Vehicle safety, which has long been a top concern for automotive companies, today equates to cybersecurity. That's because now more than ever, vehicles run on software.
They are fast-moving, highly connected data centers, part mainframe, and part mobile device, loaded with Internet of Things (IoT) devices. They are effectively mobile nodes operating at the edge of massive cloud infrastructure. And they will increasingly become targets for cyberattackers.
Over the past decade, auto manufacturers have steadily moved toward electric vehicles, while the industry has also introduced new mobility initiatives, such as ride sharing, car sharing, and changes to traditional ownership models. Over-the-air (OTA) updates to computer systems regularly deliver new features, improving the driving experience or fixing issues without recalling vehicles. And IoT devices laced throughout a vehicle gather, transmit, and receive information. Autonomous vehicles, taxi fleets (Uber, Lyft, Waymo), and trucking operations are around the next bend.
All of this adds urgency to vehicle cybersecurity. In June 2020, United Nations Regulation (UNR) 155 established cybersecurity requirements for members of its WP.29 group of countries, including the EU, UK, Japan, and South Korea. And while the US, Canada, and China are not members, adherence to UNR 155 is mandatory for access to those markets.
Combined with other cybersecurity requirements such as ISO/SAE 21434, and with the real threats of cyberattacks, cybersecurity will overtake functional safety among automakers' priorities, or at least gain equal footing with it. Auto companies need to be aware of a few important factors.
Identify the Threats
Cyberwarfare, already very expensive for targets, is becoming increasingly dangerous as well. Attacks on the energy sector, for example, can endanger lives if power is cut off to hospitals, nursing homes, or other care facilities. In May, the Colonial Pipeline attack didn't quite rise to that level but demonstrated how far-reaching a successful attack — achieved by compromising a single password — can be.
The risks are amplified for the auto industry by the very nature of driving at high speeds on crowded roads. Vehicle hacking, already more common than many people may think, could soon become more widespread, with the potential for life-threatening incidents on a large scale.
The economic impact of such hacking also would be considerable, adding another reason for automotive companies to focus on ensuring cybersecurity. Building trust, which is essential for any business, is paramount in transportation. Boeing's ongoing problems with its 737 Max airliner, which was grounded for 20 months in 2019 and 2020 after two crashes attributed to software failures, clearly illustrate the point. Cybersecurity efforts in the auto industry should focus on five key areas.
1. Zero-Day Exploits
The number of exposed ports in vehicles makes them vulnerable to attack. In addition to protecting against known vulnerabilities, security teams should be aware of new developments and attack vectors, perhaps by teaming with efforts such as the vendor-agnostic Zero Day Initiative.
2. Supply Chain Attacks
Auto companies need to avoid introducing vulnerabilities via OTA updates by securing Software Development Life Cycle (SDLC) processes and the transmission of updates.
3. Shared Mobility
The rise of ride- and car-sharing applications, along with expanded traditional methods such as rentals and company carpools, creates questions of user identity and access privileges that the industry needs to address.
Securing communication channels requires visibility into the cloud environment, encryption of transmissions and data, continuous monitoring, and the application of technologies such as artificial intelligence to avoid snooping and tampering.
The procedures required to secure vehicles necessarily raise privacy issues, so secure, encrypted data storage is essential.
Put Security at the Forefront
As vehicles become increasingly connected — and autonomous features become more prevalent — cybersecurity will likely become the most critical element of vehicle safety, a field that remains tightly regulated.
UN Regulation (UNR) 155 and ISO/SAE 21434 provide the framework for incorporating Cyber Security Management Systems (CSMS) for the life cycle of a vehicle, including its design and development, but auto companies will have to implement the most effective security measures they can according to those mandates. And as with cybersecurity in any other sector, risk management is key.
Among the important areas of focus, auto companies should build access models into a vehicle's design rather than adding them as an afterthought. Companies need the ability to manage a shared mobility model, remote access, maintenance access, and so on, by identifying the various roles that interact with the vehicle.
They must also implement a scalable identity warehouse to store all the identity information related to a vehicle, along with the history of associated vehicles and usage. This is necessary both for security and compliance purposes.
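The role-based access model and identity warehouse described above can be sketched as follows. This is an added example, not code from the article or from any vendor; the role names, capabilities, identities and the placeholder VIN are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Hypothetical role-to-capability map; the article defines no schema.
ROLE_CAPABILITIES = {
    "owner": {"unlock", "drive", "remote_start", "grant_access"},
    "shared_driver": {"unlock", "drive"},
    "maintenance": {"unlock", "read_diagnostics"},
    "remote_service": {"read_diagnostics"},
}

@dataclass(frozen=True)
class Grant:  # one identity, one vehicle, one role, one validity window
    identity: str
    vin: str
    role: str
    not_before: datetime
    not_after: datetime

@dataclass
class IdentityWarehouse:
    grants: list = field(default_factory=list)
    history: list = field(default_factory=list)  # append-only usage record

    def add_grant(self, grant):
        if grant.role not in ROLE_CAPABILITIES:
            raise ValueError(f"unknown role: {grant.role}")
        self.grants.append(grant)

    def authorize(self, identity, vin, action, now):
        # Deny by default: allow only if a currently valid grant covers the action.
        allowed = any(
            g.identity == identity and g.vin == vin
            and g.not_before <= now < g.not_after
            and action in ROLE_CAPABILITIES[g.role]
            for g in self.grants
        )
        self.history.append((now, identity, vin, action, allowed))  # log denials too
        return allowed

    def vehicles_for(self, identity):
        return sorted({g.vin for g in self.grants if g.identity == identity})

def demo():
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed sample data
    wh = IdentityWarehouse()
    wh.add_grant(Grant("renter-17", "VIN-EXAMPLE-0001", "shared_driver", t0, t0 + timedelta(hours=4)))
    wh.add_grant(Grant("tech-03", "VIN-EXAMPLE-0001", "maintenance", t0, t0 + timedelta(days=1)))
    return wh, t0
```

Because every decision, including each denial, lands in `history`, the same store serves both the security check and the compliance record the article calls for.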
In tandem, they'll need to balance information sharing with privacy protections. There will be ecosystems that auto companies interact with, such as rental car companies, insurance providers, supply chain, or technology companies, looking at a vehicle's data. We'll need guardrails on what information can be shared, and we'll need to get the necessary consent from individuals, in order to comply with regulations such as GDPR and CCPA/CPRA.
The auto industry's reliance on software and connectivity will only become more pronounced in the years to come. Building effective cybersecurity into all aspects of new vehicles and systems is essential to ensuring the future success of the automotive industry.