Rising demand for connected and automated vehicles to drive collaborations in the industry, presenting a big opportunity for cybersecurity solution developers
Automakers are offering greater connectivity features in new vehicles to make driving safer and more enjoyable. Ford, for example, announced last week that all its new vehicles sold in the United States will have connectivity features by 2019; for other major markets the automaker expects 90% of new vehicles to have connectivity features by the end of this decade. Other major automakers are also focusing on offering greater connectivity in vehicles, driven by growing consumer demand for features such as Wi-Fi hotspots, turn-by-turn navigation, emergency response notification, remote vehicle controls, telematics services and more.
According to an estimate by IHS Markit, there were more than 112 million connected vehicles around the world in 2016. In the United States alone, more than half of the new vehicles sold come equipped with connectivity features. With the growing focus on connectivity, it is only a matter of a few years before most, if not all, vehicles will be connected. Emerging trends such as vehicle-to-everything (V2X) communication, virtual personal assistants and autonomous driving are expected to result in strong growth in connectivity in the coming years.
Greater connectivity increases exposure to cyber threats
Greater connectivity in modern vehicles has increased their exposure to cybersecurity threats, as with other connected devices such as computers or mobile phones. Telematics units and embedded modems are among the most vulnerable attack surfaces. Attackers can gain access to a vehicle through its telematics control unit (TCU) over a cellular connection. In recent years, hackers have demonstrated the capability to remotely start and unlock vehicles.
The growing complexity of in-vehicle architectures also increases cybersecurity risks. Today’s vehicles feature up to 100 electronic control units (ECUs) and more than 100 million lines of code to control various complex functions, from the infotainment system to critical safety and powertrain functions. The ECUs are connected via an internal network. If hackers manage to gain access to a peripheral ECU, for instance a car's Bluetooth or infotainment system, they can from there take control of safety-critical ECUs for brakes or engines. The vulnerability also arises from the fact that automakers source these ECUs from different suppliers, and no one player is in control of, or even familiar with, all of the vehicle's source code.
A few cybersecurity incidents have occurred in the recent past. In July 2015, two ‘white hat’ hackers remotely took control of a moving Jeep Cherokee and turned off its transmission. The incident later led FCA to recall 1.4 million vehicles globally. Experts believe such cyberattacks could become more frequent in future unless the automotive industry starts working proactively in the area of cybersecurity.
Government prods industry to develop strong cybersecurity solutions
Governments and regulatory bodies in many countries are pushing the automotive industry to work proactively in the area of cybersecurity. In December 2015, the United States government enacted the Cybersecurity Act of 2015, which establishes a mechanism for cybersecurity information sharing among private sector companies, including automakers and suppliers, and federal government entities.
Last year, the United States National Highway Traffic Safety Administration (NHTSA) issued a non-binding set of guidelines on best practices for automotive companies to address cybersecurity challenges. The guidance focuses on layered solutions to ensure vehicle systems are designed to take appropriate and safe actions, and recommends identification and protection of critical vehicle controls and consumers’ personal data. It also expects automakers to consider the full life cycle of their vehicles and promote rapid response and recovery from cybersecurity incidents.
This year, in August, the UK government came up with guidelines for connected and automated vehicles, which require manufacturers of smart vehicles to put in place tougher cybersecurity systems to protect vehicles from hackers. The guidelines expect developers of smart vehicles to build a robust security system that features several stages, providing protection against hackers who may try to access information or take over a vehicle’s control hardware such as throttles and brakes.
Automotive industry banks on collaborations to develop solutions
Automakers are increasingly aware of cybersecurity risk and are taking initiatives to deal with the challenge. Many automakers already have dedicated cybersecurity departments. However, for most of these companies, cybersecurity is a fairly new area requiring a new type of expertise and highly skilled employees. Apart from strengthening their in-house cybersecurity teams, automakers are looking to address the problem through collaborations.
In August 2015, light vehicle manufacturers in the United States came together to establish the Automotive Information Sharing and Analysis Center (Auto-ISAC), a global information sharing community to address vehicle cybersecurity risk. Auto-ISAC, whose members account for more than 99% of light-duty vehicles sold in North America, operates as a central hub for sharing, tracking and analyzing intelligence about cyber threats, vulnerabilities and incidents related to connected vehicles. Auto-ISAC recently expanded its membership to include heavy-duty vehicle manufacturers, auto parts suppliers and commercial fleet operators.
Last year, Auto-ISAC released a set of automotive cybersecurity best practices for automakers and suppliers. The best practices, developed with the help of more than 50 automotive cybersecurity experts, are expected to serve as guidance in the development of automotive cybersecurity in seven key areas: governance, training and awareness, risk assessment and management, security by design, threat detection and protection, incident response and recovery, and collaboration and engagement with appropriate third parties. Auto-ISAC is also developing supplemental materials, including a reference model and practice guides to benefit members and stakeholders.
Cybersecurity threats create new set of suppliers
The cybersecurity risk in the automotive industry has created a new set of suppliers. Many of these start-ups, including Argus Cyber Security, Karamba Security and TowerSec Automotive Cyber Security, are from Israel and were established by former cyber defense experts. These start-ups have emerged as key players in automotive cybersecurity in a very short span of time. Argus, founded in 2013, provides risk assessment, embedded software, protection and constant threat monitoring for vehicles. Karamba focuses on providing deterministic scrutiny, meaning that once the technology is embedded in the vehicle, it will require no additional monitoring or updates. TowerSec specializes in network protection for connected vehicles. Last year, the company was acquired by Harman International to strengthen its offering in automotive cybersecurity. The US-based supplier will integrate TowerSec technology into its 5+1 security architecture to protect critical points of vulnerability in connected vehicles, including hardware, network and over-the-air (OTA) updates.
Traditional suppliers gearing up for challenge
Traditional suppliers are also gearing up to address cybersecurity challenges through collaboration. Last month, Lear and Honeywell teamed up to jointly develop automotive cybersecurity solutions. The collaboration will pair Lear’s automotive electrical distribution systems and connected gateway with Honeywell’s know-how in intrusion detection technology software and security operations centers to provide automakers with technologies to address vehicle prognostics and ensure their safety and security. September also saw Ricardo and Roke Manor Research joining forces to develop cybersecurity solutions for autonomous and connected cars. The partnership will leverage Ricardo’s knowledge in technology and innovation within the mobility sectors, and Roke’s experience in cyber-security for government and corporate clients.
Earlier in July, Japanese supplier Calsonic Kansei partnered with France-based Quarkslab to jointly establish a new company called White Motion LLC, which will focus on automotive cybersecurity solutions. The new company will leverage Calsonic Kansei's and Quarkslab's expertise in functional safety and cybersecurity. White Motion will mainly focus on developing in-vehicle security software, security evaluation of vehicles and components, security education and security consulting. The company will also work on integrating security measures within vehicles to prevent hacking, cracking and computer viruses.
IHS Markit sees strong growth for cybersecurity solutions market
Rising cybersecurity concern in the automotive industry offers tremendous growth potential for companies catering to this budding segment. Last year, IHS Markit published the Automotive Cyber Security and Connected Car Report, which also includes detailed demand forecasts for cybersecurity software and solutions. According to the report, unit sales of cybersecurity software are forecast to grow from 5.4 million in 2016 to more than 176 million in 2023. Most cars will have more than one cybersecurity software program, and the number of units per car will grow steadily. Overall, IHS forecasts automotive cybersecurity revenue to grow from USD11 million in 2016 to USD759 million in 2023, at a CAGR of 73%.
Copyright © 2025 S&P Global Inc. All rights reserved.
Automotive cybersecurity market is forecast to grow at CAGR of 73% between 2016 and 2023