estimated at circa US$1b. What’s not gone unnoticed is the market opportunities emerging today are universal and across U.S, Europe and Asia headquartered OEMs, indicating a clear, present and dire need. What may have gone unnoticed is potentially the opportunity that comes next after a vehicle SOC, that may have already arrived.
DNA to orchestrate the ecosystem as the right to win in Smart Mobility.
If vehicle SOC is the opportunity today, then a mobility SOC that goes from monitoring private cars to public buses, vehicles to fleets, road to rail, will be a clear growth path in the future. This takes planning, commitment and investment from both government and enterprises, to orchestrate an effective execution at the industry level. It is no simple endeavour to keep competitive ambitions in check in the short term and align interest across various mobility stakeholders to agree that the eventual whole can and will be much greater than the sum of parts.
A market signal that may have gone unnoticed amidst the pandemic is that in Singapore earlier this year, autonomous bus services have started operations in various locations from commercial to industrial parks with critical infrastructure. The hard work to plan, align and subsequently execute on a smart city level amongst mobility incumbents and new entrants in Singapore started more than 2 years ago pre-Covid. The commitment to push ahead in spite of the pandemic is clear in their actions to roll out the world’s first successful autonomous automotive service. Automotive cyber startups with unique differentiators needed in a vehicle and mobility SOC will do well to partner Singapore-based SOC Operators and MSSPs to seize first mover advantage towards building the first end to end mobility cyber platform. Notably, Israel which is accountable for more than one third of the global cyber unicorns has been active on this front to produce a strong crop of mobility cyber startups. The DNA of this startup nation with Singapore’s innate design as a scale up nation, is a natural fit for market partnerships. Who knows, the next Israeli mobility cyber unicorn could emerge from the springboard of Singapore’s smart mobility ambition.