While the digitalization of vehicles and in-vehicle systems is completely transforming the industry, we must keep the security (& safety) of these systems in mind; connectivity and added complexity (software in vehicles is projected to rise to 300 million lines of code by 2030) will inevitably lead to additional cybersecurity risks.
Consumers want their devices or cloud services to connect seamlessly into vehicle systems.
The COVID-19 pandemic has also introduced additional disruptive trends, such as:
- The criticality of providing software updates (which will be more frequent with added complexity) over-the-air to avoid visits to dealerships
- Focusing on services based on voice and facial recognition to avoid physical contact
- Tracking hygiene with new connected services for shared vehicles
- Securely tracking and tracing vehicle use to prevent and fight against pandemics
All this highlights the need for comprehensive cybersecurity management and the implementation of technical mitigations. It is projected that investments to strengthen automotive cybersecurity will increase from 4.9 billion USD in 2020 to 9.7 billion USD in 2030.
Regulations & Automotive Cybersecurity
The World Forum for Harmonization of Vehicle Regulations (WP.29) has adopted two new UN regulations to help tackle risks. They provide internationally harmonized and binding performance and audit requirements across four disciplines:
- Managing vehicle cyber risks
- Securing vehicles by design and by default along the value chain
- Responding to security incidents across the vehicle fleet
- Providing safe and secure software updates
The WP.29 regulation contains both a practical and holistic approach to automotive cybersecurity. In addition to concrete examples of threats and mitigations, it makes process recommendations as well.
In the European Union, the new regulation will be mandatory for all new vehicle types from July 2022 and will be mandatory for all new vehicles produced from July 2024.
ISO and SAE are working on a joint standard (ISO/SAE 21434) that will be able to serve as the basis to meet the new regulatory requirements regarding cybersecurity. The standard covers what needs to be done without mandating how to do it. It is currently scheduled to be released in 2021. A different ISO working group is working on a standard to provide the similar basis regarding software updates (ISO 24089). Both standards, along with regulation, aim to guarantee the vehicle’s proper (safe and secure) functioning during the entire vehicle lifecycle while accounting for changes to address malfunctions, cybersecurity incidents, potential tampering, and other deviations.
There is a lot of work still to be done by the different entities in the industry to ensure continued public trust in connected, and eventually automated, vehicles. The current level of regulation and standardization provides a good basis for the industry to evolve and meet new challenges; it also provides the opportunity to innovate for both incumbents and new entrants in the field.
At Irdeto, we believe that connectivity should not be feared or increase the risk of a cyberattack. While security is mandatory it also enables new business models to offset the investment.
Regulations and standardization cannot accomplish this alone; all involved parties must consider security in all aspects of their products and continually evolve to address new threats. What regulations and standardization do not address sufficiently is information sharing, e.g. regarding threats and attacks. The Automotive ISAC (Information Sharing and Analysis Center) sets a good foundation there, and the ongoing discussions to share globally in a singular organization are the right path forward.
To learn more about how Irdeto can help you navigate the cybersecurity landscape please contact us here.
 (Automotive Cybersecurity: New Regulations in the Auto Industry, 2020)
 (ABIresearch Connected Vehicles 1Q2020 Update)
 (Ondrej Burkacky, Johannes Deichmann, Benjamin Klein, Klaus Pototzky, Gundbert Scherf , 2020)
 (unece.org, 2020)