In an interview published on 8 March 2018 by the French weekly business magazine L'Usine Nouvelle, Jean-Marie Letort, head of cybersecurity evaluation and consulting at Thales, outlines the Group's new ambitions in the automotive sector.
L'Usine Nouvelle - In January Thales announced a joint venture with Vector. What do you hope to achieve through this tie-up with a supplier of embedded software and electronics?
Jean-Marie Letort - Forming the joint venture with Vector takes us a step closer to our strategic objective of being a trusted partner for the entire automotive ecosystem. Today's vehicles incorporate around 80 electronic control units (ECUs) that perform both critical functions like braking and steering and non-critical functions like satnav. These embedded systems are connected to the Internet, which makes them potentially vulnerable to intrusion. This is where the joint venture between Vector and our German subsidiary Sysgo comes in. Vector is one of the leading developers in Germany of the functions integrated in the ECUs, while we have the expertise to provide systems to protect these applications. We aim to offer an embedded management solution for safety-critical vehicle functions as early as this year, and new vehicles will progressively be equipped with our solutions between now and 2023, depending on the carmakers' development schedules for different models.
How will the joint venture help you achieve your ambitions in this sector?
The joint venture shows that we are positioned across the entire automotive value chain. We want to be seen as the supplier that secures not only the vehicle itself but also communications between vehicles and with the outside environment. The idea is to team with carmakers and infrastructure operators as well as equipment manufacturers. For the last five years, we have already been working with the two major French equipment manufacturers, and with their German and British counterparts, and with other players like the Williams Formula 1 racing team. We are helping them define embedded systems and integrate software natively into the vehicle architectures. Security testing is carried out to help deploy supervision systems for vehicle fleets so that stakeholders in the automotive sector can react more quickly in the event of a cyberattack. Operational deployment of this type of solution is expected around the beginning of 2019.
How will Gemalto contribute to this new positioning in the automotive sector? Our merger with Gemalto [takeover still subject to regulatory approval, Ed.] will make us a leader in digital security. That will allow us to position ourselves on data encryption and secure data transfer solutions. Our short-term goal is to become the European leader in cybersecurity for autonomous and connected vehicles. Even without Gemalto, Thales expects this business to achieve 20% annual growth in a market that is growing by just 8%. There are plans to hire about 20 new people in France to expand our consulting practice dedicated to vehicle and embedded system cybersecurity. This team of specialists currently includes 80 people based out of France, the UK, Australia, Hong Kong and Dubai.
Can your aerospace expertise be transposed directly to vehicles?
We are working on security for the in-flight entertainment systems that let airline passengers watch movies, listen to music and connect their phones to the network during a flight. These functions operate alongside the safety-critical functions of the aircraft. Our approach involves isolating the aircraft's essential functions from the functions that manage the entertainment, so that vulnerabilities do not expose onboard systems to potential cyberattacks. The same methods can be applied to a road vehicle's embedded systems by isolating the ECUs that manage critical functions. To do that, one of the things that's needed is a secure operating system.
What is your analysis of carmakers' reaction to cybersecurity issues?
Vehicle manufacturers have achieved a certain level of maturity on matters of cybersecurity. The incident in 2015 when two American hackers compromised a Jeep Cherokee was a wake-up call for the general public. The automotive sector had already started to address the issue, even if the media coverage of the incident probably crystallised their positions on cybersecurity more quickly. For our customers, cybersecurity has become a strategic priority. The new generations of vehicles they have been developing in the last four years are all "secure by design", meaning that security solutions are incorporated into the system design process from the outset. One of the reasons for the concern around cybersecurity is the expected arrival of autonomous vehicles, which manufacturers see as a societal cause. They see autonomous vehicles as a way to ease traffic congestion, cut pollution and reduce the number of accidents. But if we believe the findings of a survey by OpinionWay published last year, fewer than one in two French people would agree to ride in a self-driving car. Digging a little deeper, you realise that one of the concerns of drivers and passengers is security-related. End customers worry that the vehicle could be stolen or that someone could control it from a distance and that they couldn't to do anything about it. If autonomous vehicles are going to be accepted, they will need to be secure. It's absolutely critical to be able to trust the system and the vehicle's ability to make the right decisions.
What are the specific characteristics of the automotive sector when it comes to security?
One of the main challenges is cost — how to integrate security solutions for just a few euros per vehicle — because cybersecurity mustn't drive up costs for end customers. The solutions also need to be transparent to drivers. In addition, you need to guarantee system resilience over the entire lifetime of the vehicle. You need to ensure that vehicle security is optimal at all times, which means updating the embedded software "over the air". Here again, the whole system needs cybersecurity solutions to stop infecting the car with a virus when its software is being updated.