“Software in vehicles is projected to rise to 300 million lines of code by 2030”
While the digitalization of vehicles and in-vehicle systems is transforming the industry in its entirety, we must keep the security (and safety) of these systems in mind; connectivity and the added complexity it brings will inevitably lead to additional cybersecurity risks.
Consumers demand more open ecosystems to allow their devices or cloud services to connect seamlessly into the vehicle systems. For example, Volkswagen is combating the complexity in its software supply chain by bundling that knowledge in-house, with a stated goal to move at least 60% of software development in-house by 2025.
COVID-19 has also introduced additional disruptive trends, such as:
- Increased criticality of over-the-air (OTA) updates to avoid visits to dealerships for software updates (which themselves will become more frequent, bringing added complexity from faster deployment cycles).
- New focus on services based on voice and facial recognition to avoid physical contact.
- New connected services to track hygiene in cases of shared mobility.
- Anonymized track and trace services as instruments to prevent and fight against pandemics.
All of these trends highlight the need for comprehensive cybersecurity management and the implementation of technical mitigations to thwart attacks… and the industry is listening. It is projected that investments to strengthen automotive cybersecurity will increase from USD4.9 billion in 2020 to USD9.7 billion by 2030.
Regulations & Automotive Cybersecurity
The World Forum for Harmonization of Vehicle Regulations (WP.29) has just adopted two new UN regulations that will help tackle these cybersecurity risks by establishing clear performance and audit requirements for car manufacturers through internationally harmonized and binding norms across four disciplines:
- Managing vehicle cyber risks
- Securing vehicles by design along the value chain
- Responding to security incidents across the vehicle fleet
- Providing safe and secure software updates
The WP.29 regulation contains not only a practical approach to automotive cybersecurity, with concrete examples of threats and specified mitigations, but also a holistic approach, with a process and governance perspective that considers both Information Technology (IT) and Operational Technology (OT).
In the European Union, the new regulation will be mandatory for all new vehicle types from July 2022 and for all vehicles produced from July 2024.
The International Organization for Standardization (ISO) and Society of Automotive Engineers (SAE) are working on a joint standard (ISO/SAE DIS 21434) that will serve as the basis to meet the new regulatory requirements regarding cybersecurity. It is currently scheduled to be released in 2021. A different ISO working group is working on a standard to provide a similar basis regarding software updates (ISO 24089).
Both standards, along with regulation, aim to guarantee the vehicle’s proper (safe and secure) functioning during the entire vehicle lifecycle while accounting for changes to address malfunctions, cybersecurity incidents, potential tampering, and other deviations, ensuring the vehicle functions as intended.
The regulation covers what needs to be done, but intentionally does not include an explicit definition of how the regulatory requirements can be met, nor does it mandate detailed technical measures, as these would likely be outdated the moment they are printed. The use of relevant standards (such as ISO/SAE 21434) is encouraged to define and implement appropriate mitigations.
This approach will allow the industry to address these challenges along the supply chain by placing new requirements with OEMs and tiered suppliers. At the same time, the approach ensures coverage of the cybersecurity lifecycle for the duration of the (connected) car lifecycle by placing focus on security by design and by default.
There is a lot of work still to be done by the different entities in the industry to ensure continued public trust in connected, and eventually connected and automated, vehicles. The current level of regulation and standardization provides a good basis for the industry to evolve and meet new challenges; it also provides the opportunity to innovate for both incumbents and new entrants in the field.
What these regulations and standards do not address sufficiently is information sharing regarding threats and attacks. The Automotive Information Sharing and Analysis Center (ISAC) sets a good foundation there, and the ongoing discussions to share globally in a single organization are the right path forward.
At Irdeto, we believe that connectivity should not be feared or increase the risk of a cyberattack. Security should be an opportunity to differentiate, enable new business models, and earn customer confidence. Regulations and standardization cannot provide that alone; all parties in the value chain need to maintain a proper security posture in their products, IT, and OT, and continually evolve this posture to account for new threats. With that in mind, OEMs and Tier-1 suppliers will have the opportunity to unlock new business models while maintaining or increasing customer trust and comfort.
Let us show you how to meet the new regulatory requirements, be ready for evolving requirements and enable new business models at the same time.