Smart-vehicle makers are facing supply chain disruption as the US Department of Commerce plans to enforce new regulations banning the import of connected-vehicle technology from China and Russia over cybersecurity fears.

The Commerce Department pursued new regulations after President Biden declared a national emergency over concerns that the United States had become overreliant on China for information and communications technology and services (ICTS). The rule mandates that companies and their suppliers eliminate hardware or software imported from China or Russia in their vehicle connectivity system (VCS) or in their automated driving system (ADS).

It aims to address two concerns: vulnerabilities that would allow a nation-state or criminal organization to implant a backdoor in automotive hardware or software; and the collection of data on US drivers through diagnostic features and other mechanisms, says Yoav Levy, CEO and co-founder of automotive cybersecurity provider Upstream.

“The threat is definitely real,” he says. “There are many cases where cars could be hacked — including the safety elements within the cars — and there were many cases where data was stolen or leaked. … But so far, we haven’t seen something like that on a huge scale.”

The concerns come as software-defined vehicles (SDVs) shake up the automotive market, while also potentially increasing the cyberattack surface area of automobiles. In the past, vehicle makers created a variety of platforms for their different models, and the number of processors — known as electronic control units (ECUs) — quickly climbed. While the post-pandemic chip shortage slowed the shift to new platforms, manufacturers now aim to quickly reduce the number of ECUs and other hardware needed for the VCS and ADS systems. While current models, for example, can have as many as 130 ECUs, Rivian has already reduced the number of ECUs to seven in its second generation R1 vehicles.

Wielding the Cyber-Ban Hammer

Rivian aside, most automobiles have a wide variety of components sourced from China, raising concerns that the United States’ reliance on the technologies could allow future compromises.

Banning technology from China and sanctioning Russia is nothing new, says Ivan Novikov, CEO at API security firm Wallarm. The US government has already raised cybersecurity concerns over telecommunications equipment from Huawei, Chinese-made cargo equipment at US seaports, home routers made by Chinese manufacturer TP-Link, and popular social media app TikTok.

“This is kind of the next logical step,” he says.

The new commerce regulations will prohibit any “transactions involving VCS hardware and covered software designed, developed, manufactured, or supplied” by people or organizations linked to China or Russia, according to a 213-page final rule, which will be put into effect after months of comments.

Yet, many implementation details remain unclear, Novikov says.

“The open question here is who will enforce the regulations, because the usual enforcement of security requirements and crash [safety] tests is under the Department of Transportation,” he says. “It’s unclear how these two agencies can work together, and how these final DoT requirements or restrictions or controls can work.”

Securing Supply Chains & the Economy?

The impact on the supply chain will be significant, experts say. The first tier of OEMs — large US and international companies — is not the problem. Their products, however, often come from suppliers that source their own components from Chinese companies, says Alex Oyler, director for North America at industry consultancy SBD Automotive.

It’s just one more way that the supply chain is currently undergoing changes, he says. Many carmakers are looking to rewrite their relationships with providers as they move to software-defined vehicles.

“We’re in a bit of a different phase of software-defined vehicle in the sense that OEMs are actually starting to become a lot more prescriptive in the specification of the components that they’re sourcing,” Oyler says. “It’s more of what’s called a build-to-print relationship, where they provide not the functional requirements, but requirements for the component architecture — we want this processor, we need this memory, we need this GPU.”

The shift to other sources of supply will take years, with the Biden administration allowing carmakers a grace period to comply with the regulations: Software components can no longer be sourced from China and Russia starting with 2027 car models, while by 2030 car models must contain no hardware from prohibited sources.

Making such changes will not be easy, says Upstream’s Levy.

“It’s not that easy to replace a supplier,” he says. “There are financial implications with the supply chain — maybe it’s going to be more expensive, or there may be some changes to software that they would need to do for the new supplier — an adjustment to the architecture. … It really depends on what they are actually going to replace.”

Source: www.darkreading.com