October is the perfect month to scare you.

And unfortunately, the data from Kaspersky’s 2023 “Automotive Threat Intelligence” report where two hundred (200) C-level automotive executives were interviewed will accomplish exactly that. But the scary part is not the conclusive state of automotive designs. Quite the contrary. The scary part is we are nearly a decade beyond the artist-formerly-known-as-FCA having 1.5 million vehicles hacked, and there is still palpable confusion, ignorance and unaddressed-yet-known gaps in cyber-readiness.

For example, 64% of the interviewees believed that the automotive supply chain is currently vulnerable to cyber-attack, however there wasn’t a conclusive understanding of who is responsible to address this: 34.5% suggested the management team, 33% stated the compliance team and 32.5% said the technical department.

Not shockingly, such confusion translates into another disturbing statistic from the study: 42% of the automotive C-suite respondents admitted to not having a plan in place to meet the new, stringent cybersecurity certification requirements imposed by the United Nations Economic Commission for Europe (UNECE). “Because it’s such a complex area, it seems to be unclear who should be responsible,” states Clara Wood, Kaspersky’s Global Business Development and Partnership Strategy Executive. “Part of the confusion is that everybody in the company has a role to play in cybersecurity.”

And unfortunately, such confusion at the highest levels can also create or amplify the downstream chaos for the supply base. “Small auto suppliers with thin profit margins are often the weakest link for hacks,” said Rotem Bar, a former cybersecurity professional at the Israeli company CyMotive. “To make matters worse,” expounds Jeff Lemmer, a former Chief Information Officer for Ford and now a Senior Advisor to Envorso, “Many of these suppliers are forced to move manufacturing to low-cost regions of the world, where training, skills and preparedness are scarce.”

“Not only do manufacturers typically not have visibility into or control over the supply base’s policy, processes and control mechanisms,” asserts David Emm, a Principal Security Researcher at Kaspersky, “but smaller suppliers don’t even have expertise on security.”

The hope would be that such confusion (e.g., 35% of respondents “… stated that jargon or confusing terms represent the biggest barrier they face …”) would lead industry leaders to seek clarity, however nearly a third (29.5%) of the executives fail to see the value from their current intelligence investments.

“The key issue: they can get massive threat information, but unless they have a mechanism for processing that, it just becomes data rather than intelligence,” asserts Emm. “They need a mechanism for making it actionable and relevant to them.”

And maybe they will. But first, there’s a chicken-and-egg problem of ignorance requiring training requiring budget requiring value-prop, which cannot be understood in ignorance. And so time plods along. Cybersecurity hacks increase (e.g., per Upstream, hacks increased 225% between 2018 and 2021), and the cost shall rise as well (e.g., “By 2024, the automotive industry is predicted to lose $505 billion due to cyberattacks.”).

And here we all thought that placing your hand on the hot stove teaches you.

Author’s Note

Three years ago, I published the Top 25 Unspoken Automotive Cybersecurity Questions with the genuine hope that uttering such queries might inspire executives to seek clarity. The article continues to be amongst the most read of my publications even years later …

… but the reality is that few of the questions have been answered. And how could they? Unless these corporations really address the confusion on responsibility, jargon and value, the harder questions cannot get addressed.

But hey, the good news: Halloween is just a few short days away, and comparatively not that frightening.

Follow me on Twitter or LinkedIn.