Connected car data security becomes key as automakers enable advanced communications and safety features.

With this increased connectivity comes greater automotive cybersecurity risks, too. In fact, the number of automotive cyberattacks has risen sharply. The average car today contains up to 150 electronic control units and about 100 million lines of software code. That number is projected to reach 300 million lines of code by 2030.

In response, regulators have begun to take action to address the growing vulnerabilities in connected car data security.

Upcoming Automotive Cybersecurity Regulations

For example, the United Nations Economic Commission for Europe (UNECE) is working on regulations to improve automotive cybersecurity and software update management.

The WP.29 regulations will require manufacturers to implement measures in four areas:

  • Managing vehicle cyber risks
  • Securing vehicles by design to mitigate risks along the value chain
  • Detecting and responding to security incidents across the vehicle fleet
  • Providing secure software updates and ensuring vehicle safety is not compromised

In the European Union, the regulations on automotive cybersecurity will be mandatory for all new vehicles produced from July 2024. Japan and Korea have also agreed to implement the regulations according to their own timeline. They do not apply to North American automakers.

The WP.29 regulation defines the automotive cybersecurity requirements for approving vehicles by type (cars, vans, trucks and buses) and the certificate of compliance for the Cyber Security Management System (CSMS). The CSMS refers to the system that supports the cybersecurity of the manufacturer. It includes every process, activity and person involved in making sure the vehicles are secure.

Risk Assessment Standards

In addition, the International Organization for Standardization (ISO) is developing automotive cybersecurity standards. The ISO/SAE 21434 standard establishes “cybersecurity by design” throughout the entire lifecycle of the vehicle.

ISO 21434 provides the model for developing a risk assessment system and specifies details on processes and work products.

The overall process for WP.29 compliance can be broken down into three phases:

  • Assessment, which includes scoping and the evaluation of the current status. The result should be a compatible framework.
  • Implementation, which covers the cybersecurity organization (based on ISO 21434), the definition of risks, people and tools, and the finalization of how the organization is orchestrated.
  • Operations, which consists of monitoring, evaluation and continuous processes. It leads to the launch of the CSMS, which is followed by type approval.

How To Get Ready

In response to the COVID-19 global pandemic and the resulting shift to remote work, there are several things automakers can do remotely to ensure compliance with the UNECE cybersecurity regulations for vehicles.

Beginning with the assessment, it is possible to review the existing setup, conduct interviews with internal experts and perform a gap analysis for the new requirements remotely.

The setup of organizational structures, processes and management systems can also be defined remotely. Last, but not least, the technical implementation of process automation solutions and CSMS technologies can be conducted remotely.

The Future of Automotive Cybersecurity

Due to increasing cyberattacks on vehicles and the greater risk they pose, the industry needs standard procedures and international regulations for automotive cybersecurity.

Ultimately, automakers in the affected countries will need to become compliant with the new UNECE standards and change the way they work. The ISO 21434 standard is intended to make the process of becoming compliant more transparent and sets the foundation to achieve overall standardization.

Technological changes within the automotive industry are complex. Many automakers will need to align their connected car data security practices with international regulations and standards. The earlier they start preparing, the better chance they will have to implement the necessary changes to comply with the new regulations and standards.
