Supplier Delocalization: A Threat to Automotive Cybersecurity Knowledge Sharing?

Soumis par Garikayi Madzudzo, HORIBA-MIRA, Ltd, Nuneaton, England, United Kingdom le 26 févr. 2018 - 13:22

Type de publication:

Conference Paper

Auteurs:

Garikayi Madzudzo; David Morris; Alexeis Garcia-Perez

Source:

Gerpisa colloquium, Sao Paulo (2018)

Mots-clés:

automotive supply-chain, connected vehicles, cybersecurity knowledge

Résumé:

Supplier Delocalization: A Threat to Automotive Cybersecurity Knowledge Sharing?

Garikayi Madzudzo (PhD Research Student)
Professor David Morris
Dr Alexeis Garcia-Perez

Centre for Business in Society
Faculty of Business and Law
Coventry University

February 2018

Presenting Author:
Garikayi Madzudzo
Centre for Business in Society (CBiS).
Faculty of Business and Law
Coventry University

Email: madzudzg@coventry.ac.uk
Tel: +44 (0)7415101547

Supplier Delocalization: A Threat to Automotive Cybersecurity Knowledge Sharing?

Computing technologies have transformed the automotive industry, forcing vehicle manufacturers and component suppliers to develop and integrate ever more technologically complex components into the modern connected vehicle. In the unrelenting search for sustainable competitive advantage, automotive manufacturers must develop more reliable and safer products, at the same time as promoting personalisation, higher quality and lower costs. The creation of new digital products in the automotive industry is a complex task, characterised by uncertainty, variability and the threat of cybersecurity breaches. It requires the cooperation across multiple fields of expertise, some of them new to automotive design, development and production. Globalisation and delocalisation continue to introduce new opportunities, but increase competition. Delocalisation of suppliers occurs both physically and virtually, globally dispersed component suppliers jealously guard intellectual capital (component specific knowledge and component integration processes) but do not have access to the product architectural knowledge of OEMs. At the same time the knowledge domains which are critical in the modern automotive industry are remote from those which have historically been core to competitive success.

The consequences of a cyber-vulnerable connected or autonomous vehicle affects all stakeholders in the automotive industry from vehicle manufacturers to vehicle users. Research into component specific and architectural knowledge sharing between vehicle manufacturers and their globally dispersed supply chains highlight several cybersecurity knowledge sharing challenges. This paper argues that the challenge of cybersecurity knowledge sharing is magnified by globalisation and the delocalisation of suppliers. As vehicle manufacturers try to incorporate the same scalable architecture for chip-based systems and software that has been built into computer systems for many years, the need for cybersecurity knowledge sharing has never been greater. However, in practice it has not been easy to capture cybersecurity knowledge and to apply it effectively in component design, development and integration processes for cyber-vulnerable components.

The paper draws on the results of survey which focused on automotive cybersecurity knowledge sharing approaches employed by component suppliers in the design and development of digital components for connected vehicles. The key areas of investigation were the ways component suppliers shared component specific information with vehicle manufacturers, how they acquired relevant architectural knowledge from OEMs and the identification and analysis of the barriers to cybersecurity knowledge sharing contingent on the current structure of the automotive supply chain.

Keywords: Cybersecurity knowledge, connected vehicle, automotive supply-chain.

Texte complet:

Supplier Delocalization: A Threat to Automotive Cybersecurity Knowledge Sharing?

Garikayi Madzudzo (PhD Research Student)

Professor David Morris

Dr Alexeis Garcia-Perez

Centre for Business in Society

Faculty of Business and Law

Coventry University

May 2018

Presenting Author:

Garikayi Madzudzo

Centre for Business in Society (CBiS).
Faculty of Business and Law
Coventry University

Email: madzudzg@coventry.ac.uk

Tel: +44 (0)7415101547

Abstract

Computing technologies have transformed the automotive industry, leading vehicle manufacturers and component suppliers to develop and integrate ever more technologically complex components into the modern connected vehicle. In the unrelenting search for sustainable competitive advantage, automotive manufacturers are driven to develop more reliable and safer products, at the same time as promoting product personalisation, higher quality, increased functionality and lower costs. The creation of new digital products is a complex task, characterised by uncertainty, variability and the threat of cybersecurity breaches. These innovations require cooperation across multiple fields of expertise, some of them new to automotive design, development and production. Globalisation and delocalisation continue to introduce new opportunities, but increase competition. Delocalisation of suppliers occurs both physically and virtually, globally dispersed component suppliers jealously guard intellectual capital (component specific knowledge and integration processes) but do not have access to the product architectural knowledge of OEMs. At the same time the knowledge domains which are critical in the modern automotive industry are remote from those which have historically been core to competitive success.

The potential risks inherent in a cyber-vulnerable connected or autonomous vehicle affect all stakeholders in the automotive industry from vehicle designers and manufacturers to vehicle end-users. Component specific and architectural knowledge sharing between vehicle manufacturers and their globally dispersed supply chain brings cybersecurity knowledge sharing challenges to the fore. This paper argues that the challenge of cybersecurity knowledge sharing is magnified by globalisation and the delocalisation of suppliers. As vehicle manufacturers try to incorporate the same scalable architecture for chip-based systems and software that has been built into computer systems for many years, the need for cybersecurity knowledge-sharing has never been greater. However, in practice it has not been easy to capture cybersecurity knowledge and to apply it effectively in component design, development and integration processes for cyber-vulnerable components. This maybe particularly the case where supply chains are characterised by delocalisation.

This paper draws on the results of survey which focused on the automotive cybersecurity knowledge sharing approaches employed by component suppliers in the design and development of digital components for connected vehicles. The key areas of investigation were the ways in which component suppliers shared component specific information with vehicle manufacturers, how they acquired relevant architectural knowledge from OEMs and the identification and analysis of the barriers to cybersecurity knowledge sharing contingent on the current structure of the automotive supply chain.

Keywords: Cybersecurity knowledge-sharing, connected vehicles, automotive supply-chain, delocalisation.

1.

Introduction

For much of the 21^st century, the idea that the automotive industry could develop intelligent vehicles capable of connecting to the internet has been an aspiration rather than a reality, and the idea of autonomous vehicles (AVs) seemed futuristic rather than a realistic possibility in the short or medium term. Traditionally, the automobile had been seen as an extension of a person’s ambulatory system, docile to the driver’s commands. However, recent proliferation of computable devices, and advances in ICTs, vehicle controls and embedded systems, has seen the automotive industry experiencing possibly its greatest technological transformation to-date (Sagstetter et al., 2013; Studnia et al., 2013). In the wake of these innovative advances the auto-industry has responded by developing connected vehicles, and is now on the verge of providing fully autonomous vehicles (Gerla et al., 2014; IEEE Spectrum, 2017). Connected vehicles and AVs can be seen as two separate but overlapping technologies, AVs or “driverless cars” reduce the need for input from human operators, while connected vehicles (CVs) interface with the internet, transport and road infrastructure and other intelligent vehicles to facilitate information sharing. While almost all AVs are in some sense “connected”, not all connected vehicles are automated (Glancy, 2015).

Manufacturing smart intelligent vehicles capable of absorbing information from the environment and other vehicles and then feeding it to drivers and infrastructure to assist with safe navigation, pollution control and traffic management, is an expensive, competitive complex task requiring cooperation across multiple fields of expertise. As noted by Morris and Donnelly (2004), OEMs do not have the necessary knowledge and expertise to construct modern cars on their own, nor the knowledge to manufacture the smart digital products found in modern automobiles (Autobusiness, 2004). The design, development and production of modern vehicles (AVs & CVs) is on the one hand, affected by a desire for strong and often elusive cooperative OEM-supplier relationships (Allmann et al., 2006), and, on the other, security from cyber-threats demands an effective sharing of cybersecurity knowledge between vehicle manufacturers and component suppliers as well as between suppliers themselves. At the same time, in a bid to apply downward pressure on operating costs and to satisfy an overarching need to remain competitive, the industry has turned to delocalisation (Woolliscroft et al., 2013) to countries with a lower cost base to benefit from FDI incentives (Bloodgood, 2009). With the automotive industry’s new-found resident status in the cyber-world now fully granted courtesy of the recent hacks that have occurred within the domain (Koscher et al., 2010; Checkoway et al., 2011; Miller and Valasek, 2013; Yadron, 2014), the purpose of this study is to investigate the effects of supplier delocalisation on automotive cybersecurity knowledge sharing.

In order to gain a deeper understanding of the role of cybersecurity knowledge sharing as a key factor for the creation of cyber-resilient digital products, the paper will assess changes to the automotive supply chain structure. Although, the focus is on the effects of delocalisation on cybersecurity knowledge sharing in the automotive industry, the challenge of cybersecurity knowledge sharing cuts across many industries such as oil and gas (Clayton and Segal, 2013; Mackinnin et al., 2013; Onyeji et al., 2014), transport (Jensen, 2015; Kaewunruen et al., 2016) and beyond.

To do so, we draw on existing literature and theory from the disciplines of knowledge management and, supply-chain management. The paper will present results from a survey which focused on automotive cybersecurity knowledge sharing challenges faced by suppliers of digital components for the automotive industry.

2.

Literature Review

Automotive Supply-chain

Developments in the automotive supply-chain have been fundamental to the transformations that have occurred in the automotive industry. The automotive supply-chain stretches from producers of raw materials through to the assembly of the most sophisticated electronic and computing technologies (Tang and Qian, 2008). The major components of the supply-chain now include component suppliers (Tiers 1-3), OEMs, distribution centres, dealers, customers, and global technological and idea innovators such as Google, Apple, Microsoft, and NVidia. Effective development and management of the supply-chain is acknowledged as a sustainable source of competitive advantage in the automobile industry (Gunasekaran and Ngai, 2004; Wei and Chen, 2008; IBM, 2009; Hugo et al., 2010). The supply-chain has responded to transformations in the auto-industry by undergoing major processes of consolidation resulting in a hierarchy with a small number of large transnational suppliers (Tier 1) at the top, followed by several tiers of smaller companies (Michalos et al., 2009). Tier 1 suppliers have evolved into manufacturers of the more complex systems and modules that exist in modern vehicles, resulting in a strong OEM dependency on supplier development knowledge and support. Coincident with the transformation of the auto-supply chain has been a long term move towards cooperation and away from adversarial relationships resulting in stronger knowledge sharing approaches between OEMs and suppliers due to the need to remain technologically relevant and competitive (Teece et al., 1997; Takeishi, 2000; Hugo et al., 2004; Hong et al., 2014).

Delocalisation

Delocalisation is a contested topic due to the implications for all involved stakeholders. The process cannot be totally dissociated from globalisation, and there is very little theoretical knowledge that provides a definition that separates the two concepts. However, according to Arthuis (2005), delocalisation consists of all decisions that are unfavourable to the existing location of activities and employments in a national territory, Aubert and Sillard (2005) define delocalisation as the substitution of national production by foreign production resulting from the decision of a producer to give up production in the country of origin for the purpose of manufacturing or outsourcing some or all of its products in a foreign territory. Here, delocalisation is defined as the creation and or change of location for a production facility from a developed to a developing country essentially to benefit from lower operating costs (Feinberg et al., 1998; Grignon, 2004; Hammami et al., 2008; Cârstea, 2013) or locating closer to rapid developing end-markets.

Delocalisation in the Automotive Industry

In today’s challenging world, the trend towards delocalisation has seen many enterprises from a wide range of industries re-configure their operations in the search for alternative strategies to remain competitive in an increasingly global market. This trend has been very prominent in the automotive industry whereby manufacturers have switched production to countries with potentially lower production costs (Jürgens and Krzywdzinski, 2008). The current shift towards delocalisation dates as far back as the early 1990s with the establishment of firms in low production cost countries such as Australia, Korea, Mexico, Poland, Slovakia, Czech Republic, Brazil, China, India and South Africa to name a few, and this trend continues unabated to this day (Woolliscroft et al., 2013). However, lower production cost is not the only disruptive agent accelerating delocalisation, common features such Foreign Direct Investment (FDI), increased out-sourcing, global production and cross-border trade, and deterioration in labour standards (Woolfson, 2007), have all played their part in accelerating delocalisation. Additionally, there is an increasing number of countries that have mastered the skills of producing cars with acceptable levels of quality, and often at a much lower cost compared with the US, Europe or Japan (Holweg, 2008). Furthermore, new suppliers have increased their skills and capabilities in both design and development (Holweg and Phil, 2005).

Component suppliers have not been left unscathed by the delocalisation and globalisation of automotive manufacturers. The 1990’s saw a number of takeovers of motor assembly plants around the world, such as BMW in Rosslyn South Africa, Honda in Mexico, VW (Volkswagen) in the Czech Republic, Slovakia, and Poland, Renault in Slovenia, Fiat Chrysler in Brazil, then in the mid-2000s Nissan in South Africa, BMW in Brazil and China, Toyota/PSA (Peugeot Société Anonyme) in the Czech Republic, Nissan in Brazil, PSA in Slovakia, Kia in Slovakia, Hyundai in the Czech Republic, Renault’s takeover of Dacia in Romania, and General Motors in Poland and Brazil. This structural change attracted a surge of suppliers to feed the local demand created by OEM delocalisations (Jürgens and Krzywdzinski, 2008). This trend has continued unabated with major industry actors such as Peugeot-Citron relocating from Coventry, England to the Slovak Republic, French automotive manufacturer Valeo from Neuses, Germany to Chrzanow in Poland and Ford Transit from Southampton, England to Turkey.

In the wake of these acquisitions, mergers and relocation trends, the supplier industry adapted its business models to remain relevant, futureproof and to maintain strong inter-firm relationships with OEMs (Morris and Donnelly, 2004). Suppliers responded by increasing their production and, R&D capabilities, and by rethinking their physical and economic geography (Frigant and Layan, 2009). The general transformation of the supplier industry’s economic geography saw suppliers relocating in carmakers’ new home countries to cut costs. Prime examples include Lear, one of the biggest US automobile suppliers relocating production from the USA to Mexico and from Western to Eastern Europe, Delphi Automotive, a global automotive parts technology company relocated from north-east Ohio, USA and into Mexico and China, and Bosch, one of the world’s original equipment and innovation leader closed its car-parts plant in Miskin, Wales and relocated to Hungary. Delocalisation has allowed suppliers to weave globalised productive networks that operate on a worldwide basis and generate huge financial savings.

It is tempting to think that delocalisation is, overall, a positive force which brings financial benefits to vehicle manufacturers and, component suppliers, economic growth to the receiving countries (Cârstea, 2013), and lower costs to auto consumers and users. However, this is not an unambiguous case, for example, developed countries are disfavoured by the loss of investments. A less obvious consequence of the delocalisation process is the heightened difficulty of developing cybersecurity knowledge sharing approaches that encompass information about the system environment (architectural knowledge) into which suppliers’ products are integrated (Sturgeon et al., 2009). This demands sharing of specific information relating to the component to be integrated into the automotive architecture. The potential delocalisation impacts on supply-chain cybersecurity knowledge sharing approaches have not received the attention they demand or deserve, such impacts are not well identified and not considered partially as a consequence of the novelty of the cybersecurity phenomenon (Hammami et al., 2008; Morris et al., 2018). Instead efforts expanded in making delocalisation work better have concentrated on reducing additional costs, improving transportation and logistics and making technological acquisitions.

3.

Method

Selecting Survey Participants and Data collection

Following Bryman and Bell (2015), and Etikan et al. (2016), a deliberative and flexible purposive approach was employed to recruit survey participants from automotive component manufacturing firms who have an understanding of automotive cybersecurity knowledge sharing and automotive digital product development. Potential participants had to satisfy the following criteria:

First and foremost, participants had to provide consent to participate in the research study.

Secondly, the participants had to be involved in automotive cybersecurity knowledge sharing approaches or management and/or were involved in relevant knowledge transfer processes within their organisation.

Thirdly, the participant’s organisation was required to have some form of involvement with either connected vehicle or AV development research and/or automotive cybersecurity research.

An online questionnaire was used given the geographical spread of the automotive industry, the time and resources available, and the high non-response rates associated with postal questionnaires (Gelder et al., 2010). The questionnaire was designed and distributed via the online application Qualtrics. Qualtrics is a powerful web-based research suite used to build and conduct survey research, evaluations, analyse responses and other data collection activities. Twenty-three participants from a total of six organisations whose focus is to manufacture and supply digital components for connected and autonomous vehicles participated in the study; the participant’s classification data is displayed in Table 1 below. The participants’ organisations were located in the UK, Luxembourg, Germany, India, China, Hungary and the US. A brief description of the organisation from where the participants were sought is provided below.

Organisation A: a leading global supplier of technologies for the automotive market, which provides more connected solutions for connected vehicles than most other component manufacturers. Organisation-A employs over 400,500 and has manufacturing plants in every continent with a bulk of its branches located in Germany. It is one of the world’s largest and most diversified automotive parts manufacturer, employing personnel with skill and experience in component integration, software integration, automotive software development and, software testing and validation.

Organisation B: one of the leading global suppliers of automotive technology and services. It offers the automotive industry innovative solutions and expertise in connected mobility through its expertise in sensor technology, sensor software, and services. Organisation-B employs over 147,000 personnel and has been in existence for over 100 years, with its legacy dating as far back as 1888. Its biggest automotive technology centre offers innovative solutions and develops components, subsystems and systems for engine management.

Organisation C: an organisation focused on delivering highly developed intelligent technologies for mobility and transporting materials. It is also a leading supplier in the development of vehicle electronics and cabin control systems. Organisation-C has a number of Research and Development locations around the world allowing for a global reach to nearly every market.

Organisation D: this organisation’s objectives are creating and establishing open standardized software architectures for automotive control units (ECUs). It works with different vehicle manufactures, supplying scalable vehicle platform variants, transferable software and innovative designs for control system components. Founded in Germany in 1871, it has helped to turn mobility ideas into reality for more than 145 years. Organisation-D employs over 235,473 employees in 61 countries over 554 locations across all five continents.

Organisation E: designs and engineers highly integrated software, connected products and solutions for automakers, they are the leading manufacturer of connected car systems, audio, infotainment and visual products. Organisation E employees specialise in vehicle system integration projects, automotive software engineering, in-vehicle security, automotive infotainment and telematics projects. Although still a relatively young organisation, founded in 1997, organisation-E’s innovative designs and superior manufacturing abilities have earned the trust of some of the leading vehicle manufacturers.

Organisation F: leaders of virtual reality design and development. Organisation-F employs its ability to intersect virtual reality, high performance computing and artificial intelligence (AI) to give the connected vehicle “sight and a brain”. Although organisation-F has its roots in the PC gaming market, it has become a major player in the automotive playground through revolutionised parallel computing and modern computer graphics. Located in America, Asia and Europe, organisation-F has 40 offices and plans to expand further.

Table 1 gives more information on individual survey participants by employer (organisation) and job role.

Job Title	Respondent	Company	Brief Job Description
Senior Project Manager	A1	Org-A	Connected vehicle development.
Technical Manager	A2	Org-A	Responsible for cross functional teams working on developing automotive electronic components.
Senior Manager	A3	Org-A	Working with the integration team to support the integration of new and existing electrical systems into multiple environments such as prototypes.
Integration Engineer	A4	Org-A	Support system integration and packaging topics for the driver assistance domain control unit.
Cybersecurity Architect	A5	Org-A	Incident analysis.
Software Engineer	A6	Org-A	Application (Apps) Engineer.
Technical Project Manager	A7	Org-A	Technical manager for Driver Assistance Systems
Software Engineer	A8	Org-A	Software development for engine management systems and ECUs
Automotive Cybersecurity Specialist	A9	Org-A	Developing cyber-secure automotive solutions
Project Manager	B1	Org-B	Currently leading a product management function for connected and autonomous vehicle electronic component development.
Cybersecurity System Specialist	B2	Org-B	Job involves developing security and privacy solutions around electronic control units (ECUs) and the associated interfaces and networks.
Company Director	B3	Org-B	Director of Engineering in automotive electronic components and systems.
Project Manager	B4	Org-B	Involved with ECM development and deployment.
Integration Supervisor	B5	Org-B	Managing component integration of electronic automotive components.
Automotive Technology Specialist	C1	Org-C	Designing and developing the latest automotive technology for connected and autonomous vehicles.
Project Manager	C2	Org-C	Lead on a cybersecurity technology and innovation team. Manages a team focused on embedded IoT and cloud security and development of security concepts for connected and autonomous vehicles.
Integration Engineer	C3	Org-C	Software developer for automotive devices and mobile applications
Senior Software Engineer	C4	Org-C	Detailed Design, Coding and module testing of specific SW modules in accordance to ADAS processes and conventions
Automotive Engineer	D1	Org-D	Responsible for automotive infotainment validation.
Head of Connected Car Technology	D2	Org-D	Development of connected car electronic component solutions.
Infotainment System Specialist	E1	Org-E	Software development for autonomous and connected vehicles.
Software Engineer	E2	Org-E	Embedded Software lead, FOTA development
Software Engineer – Connected & Infotainment	F1	Org-F	Leading early integration workshop to implement up new technologies and interfaces.

Table 1: Participants’ classification data

The Survey Instrument

The questionnaire comprised forty items separated into five sections. The first part of the questionnaire requested the participant’s consent, and comprised closed questions. The second part collected the participant’s demographic and related information such as job role, title, duties and the length of time they had been employed in their current role. Demographic questions provided essential participant information (DeWalt and DeWalt, 2011; Saldana, 2015). The third part contained open-ended questions on cybersecurity awareness. Part four of the questionnaire contained open-ended questions that focused on challenges, if any, encountered by the participant’s organisation in sharing cyber-related knowledge. The final section focused on component integration strategies and, contained a mixture of both closed and open-ended questions. The analysis in this paper focuses on section four, which contained eight open-ended questions on cybersecurity knowledge-sharing challenges introduced by the trend towards delocalisation.

Data Analysis

Content analysis is the preferred approach to analysing the data; when analysing textual data unobtrusively where no prior studies have been conducted, it is capable of identifying emergent themes and patterns, structures and discourses of communication, frequencies of words and their relationships (Krippendorf, 2004; Hsieh et al., 2005; Neuendorf, 2016 ). First, an inductive manifest level of analysis was performed. Inductive manifest level process is concerned with what the participants actually say and stays very close to the text, describing the visible and obvious in the text. The process aimed to identify continuous patterns and regular themes that emerge from the data as suggested by Elo et al. (2008). Additionally, to ensure that the data collected was not misinterpreted or misconstrued, the inductive manifest process was complemented by a latent level of analysis. The latent level process, is a more interpretive analysis concerned with the responses per se rather than what may have been inferred or implied (Strauss and Corbin, 1998; Gillman, 2000; Elo and Kyngas, 2008; Yin, 2009). This process assisted in identifying emergent themes and the formation of clusters. Coding was performed through the use of computerised software as suggested by Gilbert et al. (2014); and Silver and Lewis (2014). Nvivo, a powerful efficient analytical tool, was used to code, categorise, reshape, reorganise and examine relationships, and to compare coding nodes. Data reliability and validity was catered for by (a) providing a personalised link to the online survey for each participant in-order to minimise bias, (b) using data collection tools and processes that are appropriate to the study, (c) carefully considering the suitability of the methodological approach to the research, (d) applying appropriate data sampling and data analysis techniques suitable for the study and (e) pre-testing of the questions for the online questionnaire was conducted prior to presenting the questions to the participants.

Results

The results of the survey show that cybersecurity knowledge sharing approaches in use by component suppliers have been evolved from traditional knowledge management and transfer approaches and mechanisms that have long existed within the automotive ecosystem. Knowledge sharing (KS), knowledge management (KM), and knowledge transfer (KT) mechanisms in component manufacture highlighted by, for example Nonaka and Takeuchi (1995), Teece et al. (1997), Prahalad and Hamel (2000), and Takeishi (2000), provide the base on which current cybersecurity knowledge-sharing approaches are built. As indicated in Table 2 below, suppliers are yet to design and develop a mechanism specific to sharing cybersecurity knowledge.

CSK Sharing Approach	Name of Organisation
	Org A	Org B	Org C	Org D	Org E	Org F
Working group Publications	X	X	X
Disseminating Best Practice	X	X	X		X
Published Industrial Standards	X	X	X
Training sessions				X	X	X
Knowledge sharing sessions		X		X	X	X
Secondments/ Placements	X				X	X
Specialised Recruitment				X	X	X
Joint Projects with Lower Tier Suppliers	X	X	X			X

Table 2. Approaches employed in Cybersecurity knowledge-sharing by Component Suppliers.

Source: Author (2018)

The main challenge to cybersecurity knowledge sharing highlighted by the survey was a lack of awareness of CSK sharing approaches. Study participants were asked if they were aware of any mechanism their organisation employed in sharing cybersecurity knowledge. As shown in Table 3 below, 83% of participants were not aware or familiar with CSK approaches used by their organisation to share cybersecurity knowledge with other suppliers, 87% of the participants were not familiar with CSK approaches employed by their organisation to share cybersecurity knowledge with OEMs, while 75% were not familiar with inter-departmental CSK sharing approaches in their own organisations.

Supply Chain

OEMS

Inter-departmental

Overall Totals

Aware

Unaware

4 (17%)

19(83%)

3 (13%)

20(87%)

5 (25%)

18 (75%)

17%

83%

Table 3: Component Suppliers Awareness to CSK Sharing Approaches

Source: Author (2018)

Other CSK sharing challenges introduced by supplier delocalisation are presented in Table 4 below along with a brief explanation derived from some of participant’s comments.

CSK Sharing Challenges Due to Supplier Delocalisation	Brief Description
Competition	Suppliers are locked in a race to design, develop and bring the latest technology to market, this creates competition amongst suppliers, which in turn ensures that suppliers do not engage in CSK sharing initiatives.
Lack of Trust	Lack of trust created by competition and the need to remain relevant.
Inadequate Industrial Standards	Current and existing standards do not cater for cybersecurity knowledge sharing challenges.
Restrictions	Restrictions imposed via Non-Disclosure Agreements (NDAs), Contractual Agreements and design contracts affect CSK sharing. Although the primary purpose of these restrictions is to protect Intellectual Property (IP), they do not encourage CSK sharing within the auto-domain.
Communication Structures	Existing communication mechanisms are deemed incompatible and insufficient for cybersecurity knowledge sharing. Participants highlighted the need for a safe and secure environment whereby cybersecurity information can be shared without fear and concern that it will accessible to potential hackers.
Legislation and Law	Differences in legislation and laws between countries affects and restricts sharing of relevant cybersecurity knowledge. Legislation and laws in some countries determines how much and which type of information can be shared.

Table 4: Cybersecurity Knowledge Sharing Challenges according to Suppliers.

Source: Author (2018)

Discussion

The automotive industry is one of the most competitive industrial sectors in the global economy, and has been so even before the delocalisation trend began. With every vehicle manufacturer working towards designing and developing new vehicles that are designed to offer more comfort, incorporate new innovative technologies and better styling, OEMs rely on their existing suppliers to deliver, or they switch suppliers. Of course, many factors play an important role in this equation, including cost and time. In the context of designing and manufacturing such components, and in order to offer components at competitive prices within required time scales, suppliers have to redesign or reconfigure their business strategies, with a frequent outcome being delocalisation. However, this analysis is over-simplistic and makes a number of assumptions about the growing trend of supplier delocalisation. Although, this article does not focus on the existence of supplier parks or their inadequacies, an attempt is made below to highlight the shift to delocalisation, and the advantages delocalisation holds over supplier parks, before reverting back to the problems introduced by delocalisation on CSK sharing.

Prior to the trend of delocalisation, supplier parks existed and serviced the industry sufficiently, so when did supplier parks fall short? Initially, supplier parks were designed as a solution to problems of reliability in logistics and transportation (Larsson, 2002), to lower capital and labour costs (Morris and Donnelly, 2004), to fulfil customer orders in short lead times through responsive manufacturing and information exchange (Howard et al., 2003; Holweg and Pil, 2004; Gunasekaran, 2005), and closely tie supplier production schedules into customer production schedules (Howard et al., 2006). If supplier parks were successfully delivering on these expectations, then what drove suppliers and OEMs to look to delocalisation? What is it that delocalisation offers that supplier parks fail to provide? Which technological advances and innovations have caused vibrations within the automotive domain? Is physical proximity vitally important in component design and manufacture? Could it be that supplier parks were a “village of warehouses” containing firms that could only contribute to the regional industrial system and not globally? Or could it be that supplier parks created an unhealthy OEM dependency on the supplier’s components? Do supplier parks create a regional imbalance with many suppliers surrounding the OEM in one region? The list of questions seems endless.

Benefits of Delocalisation

Delocalisation offers suppliers opportunities such as the opportunity to exploit new markets and discover new ways of manufacturing products. Automotive suppliers operate increasingly more in international networks and value chains (Kilvits and Purju, 2008). They locate procurement, production, distribution, marketing, sales and service in different countries across the world. They perform operations where the price-quality ratio is best. In short, delocalisation allows suppliers to produce where it is cheaper and sell where there is purchasing power. We assume that advantages such as the availability of human capital, proximity to OEMs, competitive labour costs, manufacturing cost reduction, manufacturing country where buyers are located and lower logistics costa are some of the potential advantages of delocalisation. However, for such complementarities to be realised, governments assist in attracting organisations seeking to delocalise. Governments play important roles through economic regulation and polices in shaping patterns of industrial upgrading, regionalisation and delocalisation (Radosevic, 2002; Dickens, 2007; Coe et al., 2008). Space is not homogenous. Different economic activities take place in different locations. The type of business that dominates today’s global economic market operates on the basis of finding the cheapest production cost, in particular labour. In the context of automotive cybersecurity, those businesses must manufacturer products capable of withstanding cybersecurity threats.

Challenges of Delocalisation

After presenting some of the benefits of delocalisation enjoyed by both manufacturers and consumers, it is important to highlight some of the challenges introduced by delocalisation of suppliers from a cybersecurity knowledge sharing viewpoint. Prior to the trend of delocalisation, suppliers were based in close proximity to the OEM plant (Chew, 2003; Morris & Donnelley, 2004) facilitating timely knowledge sharing processes (Howard et al., 2006). The effects of delocalisation involve current practices and supporting technologies (secure communication and information systems) limiting the ability of component manufacturing organisations to share cyber-related information. Supplier delocalisation appears to be another nail in the cybersecurity knowledge-sharing coffin. The survey results highlight that delocalisation enhances the problems of trust, intensifies competition and does not encourage cybersecurity knowledge sharing. As highlighted by the survey, the industry is lacking in communication structures adequate enough to support sharing cybersecurity knowledge, and with suppliers using different coding practices, styles and language, which are not shared with other geographically dispersed suppliers manufacturing components to be integrated into a system. This difference in coding language, coding practices and coding styles creates cybersecurity vulnerabilities when the components are integrated into system or sub-system. This problem is exasperated by lack of trust of seismic portions between suppliers. This lack of trust with cybersecurity solutions and mitigation processes has seen the rise in use of NDAs (non-disclosure agreements), design contracts and design by contract agreements being signed before joint projects and collaborations as noted by participant D2 who stated that

“There is no trust been us as suppliers, to the point that when we have meetings during a joint collaboration, the meetings are heavily restricted to the point where it is almost useless, no one wants to share anything that they think will give them an edge over the other suppliers”.

This lack of trust that exists within the auto-industry is born out of a very competitive environment that does not permit cybersecurity knowledge sharing. Along with supplier delocalisation, the transformation of the automobile, competition in the automotive sector is at an all-time high. The challenge posed by the competitive nature of the industry is captured by participant B3, a company director, who stated that

“Due to the competitive nature of the industry, it’s a race to see who is going to bring the next innovative product to market, I remember the first man on the moon, l don’t know who the second was, so we are in a very competitive industry, a very fast moving industry, and the only way to try and stay ahead is to keep your cards close to your chest”.

This statement was supported by participant A2, who stated that

“When it comes to cybersecurity knowledge sharing, there is none, there is none simply, because every player is trying to protect themselves in order to make sure that they will introduce into the market, that trend or that highly innovative product before their competitors and at the end of the day everyone is trying to make money”.

The overarching conclusion comes in the form of lack of cybersecurity knowledge, and a lack of awareness of cybersecurity knowledge sharing mechanisms. Safety and comfort remain as the primary concerns in vehicle manufacturer, with some suppliers confident that cybersecurity vulnerabilities will not be exploited to cause harm. The threats posed by cybersecurity are yet to send shivers down the automotive spine. The threat of cybersecurity is not fully appreciated as a reality with a potential to kill, maim or destroy human life, as noted by participant C2

“We are more concerned with safety because obviously safety kills, cybersecurity threats will only target people’s identity and personal data, which is harmless to a certain extent, but l cannot foresee that happening in the near future as there is no reason or monetary benefit in hacking vehicles”.

If cybersecurity knowledge sharing failed to fully materialise when suppliers were located around OEMs, then what hope is there in a delocalised supply-chain that lacks mechanisms to govern and control cybersecurity knowledge sharing (Dandurand and Serrano, 2013).

Conclusion

This paper, focuses on the challenges of sharing cybersecurity knowledge in a delocalised supply chain environment. We proposed and adopted a precise definition for the term delocalisation in the context of automotive component manufacture, and we reviewed the theoretical background on why suppliers in the automotive industry adopt delocalisation as a means to apply downward pressure on operating costs and to satisfy an overarching need to remain competitive and relevant. We identified the characteristics of the delocalisation phenomena that impact product, cost, labour and revenue while emphasizing those characteristics that distinguish delocalisation from supplier parks. We then identified cybersecurity knowledge sharing challenges introduced by delocalisation through the use of an online survey presented to suppliers involved with the manufacture of digital automotive components for connected vehicles and autonomous vehicles. A discussion of supplier parks versus delocalisation was conducted in a bid to understand the reasons why delocalisation is viewed as a solution to the issues that supplier parks fail to address, while highlighting how delocalisation presents a threat to cybersecurity knowledge sharing.

References

Allmann, C., Winkler, L., and Kölzow, T. (2006) 'The Requirements Engineering Gap in the OEM-Supplier Relationship'. Journal of Universal Knowledge Management 1 (2), 103-111

Amin, M. and Tariq, Z. (2015) 'Securing the Car: How Intrusive Manufacturer-Supplier Approaches can Reduce Cybersecurity Vulnerabilities'. Technology Innovation Management Review 5 (1), 21

Bloodgood, L. (2009) 'Inbound and Outbound US Foreign Direct Investment, 2000-2007'. Journal of International Commerce and Economics. 2, 149

Bryman, A. and Bell, E. (2015) Business Research Methods.: Oxford University Press, USA

Cârstea, V. (2013) 'Delocalization-the Automotive Industry's Answer to Cost Reduction'. Romanian Economic and Business Review, 180

Checkoway, S., McCoy, D., Kantor, B., Anderson, D., Shacham, H., Savage, S., Koscher, K., Czeskis, A., Roesner, F., and Kohno, T. (eds.) (2011) USENIX Security Symposium. 'Comprehensive Experimental Analyses of Automotive Attack Surfaces.': San Francisco

Dandurand, L. and Serrano, O. S. (eds.) (2013) Cyber Conflict (CyCon), 2013 5th International Conference. 'Towards Improved Cyber Security Information Sharing': IEEE

DeWalt, K. M. and DeWalt, B. R. (2011) Participant Observation: A Guide for Fieldworkers.: Rowman Altamira

Feinberg, S. E., Keane, M. P., and Bognanno, M. F. (1998) 'Trade Liberalization and'Delocalization': New Evidence from Firm-Level Panel Data'. Canadian Journal of Economics, 749-777

Gerla, M., Lee, E., Pau, G., and Lee, U. (eds.) (2014) Internet of Things (WF-IoT), 2014 IEEE World Forum on. 'Internet of Vehicles: From Intelligent Grid to Autonomous Cars and Vehicular Clouds': IEEE

Glancy, D. J. (2015) 'Autonomous and Automated and Connected Cars-Oh My: First Generation Autonomous Cars in the Legal Ecosystem'. Minn.JL Sci.& Tech. 16, 619

Gunasekaran, A. and Ngai, E. W. (2004) 'Information Systems in Supply Chain Integration and Management'. European Journal of Operational Research 159 (2), 269-295

Hammami, R., Frein, Y., and Hadj-Alouane, A. B. (2008) 'Supply Chain Design in the Delocalization Context: Relevant Features and New Modeling Tendencies'. International Journal of Production Economics 113 (2), 641-656

Holweg, M. (2008) 'The Evolution of Competition in the Automotive Industry'. In Build to Order. ed. by Anon: Springer, 13-34

Holweg, M. and Pil, F. K. (2005) 'The Second Century: Reconnecting Customer and Value Chain through Build-to-Order Moving Beyond Mass and Lean in the Auto Industry'. MIT Press Books 1

Hong, P., Doll, W. J., Nahm, A. Y., and Li, X. (2004) 'Knowledge Sharing in Integrated Product Development'. European Journal of Innovation Management 7 (2), 102-112

Hugo, W. (2010) Supply Chain Management: Logistics in Perspective.: Van Schalk

Jürgens, U. and Krzywdzinski, M. (2010) Die Neue Ost-West-Arbeitsteilung.: Campus Verlag

Kilvits, K. and Purju, A. (2008) 'The Impact of Public Procurement on Foreign Trade: The Case of Estonia'. International Journal of Public Policy 4 (1-2), 159-177

Koscher, K., Czeskis, A., Roesner, F., Patel, S., Kohno, T., Checkoway, S., McCoy, D., Kantor, B., Anderson, D., and Shacham, H. (eds.) (2010) Security and Privacy (SP), 2010 IEEE Symposium. 'Experimental Security Analysis of a Modern Automobile': IEEE

Larsson, A. (2002) 'The Development and Regional Significance of the Automotive Industry: Supplier Parks in Western Europe'. International Journal of Urban and Regional Research 26 (4), 767-784

Miller, C. and Valasek, C. (2014) 'A Survey of Remote Automotive Attack Surfaces'. Blackhat Usa

Morris, D., Donnelly, T., and Donnelly, T. (2004) 'Supplier Parks in the Automotive Industry'. Supply Chain Management: An International Journal 9 (2), 129-133

Morris, D., Madzudzo, G., and Garcia-Perez, A. (2018). Connected cars and cybersecurity: a perfect storm? 25th Gerpisa International Colloquium. http://gerpisa.org/node/3693

Neuendorf, K. A. (2016) The Content Analysis Guidebook.: Sage

Nonaka, I. and Takeuchi, H. (1995) The Knowledge-Creating Company: How Japanese Companies Create the Dynamics of Innovation.: Oxford University Press

Prahalad, C. K. and Hamel, G. (2000) 'The Core Competence of the Corporation'. in Strategic Learning in a Knowledge Economy. ed. by Anon: Elsevier, 3-22

Radošević, S. (2002) 'The Electronics Industry in Central and Eastern Europe: An Emerging Production Location in the Alignment of Networks Perspective'

Sagstetter, F., Lukasiewycz, M., Steinhorst, S., Wolf, M., Bouard, A., Harris, W. R., Jha, S., Peyrin, T., Poschmann, A., and Chakraborty, S. (eds.) (2013) Proceedings of the Conference on Design, Automation and Test in Europe. 'Security Challenges in Automotive hardware/software Architecture Design': EDA Consortium

Saldaña, J. (2015) The Coding Manual for Qualitative Researchers.: Sage

Studnia, I., Nicomette, V., Alata, E., Deswarte, Y., Kaâniche, M., and Laarouchi, Y. (eds.) (2013) Dependable Systems and Networks Workshop (DSN-W), 2013 43rd Annual IEEE/IFIP Conference on. 'Survey on Security Threats and Protection Mechanisms in Embedded Automotive Networks': IEEE

Takeishi, A. (2002) 'Knowledge Partitioning in the Interfirm Division of Labor: The Case of Automotive Product Development'. Organization Science 13 (3), 321-338

Tang, D. and Qian, X. (2008) 'Product Lifecycle Management for Automotive Development Focusing on Supplier Integration'. Computers in Industry 59 (2-3), 288-295

Woolliscroft, P., Caganova, D., Cambal, M., Holecek, J., and Pucikova, L. (2013) 'Implications for Optimisation of the Automotive Supply Chain through Knowledge Management'. Procedia CIRP 7, 211-216

Yin, R. K. (2009) Case Study Research, Design & Methods 4th Ed.

Thème: Production models and strategies, new and traditional players: between incremental and disruptive innovation