Five key points to remember about cybersecurity for the automotive industry

Industry experts review current events to help you strengthen your resilience.

Published on May 21, 2021. François Couderc - Solenn Massard, THALES

In an ever-evolving connected world, digital transformation is gaining momentum in every aspect of daily life.

The automotive industry is no exception to this evolution: our cars are becoming our best copilots, allowing us to plan trips using real-time data or to read and reply to our texts with voice commands.

This change extends to other vehicles. The entire sector is equipping its buses, trucks, tractors and infrastructure with new features that allow them to become increasingly autonomous, connected, electric and shared.

More integrated into each piece of equipment, these new features are interconnected with each other, as well as with other vehicles and road infrastructure.

These integrations multiply potential attack entry points — each vehicle representing a larger attack surface — and increase the threat level and significance of potential impacts.

Like other critical sectors, the automotive industry faces repercussions such as physical damage and financial impacts.

Cyber threat actors — whether states, criminal organizations or individuals — are becoming increasingly sophisticated in achieving their objectives. They aim in particular to destabilize operations, to increase their wealth through ransomware or thefts, and to tamper with vehicles to alter their performance or functionalities.

"Almost every automaker has been hacked" [1]
- Steve Tengler, Forbes

In response to these growing challenges, regulatory entities are stepping in to guide and enable manufacturers and suppliers in the production of safe and sustainable vehicles:

  • WP.29 Regulation R155 of the UNECE for the cybersecurity management system, and
  • ISO/SAE 21434 for road vehicles — Cybersecurity engineering.

Drawing on our cybersecurity experience and on these documents, this article discusses the main takeaways to begin preparing for cybersecurity engineering and to increase your resilience.

#1 – The challenges are not just in the future

With an estimated 86% of vehicles connected in the global automotive market by 2025[2], automotive cybersecurity can easily be mistaken for a futuristic concern.

While risks increase with the growth of autonomous and connected vehicles, vulnerabilities already exist in the vehicles we use every day.

As early as 2015, cybersecurity researchers demonstrated that they were able to control the air conditioning of a Jeep Cherokee, and more dangerously, to take control of the braking and acceleration systems.

With more than 200 attacks reported in 2020, nearly 80% of which were triggered remotely[3], experts and hackers have shown that threats must be taken into account from the start of this decade. Let us not forget that the remaining 20% represent attacks activated locally, with or without the intervention of the attacker.

#2 – An impact on market access — within a one-year horizon

As mentioned, the automotive industry has seen new regulations and standards targeting the sector's cybersecurity since last year.

In June 2020, the United Nations Economic Commission for Europe (UNECE) published WP.29 Regulation R155 relating to the cybersecurity management system. The UNECE document makes numerous references to the ISO/SAE 21434 standard which, upon its release expected at the end of 2021, will provide a reference framework for complying with the regulation's requirements.

From June 2022, compliance with WP.29 R155 will be mandatory to access the market of the 56 UNECE member states, including Canada and the United States.

These requirements ask manufacturers to apply cybersecurity measures to future vehicles and to adapt these tools and techniques to prior models over the coming years.

Regarding the ISO/SAE 21434 standard, while its goal is not to legally compel industry players, it is positioned to become an important differentiator in the future of mobility.

It guarantees a high level of security and proof that the vehicle was developed according to the industry standard and best practices.

#3 – Responsibility throughout the vehicle lifecycle

In the ISO/SAE 21434 standard, which aims to guide organizations through the processes they must implement to meet cybersecurity requirements, manufacturers are responsible for the entire vehicle lifecycle: from the design phase to decommissioning.

Given that the average longevity of a car is about 200,000 miles or 12 years[4], post-production processes such as software updates and incident management must be given strong consideration.

Manufacturers are not the only stakeholders targeted by the document: suppliers will also have to comply with the security requirements.

To facilitate the management of this knowledge and data, the standard details the governance aspects to put in place, including supplier and update management, continuous improvement and risk assessment methodologies.

#4 – The role of fleet operators

From local buses to freight trucks to shared cars, vehicle fleets represent attractive opportunities for malicious groups. Particularly in the current pandemic context, an attack could impact the distribution of medical supplies or vaccines.

Fleet-scale cyber threats should be monitored, especially for fleet operators who will have to bear the costs and operational impact of service interruptions. From procurement to daily operations, management teams have a role to play in the overall fight for a cyber-secure industry.

As buyers and fleet managers introduce cybersecurity requirements into their tenders, clearly indicating their importance, this will have a significant impact on the overall security of our mobility.

It is essential to ensure that cybersecurity requirements are met, evaluated and, above all, managed throughout the product lifecycle.

#5 – A golden rule: do not pay the ransom

That may be easier said than done, but paying a ransom helps perpetuate the risks of cyber-attacks, as it finances criminal organizations. It is not a solution either, because even after paying the ransom, you have no guarantee that your organization will recover its data or assets.

Not resorting to paying the ransom means you must protect yourself in advance with the help of cybersecurity experts.

Assess your vulnerabilities

Whether you manufacture or operate vehicles, take the first step toward the resilience of your operations and vehicles by conducting an assessment of your cybersecurity maturity.

With the right experts, you will identify the weaknesses to secure in order to comply with recent regulations and provide reliable experiences to your customers.

As a cybersecurity leader, Thales's multidisciplinary team based in Quebec can support you in assessing, organizing and implementing a standards-compliant framework according to your needs.

For mobility you can have confidence in.

[1] https://www.forbes.com/sites/stevetengler/2020/06/30/top-25-auto-cybersecurity-hacks-too-many-glass-houses-to-be-throwing-stones/?sh=630601957f65

[2] https://ww2.frost.com/frost-perspectives/new-opportunities-and-vehicle-architectures-how-upcoming-cybersecurity-regulations-will-transform-the-connected-car-ecosystem/

[3] https://upstream.auto/2021Report/

[4] https://www.aarp.org/auto/trends-lifestyle/info-2018/how-long-do-cars-last.html

This blog article is made possible thanks to our major partner Thales as part of the Cybersecurity and Safety in Transportation Forum, an initiative of Propulsion Québec and supported by the Government of Quebec.
