Connected car data security becomes key as automakers enable advanced communications and safety features.
With this increased connectivity comes greater automotive cybersecurity risks, too. In fact, the number of automotive cyberattacks has risen sharply. The average car today contains up to 150 electronic control units and about 100 million lines of software code. That number is projected to reach 300 million lines of code by 2030.
In response, regulators have begun to take action to address the growing vulnerabilities in connected car data security.
Upcoming Automotive Cybersecurity Regulations
For example, the United Nations Economic Commission for Europe (UNECE) is working on regulations to improve automotive cybersecurity and software update management.
The WP.29 regulations will require manufacturers to implement measures in four areas:
- Managing vehicle cyber risks
- Securing vehicles by design to mitigate risks along the value chain
- Detecting and responding to security incidents across vehicle fleet
- Providing secure software updates and ensuring vehicle safety is not compromised.
In the European Union, the regulations on automotive cybersecurity will be mandatory for all new vehicles produced from July 2024. Japan and Korea have also agreed to implement the regulations according to their own timeline. They do not apply to North American automakers.
The WP.29 regulation defines the automotive cybersecurity requirements to approve vehicles based on type (cars, vans, trucks and buses) and the certificate of compliance for the Cyber Security Management System (CSMS). The CSMS refers to the system that supports the cybersecurity of the manufacturer. It includes every process, activity, and personnel to make sure the vehicles are secure.
Risk Assessment Standards
In addition, the International Organization for Standardization (ISO) is developing automotive cybersecurity standards. The ISO/SAE 21434 standard establishes “cybersecurity by design” throughout the entire lifecycle of the vehicle.
ISO 21434 provides the model for developing a risk assessment system and specifies details on processes and work products.
The overall process for WP.29 compliance can be broken down into three phases:
- Assessment, which includes scoping and the evaluation of status. The result should be a compatible framework.
- Implementation, which covers the cybersecurity organization (based on ISO 21434), definition of the risks, people and tools and finalization of the organization orchestration.
- Operations, which consists of monitoring, evaluation and continuous processes. It leads to the launch of the CSMS, which is followed by a type approval.
How To Get Ready
In response to the COVID-19 global pandemic and the resulting shift to remote work, there are several things automakers can do remotely to ensure compliance with the UNECE cybersecurity regulations for vehicles.
Beginning with the assessment, it is possible to review the existing setup, conduct interviews with internal experts and perform a gap analysis for the new requirements remotely.
The setup of organizational, processes and management systems can also be defined remotely. Last, but not least, the technical implementation of process automation solutions and CSMS technologies can be conducted remotely.
The Future of Automotive Cybersecurity
Due to increasing cyberattacks on vehicles and more risk, the industry needs standard procedures and international regulations for automotive cybersecurity.
Ultimately, automakers in the affected countries will need to become compliant with the new UNECE standards and change the way they work. The ISO 21434 standard is intended to make the process of becoming compliant more transparent and sets the foundation to achieve overall standardization.
Technological changes within the automotive industry are complex. Many automakers will need to align their connected car data security practices with international regulations and standards. The earlier they start preparing, the better chance they will have to implement the necessary changes to comply with the new regulations and standards.
Head of IoT Security, IBM