Lee Hyun-jung, CTO of FESCARO
Last year, FESCARO achieved a grand slam in the four major international
automotive cybersecurity certifications consulting. In the meeting with CTO Lee
Hyun-jung, who presented practical technological breakthroughs to address
cybersecurity issues in the automotive industry, including the UNECE World
Forum for Harmonization of Vehicle Regulations (WP.29) automotive cybersecurity
regulation coming into effect in July and securing vehicle safety in the SDV
era, she emphasized that automotive security is a complex and multifaceted
issue requiring an overall approach.
by Yoon Beom-jin, AEM (bjyun@autoelectronics.co.kr)
FESCARO
Despite its brief 8-year history, FESCARO has established itself as a
collaborative partner in cybersecurity, an urgent issue for the global automotive
industry, with its capabilities and passion. Founded in 2016 by an automotive
electronic control unit (ECU) developer and a white hacker, FESCARO began
providing customized cybersecurity solutions to both Korean and foreign automakers
and controller developers, and achieved a grand slam in consulting for the
world’s four major automotive cybersecurity certifications (CSMS, VTA, SUMS,
ISO/SAE 21434) in 2023. Additionally, it recently secured 13.65 million dollars
in Series B investment.
I got the impression that your company is young and dynamic. Could you tell us
more about the key members and their abilities?
LEE CEO Hong Seok-min is an automotive electrical system
development expert from Hyundai KEFICO and Hyundai AUTRON, and has developed
and localized the first automotive cybersecurity module in Korea. I have built
my career in IT security, and I met CEO Hong at the Best of the Best (BoB), a
next-generation security leader training program, and we co-founded FESCARO.
Our CSO, Ku Seong-seo, is a veteran who previously worked in HUMAX with over 20
years of experience in embedded software development, including automotive
controllers and security solutions. Our CFO, Lee Young-tak, previously worked
for E-Land and BUDDYBUDDY and has a successful track record of listing several Korean
companies. Additionally, we have carefully recruited veterans from leading Korean
and international companies, each with an average of over 20 years of
experience, to build a solid and broad technology leadership team. Currently,
80% of FESCARO's staff are technical personnel.
I often hear that FESCARO seems like a ‘young’ company. That is actually right
to say since our company has been established for 8 years, but I take it to
mean that our company is full of energy and vitality. I think it’s because both
junior and senior members have a strong desire for growth and are not afraid to
take on challenges. People with these tendencies, in turn, attract like-minded
individuals. We are also serious about nurturing our junior staff. We
systematically discover and nurture new employees with this kind of DNA, so
they are highly proactive and responsive within the organization. At FESCARO,
we encourage everyone to become a ‘bar raiser’ who continually elevates their
own standards. I believe this organizational culture is the key driving force
that enabled us to develop both the software and hardware of a cybersecurity
gateway controller (SGW) from scratch in just two years and achieve cumulative
orders of 1 million units.
Could you please tell us about FESCARO's major achievements and the biggest
challenges the company faces?
LEE When our company was founded, cybersecurity was not a
major concern in the automotive industry. Nevertheless, FESCARO steadily
developed related solutions and acquired various international certifications,
accumulating experience and capabilities along the way. Based on this, we won
our first project from an automaker (OEM), KG Mobility (KGM). Despite limited
resources, we worked closely with KGM to obtain UN R155 and R156 certifications
early. In recognition of our achievements, we were selected as the Best Partner
by KG Mobility at 'KGM PARTNER'S DAY 2024'.
At the core of these achievements is our IT infrastructure solution.
Cybersecurity requires continuous and systematic management. To this end, it is
necessary to leverage SGW and security solutions to establish a
defense-in-depth system and introduce a security information and event
management system based on IT infrastructure. FESCARO's IT infrastructure
solution consists of three organically interconnected systems, which are
applied throughout the entire vehicle lifecycle, from development to customer delivery
and eventually scrapping.
KGM has integrated the management of cybersecurity tasks across the entire
value chain by utilizing this IT infrastructure, improving work efficiency by
linking regulatory compliance tasks with existing operations. Additionally, the
company can track and manage the related impacts of software updates across all
derivative projects, and proactively respond to security issues through a
real-time incident response system linked to SGW, preventing the spread of
damage. Since all tasks are computerized, the record of security-related
activities can be systematically and comprehensively managed, and can be used
as explanatory data in the future, increasing overall satisfaction.
In fact, the current IT infrastructure solution has not yet realized even half
of what we have envisioned. Our next goal is to implement these plans gradually
and ultimately contribute to strengthening the competitiveness of the Korean
automotive industry.
Have you noticed any gap in the field regarding cybersecurity awareness and response in the automotive industry?
LEE Before automotive cybersecurity was
internationally legislated, its necessity and importance were often
unrecognized. However, with the UNECE WP.29 General Assembly's adoption of UN
R155 and the Korean National Assembly's passage of the amendment to the Motor
Vehicle Management Act, which mandates automakers to implement safety
management measures related to cybersecurity and software updates, non-compliant
vehicles can no longer be sold. The prevailing perception is now that
cybersecurity certification is mandatory, not optional. However, many still
believe that simply meeting regulations or obtaining certification is
sufficient.
In
reality, continuous updates are essential for automotive cybersecurity, just
like computer virus vaccines. Since hacking techniques evolve alongside
security technologies, applying security solutions does not guarantee 100%
safety. This is why related regulations require continuous updates and
management. Therefore, I believe that responding to cybersecurity regulations
should be integrated into the core operations to build and maintain safe
vehicle security beyond one-time regulatory compliance. Currently, responses to
cybersecurity regulations are often managed separately from core operations,
but minimizing this gap is crucial for long-term success.
Building continuous vehicle security beyond a simple response to regulationsImproving work efficiency by linking regulatory compliance tasks with core operations
What are the core technologies that differentiate FESCARO? What value does FESCARO provide to customers?
LEE Cybersecurity is a complex and
multifaceted issue that spans the entire automotive industry value chain as
well as the entire vehicle lifecycle. FESCARO takes a holistic approach to
cybersecurity from the OEM perspective, rather than simply providing security
solutions or implementing requirements from a third-party standpoint. This
approach has enabled us to offer a comprehensive all-in-one cybersecurity
solution, including regulatory compliance, and effectively play a practical
Tier 0.5 role in the industry. Our all-in-one solution not only protects the
vehicle’s internal systems and communication channels between the vehicle and
infrastructure but also includes a real-time incident response system based on
IT infrastructure.
In addition, FESCARO aims to provide the most practical
solutions optimized for each client's situation and environment. Our IT
infrastructure solution designs and implements workflows that consider the
interests of both internal departments and external partners. Unlike existing
solutions, where duplicate work is inevitable due to a lack of organic
integration, FESCARO's solution is highly evaluated because it maximizes work
efficiency and synergy. By understanding the entire process and linking
multiple systems at once, our solution drastically reduces time and costs.
Many customers say that FESCARO’s strength lies
in 'making complex things easy.' For example, our IT infrastructure-based
security information and event management is linked to SGW to create a
real-time incident response system, enabling quick recognition and response to
security issues as they arise. After the vehicle is released, the system
collects field operation data through SGW, continuously monitors security
issues by region, vehicle type, individual vehicle, and production line, and
provides visualized data through a user-friendly dashboard for quick and
effective response.
How do cybersecurity responses vary across
companies within the automotive industry ecosystem and value chain?
LEE OEMs must
define their own cybersecurity requirements from a vehicle perspective and
establish and continuously operate a management system. Meanwhile, Tiers must
implement cybersecurity from a controller perspective based on the OEM
requirements.
Since cybersecurity is not limited to a specific
domain but requires a company-wide approach, OEMs often establish and implement
cybersecurity response strategies with the help of professional consulting
firms. From the perspective of Tiers, each OEM has different requirements,
making it challenging to manage derivative projects while responding to each
OEM. Therefore, it is recommended that Tiers establish their own cybersecurity
response strategies that satisfy both international standards and regulations,
allowing them to respond to various OEMs in a unified manner. Kanavi Automotive
(now Kanavi Mobility), with consulting support from FESCARO, became the first
in Korea to obtain certification for a cybersecurity management system based on
ISO/SAE 21434, the international standard for automotive cybersecurity
engineering, in April 2023.
Recently, OEMs have increasingly required Tiers
to build their own Key Management System (KMS). FESCARO’s KMS solution is
differentiated from existing KMS by its ability to manage projects by OEMs and
integrate with the Tier’s production line. We are currently working closely
with HL Klemove on a KMS project.
What should OEMs and Tiers prepare for ahead
of the enforcement to Motor Vehicle Management Act Amendment, and how can
FESCARO’s services and solutions help?
LEE Since
cybersecurity and software updates are a key part of the amendment to the Motor
Vehicle Management Act, we have received many inquiries from our clients. In
early April, we agilely addressed this topic in our ‘Security Counseling
Center’ webinar series, where a panel of experts answered frequently asked
questions, receiving an enthusiastic response. The key point is that since the Motor
Vehicle Management Act amendment is based on UN R155/156, they align in the overall
context. There are two major requirements that the amendment and the UN
regulations have in common:
First, a cybersecurity management system (CSMS)
must be established to protect vehicles from cyber threats and ensure safety.
Second, a system must be established to manage software updates that may affect
vehicle safety, ensuring no issues arise post-update. There are differences in
the required certifications. OEMs wishing to sell vehicles in Korea must obtain
CSMS certification. While UN regulations also require software update
management system (SUMS) certification, Korean law does not mandate
certification for this part. However, essential information on vehicle software
updates must be reported both in advance and afterward.
To effectively respond to the diverse
requirements of OEMs, it is recommended that Tiers establish a cybersecurity
management system that complies with the international standard for automotive
cybersecurity engineering, ISO/SAE 21434. This standard is closely aligned with
the relevant UN regulations.
FESCARO has optimized its existing UN regulatory
compliance solution to fit the amendment to the Motor Vehicle Management Act. Since
the amendment is based on UN regulatory standards, FESCARO, with hands-on success
experience in UN regulations, can effectively assist our customers.
What are FESCARO’s current activities and
plans for overseas expansion?
LEE Since
cybersecurity is an urgent issue for the global automotive industry, we are
exploring and evaluating various markets. In the Chinese market, which presents
many variables but also numerous opportunities, we have commenced full-scale
sales activities since the beginning of this year. Given that the Chinese market
is the fastest in popularizing electric vehicles and is open to new
technologies and methodologies, we believe there are numerous collaboration
opportunities that require creativity. Besides the automotive market, we are
also considering expansion into industries closely related to future mobility,
such as EV chargers.
With the advent of the SDV era, automotive
E/E architecture is evolving from domain architecture to zonal architecture.
How should the response approach change in terms of cybersecurity? What role
can FESCARO play?
LEE In
the SDV era, the vehicle lifecycle is expected to evolve into a circular
structure similar to DevOps, increasing the importance of the post-launch
phase. In this situation, as software technology continues to advance and the
interconnected influence of software also becomes increasingly complex, the
current practice of separating core operations from regulatory responses will
soon become too difficult to manage manually.
Like the IT infrastructure that KGM proactively
built, the importance of an efficient operation management system across the
entire value chain and vehicle lifecycle will likely increase. In addition to
managing all software versions, it is necessary to systematically identify and
manage the impact and potential side effects on all existing certification
items when updating software. Automating these complex work processes through FESCARO’s
IT infrastructure solution will enhance the user experience for internal
stakeholders, ultimately improving productivity, profit efficiency, and future
competitiveness. Furthermore, as the paradigm shifts to SDV, we expect to
maximize synergy by transforming not only product development but also our work
processes and thinking to be software-centric.
In addition, we expect creativity in finding new
breakthroughs when problems cannot be solved with existing methods will emerge
as a key competency. FESCARO's new vision is 'Hack the Mobility,' where
individuals with software-centric thinking come together to creatively approach
the mobility industry and solve its challenges. As part of this vision, we
developed a cybersecurity gateway controller (SGW), which serves as the
foundation for developing SDV's zonal controller, and built a real-time
incident response system by integrating SGW with our IT infrastructure.
What message will you deliver at this year’s
Automotive Innovation Day conference?
LEE This aligns
with what I have been discussing so far. I would like to emphasize the
necessity of a ‘software-centered operation management solution’ that can
create synergy with SDV. I expect the cooperation structure to evolve from the
existing hardware-centered specialization to a matrix structure spanning the
entire value chain. We need an organically linked management system that can
continuously and systematically manage cybersecurity throughout the entire
vehicle lifecycle, even after mass production. I will illustrate this based on FESCARO’s
actual success stories, as I believe this will be a key factor in determining
competitiveness in the SDV era.
CEO Hong Seok-min will give a keynote speech,
where he will discuss broader topics than I do, such as how the competitive
landscape will change in the future, what core competencies will be needed for
future competitiveness, and what changes in perception are necessary within the
industry.
<Source: AEM(FESCARO: A Grand Slam Winner for Vehicle Security in the SDV Era)>