Connected car data security becomes key as automakers enable advanced communications and safety features.

With this increased connectivity comes greater automotive cybersecurity risks, too. In fact, the number of automotive cyberattacks has risen sharply. The average car today contains up to 150 electronic control units and about 100 million lines of software code. That number is projected to reach 300 million lines of code by 2030.

In response, regulators have begun to take action to address the growing vulnerabilities in connected car data security.

Upcoming Automotive Cybersecurity Regulations

For example, the United Nations Economic Commission for Europe (UNECE) is working on regulations to improve automotive cybersecurity and software update management.

The WP.29 regulations will require manufacturers to implement measures in four areas:

  • Managing vehicle cyber risks
  • Securing vehicles by design to mitigate risks along the value chain
  • Detecting and responding to security incidents across the vehicle fleet
  • Providing secure software updates and ensuring vehicle safety is not compromised

In the European Union, the regulations on automotive cybersecurity will be mandatory for all new vehicles produced from July 2024. Japan and Korea have also agreed to implement the regulations according to their own timeline. They do not apply to North American automakers.

The WP.29 regulation defines the automotive cybersecurity requirements for approving vehicles by type (cars, vans, trucks and buses) and for the certificate of compliance for the Cyber Security Management System (CSMS). The CSMS is the system that supports the cybersecurity of the manufacturer. It includes all processes, activities and personnel needed to make sure the vehicles are secure.

Risk Assessment Standards

In addition, the International Organization for Standardization (ISO) is developing automotive cybersecurity standards. The ISO/SAE 21434 standard establishes “cybersecurity by design” throughout the entire lifecycle of the vehicle.

ISO 21434 provides the model for developing a risk assessment system and specifies details on processes and work products.

The overall process for WP.29 compliance can be broken down into three phases:

  • Assessment, which includes scoping and the evaluation of status. The result should be a compatible framework.
  • Implementation, which covers the cybersecurity organization (based on ISO 21434), the definition of risks, people and tools, and the finalization of how the organization is orchestrated.
  • Operations, which consists of monitoring, evaluation and continuous processes. It leads to the launch of the CSMS, which is followed by a type approval.

How To Get Ready

In response to the COVID-19 global pandemic and the resulting shift to remote work, there are several things automakers can do remotely to ensure compliance with the UNECE cybersecurity regulations for vehicles.

Beginning with the assessment, it is possible to review the existing setup, conduct interviews with internal experts and perform a gap analysis for the new requirements remotely.

The setup of organizational structures, processes and management systems can also be defined remotely. Last, but not least, the technical implementation of process automation solutions and CSMS technologies can be conducted remotely.

The Future of Automotive Cybersecurity

Due to increasing cyberattacks on vehicles and the growing risk they pose, the industry needs standard procedures and international regulations for automotive cybersecurity.

Ultimately, automakers in the affected countries will need to become compliant with the new UNECE standards and change the way they work. The ISO 21434 standard is intended to make the process of becoming compliant more transparent and sets the foundation to achieve overall standardization.

Technological changes within the automotive industry are complex. Many automakers will need to align their connected car data security practices with international regulations and standards. The earlier they start preparing, the better chance they will have to implement the necessary changes to comply with the new regulations and standards.
