All Security Issues Are Safety Issues

Last month I spoke at the IQPC Safety and Security week event in Munich. It became clear to me that our semiconductor community is really paying attention to these issues now, not just to comply with standards, and not just because of the potential liability – but because it simply makes good business sense.

The cost of recalling a single vehicle is estimated to be between $400 and $900 USD, and that’s before any liability, brand and reputation damage, etc. are taken into account. In the infamous case of the Jeep Cherokee (Miller & Valasek) attack, 1.4M vehicles were recalled, causing a $1Bn USD financial hit… It’s estimated that the cost of recalls will reach $24Bn by 2023 – an enormous financial burden for the automotive industry supply chain to carry. So there is every incentive to get things right! (Upstream security global automotive cybersecurity report 2019.)

The other side of the same coin is that there is actually significant competitive advantage to be gained in the marketplace with more secure and safer vehicles. The UltraSoC presentation (which is accessible via our Resources page here) showed how anomaly detection in hardware can be done several orders of magnitude faster than post-processing in software (which is best practice today) – providing the fastest possible means to identify potential malicious intrusion or other threats and hazards.

Our customers who move to incorporate this change in approach – moving detection and prevention of attacks into hardware – will benefit from enhanced, more robust security measures underpinning competitive advantage.

I’ve written before that “there is no safety without security.” It is frustrating that there still seems to be a divide between “safety experts” and “security experts” throughout our industry. During the IQPC event, on more than one occasion I heard people say, “ah, yes but that’s a security issue, not a safety issue…” In fact the very structure of the event reinforced this divide – with separate tracks for security and safety. This siloed thinking is dangerous. Security and Safety are inextricably linked, and we must take a holistic view. SAE J3061 shows that safety critical systems are a subset of security-critical systems.

With the pending emergence of the ISO21434 standard, based significantly on J3061, I hope to see more attention paid to closer links between the safety and security functions, as the industry moves to embrace the next wave of technological progress.