New cyber threats pose a risk to an automotive industry in transition.
Our cars have long since become computers on wheels. As a result, advancing digitization, autonomous driving, and increased connectivity pose new challenges for cybersecurity.
Alarming security gaps uncovered
Digitalization also affects the automotive sector. Developments such as autonomous driving and increasing connectivity between vehicles and with the transport infrastructure are improving safety, but they also create new threats.
For instance, American cybersecurity experts have uncovered alarming security gaps in the backend and business IT systems of well-known car brands such as BMW, Porsche, and Mercedes. These gaps not only affected private vehicles, but also emergency vehicles such as police cars and ambulances. The experts were not only able to control the lights and horns, but also open and close the car doors and start the engines. Furthermore, they were able to copy vehicle data, reset settings and, in some cases, even access the manufacturers' internal networks.
Software-defined vehicles create new risks
Increasing connectivity, autonomous driving and complex software technologies are radically changing the threat scenarios. Where once it was necessary to be physically present at the vehicle to carry out attacks, now, with the installed wireless modules, attacks can also be carried out from the Internet or via other communication interfaces.
One reason for the growing threat is the increasing connectivity of our automobiles. Making cars part of a global network offers convenient features such as over-the-air updates of vehicle software, but it also opens up new attack vectors.
Autonomous driving requires a constant information exchange with the environment. IT and software systems ensure communication with various endpoints, comfort functions and mobility services such as telematics. This turns modern cars into information hubs and, at the same time, makes them attractive targets for cyberattacks.
In the future, the greatest added value will no longer come from the engineering work involved in developing the engine and powertrain, but from providing and updating the software for the vehicles on the road as quickly as possible. High complexity increases the risk of security gaps.
Increasing regulatory requirements
To address the growing threat head-on, the United Nations Economic Commission for Europe (UNECE) has drafted new regulatory requirements such as R155 and R156 under the 1958 Convention. These are aimed at ensuring cybersecurity across the entire supply chain and lifecycle of motor vehicles.
Concurrently, the ISO/SAE 21434 (Road Vehicles – Cyber Security Engineering) standard was published in August 2021, providing organizations with an implementation option for the new regulations. For the first time, this provides a unified and binding regulatory system for manufacturers. And since the entire supply chain must be audited, suppliers are also subject to the requirements.
TISAX® (Trusted Information Security Assessment Exchange), developed by the German Association of the Automotive Industry (VDA), offers a testing and exchange mechanism for information security within the automotive industry. It is based on the VDA ISA requirements, which in turn are based on ISO/IEC 27001. In the automotive industry, TISAX® is often a prerequisite for business relationships, in particular where sensitive information is involved. The goal is to avoid redundant audits and to ensure an industry-wide security standard.
Necessary protective measures
The implications for the safety requirements as well as for the E/E architecture of a vehicle can be far-reaching. It is primarily a matter of implementing the requirements across the supply chain to make the new generation of vehicles "more secure" and to update the old processes to reflect the new reality. The following measures are recommended over the entire lifecycle:
Security updates: Just as with any computer or smartphone, it is important to apply relevant security updates to the vehicle's systems to close known and potential security gaps.
Network segmentation: Separating critical system functions from less critical functions can help minimize the impact of an attack.
Hardware security mechanisms: These can include hardware-based firewalls or special chips that make sure that only signed and trusted software is running on the vehicle.
Penetration tests: Regular testing by security experts can help identify and address vulnerabilities in vehicle systems.
Education and awareness: Vehicle manufacturers and suppliers should invest in cybersecurity training for their developers and engineers.
Collaboration across the industry: Automakers and suppliers should collaborate and share information on threats and best practices.
Be careful with third-party devices: Vehicle owners should use caution when connecting third-party devices or apps to their cars. Not all are secure and they could be potential entry points for attackers.
Driving safely into the automotive future
Digitalization and autonomous driving are revolutionizing the automotive industry, but they also present new cyber threats. That is because security vulnerabilities in vehicles from well-known brands and the increasing software complexity make cars attractive targets for cyberattacks.
Now more than ever, the automotive industry must develop a new cybersecurity awareness and collaborate across the industry to maintain the balance between innovation and security.