Automotive Security & Privacy : Are you Ready ?

October 27, 2021

Cars are becoming more connected than ever, which makes them a potential target for malicious actors. In fact, cyberattacks on connected cars have become more common. Automotive security has hence evolved from securing door locks to secure communication, data protection, intrusion prevention, and much more.

Security vulnerabilities

The attack surface on connected cars has become broader given their growing connectivity (vehicle-to-infrastructure, vehicle-to-vehicle, vehicle-to-cloud, vehicle-to-pedestrian, and vehicle-to-everything communications).  This makes automotive products, systems and their components vulnerable to different attacks.  Security vulnerabilities can occur in various aspects of connected cars, particularly:

  • In communication channels, e.g., spoofing of messages, interference with sensor signals, manipulation of keyless entry, and GPS spoofing
  • In the update process, e.g., fabricating the system update program or firmware
  • In third-party software components, e.g., insecure third-party libraries
  • In backend servers, e.g., unauthorized access and information leakage
  • In unintended human actions, e.g., defined processes are not followed

Privacy Risks

Privacy in connected cars means more than just tinted windows. Data collection (vehicle data, driver data, sensor data) is a vital part of connected cars: it enables many useful advanced features such as safety-critical driving control, personalized (driving) assistance, voice commands and remote diagnostics, all of which require extensive data. But data collection comes at a cost, namely user privacy. Without proper security and privacy mechanisms, the privacy of the user (e.g., the driver) can easily be violated. For example, the user's data protection rights are violated when information is collected in non-transparent ways, when data is not stored securely (which results in data leakage), or when the user is given no choice to opt in to (or opt out of) data collection.

Regulations and Standards

To holistically tackle the issues of automotive security and privacy, related organizations and governments aim to make security an essential part of the automotive development lifecycle. Therefore, standards and regulations for automotive security have been introduced. Compliant cybersecurity management hence becomes an important goal for automotive makers.

Specifically, both UN ECE WP.29 and ISO/SAE 21434 require securing vehicles throughout their lifecycle. They additionally require a well-defined cybersecurity management system inside the organization as well as a thorough threat analysis and risk assessment (TARA). While UN ECE WP.29 will be legally binding, the ISO/SAE 21434 standard is becoming the norm in the industry.

With UN ECE WP.29 being legally binding, from July 2022 onwards newly produced vehicle lines must obtain type approval as a sub-component of the process of vehicle type approval. Additionally, system type approval for cybersecurity will become mandatory for all vehicle “first registrations” after July 2024. All manufacturers and suppliers are racing toward compliance with this regulation. Rapid implementation of products compliant with different security and privacy regulations is therefore becoming a key competitive factor.

Are you ready?

It is not just about building automotive products that are compliant with security and privacy regulations and standards but also providing end-to-end cybersecurity management across the product’s entire lifecycle. This is an exciting time to see organizations shaping themselves toward the incoming era, namely connected cars, where the security of the cars and privacy of end-users will be the top priority. Is your organization ready for this journey?

References

https://unece.org/wp29-introduction

https://www.iso.org/standard/70918.html