With new threat actors appearing every day, cybersecurity is becoming increasingly crucial, particularly in the automotive industry. One of the most well-known applications of the internet of things is connected vehicles. In reality, with between 70 and 100 Electronic Control Units (ECUs) integrated into each vehicle, automobiles have evolved to become the key players in internet-of-things environments. Threat actors are finding it easier to hack and take control of automobiles as IoT devices and ECUs become more reliable.
Manufacturers began working with the United Nations Economic Commission for Europe (UNECE) in 2011 to develop a regulatory framework to support auto cybersecurity, and in 2021, the governing body announced that regulations would go into effect in July 2022 for all new vehicle types, before becoming mandatory for all new cars in 54 countries by July 2024.
Despite the fact that legislation is advancing at a breakneck pace, many argue that it can't happen quickly enough because the risk of hackers abusing connected vehicles is all too real. According to the United Nations Economic Commission for Europe, automobiles already have up to 150 ECUs and approximately 100 million lines of code – four times that of a fighter jet – with that number expected to climb to 300 million lines of code by 2030. Insiders in the industry know that this isn't a minor issue; it's perhaps one of the most significant issues they confront.
3 Unique Automotive Cybersecurity Challenges
1) One Solution Doesn't Fit All Players
Using a tested method established for another industry isn't going to cut it in the automotive business. Cybersecurity is relatively new to the car industry – it's only been a focus for about 10 years – but IT security as a whole dates back to the late 1980s. As a result, the auto industry frequently lacks the necessary in-house expertise and experience in this area.
When you bring legacy systems like CAN and FlexRay into the mix, you've got a unique and hard route to walk. There's also the matter of how rigorously new laws would be enforced — will giant OEMs and small-scale manufacturers be given the same treatment?
2) Longer Product Life Cycles Increase Worries
The duration of the automotive product lifecycle increases the difficulty for business owners. Consider this: if development cycles range from 5 to 10 years (depending on component), and the average age of a scrapped automobile is 14, you're looking at a lifecycle of 20 years or more.
The cyberthreat will have evolved numerous times throughout this period, prompting OEMs and their suppliers to solve for the fleet's long-term security. Manufacturers may be obliged to provide cybersecurity warranties or after-sales support products, complete with regular patch updates, at some point in the future.
3) A Time of Seismic Change
We all know that the auto industry is undergoing a major transformation as it switches its business model to alternative fuel sources in order to satisfy government targets and rising customer demand. However, alongside alternative fuel vehicles (AFVs), the cybersecurity vulnerabilities of connected cars raise concerns that are just as serious, if not more so.
With growing connectivity comes greater security challenges, and while safety must always come first, new transportation-on-demand or MaaS (Mobility as a Service) models will raise new issues to address, such as payment, billing, and personal data security. Despite the fact that many large OEMs are forming their own cybersecurity teams, what about tier 1 and 2 suppliers who will be held to the same standards?
Automotive Cybersecurity in Four Stages
One of the most significant challenges faced by the whole automobile sector is cybersecurity. We examine it from four perspectives.
- First, the individual electronic components, which act as mini-computers that control all of the vehicle's activities.
- Second, communication between these various components, which together make up the vehicle's complete system.
- Third, the slew of interactions between the car and the rest of the world.
- Fourth, data processing and transfer outside of the vehicle, including the cloud and back end.
Upcoming Automotive Cybersecurity Regulations
As cars become more reliant on software for everything from entertainment to safety and suspension settings, implementing more secure software development and update processes today is likely less expensive than responding to and remediating a significant cybersecurity problem later. Here are a few upcoming automotive cybersecurity regulations that you should be mindful of:
1) UNECE (United Nations Economic Commission for Europe) WP.29 Regulations
The UN Economic Commission for Europe (UNECE) is developing measures to improve automotive cybersecurity and software update management.
Manufacturers will be required to implement steps in four areas under the WP.29 regulations:
- Managing cyber threats to vehicles
- Designing cars to be secure from the start to reduce risk across the value chain
- Detecting and responding to security breaches across the entire fleet of vehicles
- Assisting with secure software updates and ensuring that vehicle safety is not jeopardized
Regulations on automotive cybersecurity will be mandatory for all new vehicles produced in the European Union starting in July 2024. In addition, Japan and Korea have agreed to apply the measures on their own timetables. They do not apply to automakers in North America.
The WP.29 rule establishes the cybersecurity criteria for vehicles of various types (cars, vans, lorries, and buses), as well as the certificate of conformity for the Cyber Security Management System (CSMS). The CSMS is the manufacturer's cybersecurity management system; it covers all processes, activities, and persons involved in ensuring the safety of the vehicles.
UN R155 aims to provide a type-approval framework for lowering cyber security risks across the whole product life cycle (i.e., in the development, manufacturing, and post-production phases), as well as the formation of a "cyber security management system" ("CSMS").
The goal of UN R156 is to develop a type-approval framework for automotive software updates, as well as a software update management system ("SUMS"). The phrase "software update" is defined in paragraph 2.3 of UN R156 as "a package used to upgrade the program to a new version, including a change of the configuration parameters."
2) Risk Assessment Standards
Furthermore, the International Organization for Standardization (ISO) is developing cybersecurity guidelines for automobiles. The ISO/SAE 21434 standard mandates "cybersecurity by design" across the vehicle's whole lifecycle.
ISO 21434 provides specifics on procedures and work products and serves as a blueprint for building a risk assessment system.
The total WP.29 compliance process can be divided into three stages:
- Assessment: scoping and status evaluation. The end result should be a framework that is interoperable.
- Implementation: establishing a cybersecurity organization (based on ISO 21434), defining risks, people, and tools, and completing the orchestration of the organization.
- Operations: monitoring, assessment, and continuous processes. This stage leads to the implementation of the CSMS, which is followed by some form of approval.
Starting with the Compliance Journey
The following preliminary procedures can assist automotive manufacturers in achieving WP.29 cybersecurity compliance:
1) Conduct a Readiness Assessment: By comparing the existing state of their companies to the WP.29 cybersecurity framework's standards, manufacturers can determine which personnel, capabilities, and procedures they will need to implement in order to achieve compliance.
2) Establish an Internal UNECE Cyber Readiness Program: The readiness assessment should give the data needed to create an effective readiness program. When fully implemented, this program will enforce the WP.29 cybersecurity controls, procedures, and reporting requirements.
3) Conduct a Deep Dive into Ongoing Vehicle Projects: Building a car that cannot be sold is a manufacturer's worst fear. To avoid this, a thorough examination of cars in the development pipeline will reveal any possible WP.29 concerns prior to production.
4) Perform Regular VA+PT Tests on the Devices: Penetration testing of connected automobiles entails performing an end-to-end vulnerability assessment and penetration test of all devices on the network in order to ensure that every security hole is detected and resolved with next-generation solutions. Businesses are taking advantage of the benefits offered by connected devices to gather business analytics and use AI/ML to automate specific operations.
Future of Automotive Cybersecurity
The industry needs standard procedures and international regulations for automotive cybersecurity since cyberattacks on automobiles are becoming more common and posing a greater risk.
In the end, automakers in the impacted nations will have to comply with the new UNECE regulations and adjust their business practices. The ISO 21434 standard is designed to make the compliance process more visible and to lay the groundwork for general standardization.
The automotive sector is undergoing major technological changes. Many automakers will have to comply with international legislation and standards when it comes to connected car data security. They will have a better chance of implementing the necessary changes to comply with the new norms and standards if they start preparing sooner rather than later.