Software Vulnerabilities
September 24, 2020 By Arndt Kohler 2 min read

Connected car data security becomes key as automakers enable advanced communications and safety features.

With this increased connectivity comes greater automotive cybersecurity risks, too. In fact, the number of automotive cyberattacks has risen sharply. The average car today contains up to 150 electronic control units and about 100 million lines of software code. That number is projected to reach 300 million lines of code by 2030.

In response, regulators have begun to take action to address the growing vulnerabilities in connected car data security.

Upcoming Automotive Cybersecurity Regulations

For example, the United Nations Economic Commission for Europe (UNECE) is working on regulations to improve automotive cybersecurity and software update management.

The WP.29 regulations will require manufacturers to implement measures in four areas:

  • Managing vehicle cyber risks
  • Securing vehicles by design to mitigate risks along the value chain
  • Detecting and responding to security incidents across vehicle fleet
  • Providing secure software updates and ensuring vehicle safety is not compromised.

In the European Union, the regulations on automotive cybersecurity will be mandatory for all new vehicles produced from July 2024. Japan and Korea have also agreed to implement the regulations according to their own timeline. They do not apply to North American automakers.

The WP.29 regulation defines the automotive cybersecurity requirements to approve vehicles based on type (cars, vans, trucks and buses) and the certificate of compliance for the Cyber Security Management System (CSMS). The CSMS refers to the system that supports the cybersecurity of the manufacturer. It includes every process, activity, and personnel to make sure the vehicles are secure.

Risk Assessment Standards

In addition, the International Organization for Standardization (ISO) is developing automotive cybersecurity standards. The ISO/SAE 21434 standard establishes “cybersecurity by design” throughout the entire lifecycle of the vehicle.

ISO 21434 provides the model for developing a risk assessment system and specifies details on processes and work products.

The overall process for WP.29 compliance can be broken down into three phases:

  • Assessment, which includes scoping and the evaluation of status. The result should be a compatible framework.
  • Implementation, which covers the cybersecurity organization (based on ISO 21434), definition of the risks, people and tools and finalization of the organization orchestration.
  • Operations, which consists of monitoring, evaluation and continuous processes. It leads to the launch of the CSMS, which is followed by a type approval.

How To Get Ready

In response to the COVID-19 global pandemic and the resulting shift to remote work, there are several things automakers can do remotely to ensure compliance with the UNECE cybersecurity regulations for vehicles.

Beginning with the assessment, it is possible to review the existing setup, conduct interviews with internal experts and perform a gap analysis for the new requirements remotely.

The setup of organizational, processes and management systems can also be defined remotely. Last, but not least, the technical implementation of process automation solutions and CSMS technologies can be conducted remotely.

The Future of Automotive Cybersecurity

Due to increasing cyberattacks on vehicles and more risk, the industry needs standard procedures and international regulations for automotive cybersecurity.

Ultimately, automakers in the affected countries will need to become compliant with the new UNECE standards and change the way they work. The ISO 21434 standard is intended to make the process of becoming compliant more transparent and sets the foundation to achieve overall standardization.

Technological changes within the automotive industry are complex. Many automakers will need to align their connected car data security practices with international regulations and standards. The earlier they start preparing, the better chance they will have to implement the necessary changes to comply with the new regulations and standards.

 |  | 
Arndt Kohler
Head of IoT Security, IBM

More from Software Vulnerabilities
August 9, 2023

X-Force releases detection & response framework for managed file transfer software

5 min read - How AI can help defenders scale detection guidance for enterprise software tools If we look back at mass exploitation events that shook the security industry like Log4j, Atlassian, and Microsoft Exchange when these solutions were actively being exploited by attackers, the exploits may have been associated with a different CVE, but the detection and response guidance being released by the various security vendors had many similarities (e.g., Log4shell vs. Log4j2 vs. MOVEit vs. Spring4Shell vs. Microsoft Exchange vs. ProxyShell vs.…

August 2, 2023

MSMQ QueueJumper (RCE Vulnerability): An in-depth technical analysis

13 min read - The security updates released by Microsoft on April 11, 2023, addressed over 90 individual vulnerabilities. Of particular note was CVE-2023-21554, dubbed QueueJumper, a remote code execution vulnerability affecting the Microsoft Message Queueing (MSMQ) service. MSMQ is an optional Windows component that enables applications to exchange messages via message queues that are reachable both locally and remotely. This analysis was performed in collaboration with the Randori and X-Force Adversary Services teams, by Valentina Palmiotti, Fabius Watson, and Aaron Portnoy. Research motivations…

March 30, 2023

X-Force prevents zero day from going anywhere

8 min read - This blog was made possible through contributions from Fred Chidsey and Joseph Lozowski. The 2023 X-Force Threat Intelligence Index shows that vulnerability discovery has rapidly increased year-over-year and according to X-Force’s cumulative vulnerability and exploit database, only 3% of vulnerabilities are associated with a zero day. X-Force often observes zero-day exploitation on Internet-facing systems as a vector for initial access however, X-Force has also observed zero-day attacks leveraged by attackers to accomplish their goals and objectives after initial access was…

March 21, 2023

Patch Tuesday -> exploit Wednesday: Pwning windows ancillary function driver for WinSock (afd.sys) in 24 hours

12 min read - ‘Patch Tuesday, Exploit Wednesday’ is an old hacker adage that refers to the weaponization of vulnerabilities the day after monthly security patches become publicly available. As security improves and exploit mitigations become more sophisticated, the amount of research and development required to craft a weaponized exploit has increased. This is especially relevant for memory corruption vulnerabilities. Figure 1 — Exploitation timeline However, with the addition of new features (and memory-unsafe C code) in the Windows 11 kernel, ripe new attack…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2023 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature