With vehicles now collecting, accessing, and storing a large volume of data, cybersecurity has become a major focus for the automotive sector. In fact, work’s been underway for more than a decade to answer the unique security questions posed by the big auto industry disruptors – automation, connectivity, and e-mobility.
As early as 2011, manufacturers were working with the United Nations Economic Commission for Europe (UNECE) to develop a regulatory framework to support auto cybersecurity. Incidentally, the security risk received worldwide attention in 2015 when white hat hackers took control of a vehicle over the internet, leading to the recall of 1.4m vehicles, and the industry responded by redoubling its efforts to tackle the issue.
According to the UNECE, cars now contain up to 150 electronic control units and about 100 million lines of code – four times more than a fighter jet – and that’s projected to rise to 300 million lines of code by 2030.
The new frontier: UN R155 and UN R156
To address the growing threat of cyberattacks, the UNECE published the first regulations in January 2021. UN R155 and UN R156, regulations aimed at enhancing the security of current and future car models, were implemented in July 2022 for new type approvals. From July 2024, they’ll become mandatory for all new cars produced across 54 countries.
- UN R155 mandates that vehicles must have a Cybersecurity Management System (CSMS) in place, which means applying cybersecurity practices and measures across the development process and life-cycle of vehicles. Although no CSMS is currently mandatory for suppliers, they tend to put in place the right processes, assessments and security concepts (e.g. ISO 21434) to comply with regulations.
- UN R156 deals with the software update management system (SUMS). It provides all the requirements to achieve a secure software update during the life-cycle of a system.
The players on the new frontier
Three unique cybersecurity challenges facing automotive
- One-size needs to fit all
Cybersecurity is relatively new to automotive – it’s been a focus for around ten years, so it’s still a work in progress. The current major challenge is to standardise the security concepts, to make sure all manufacturers and suppliers use the same ones. This has already succeeded for the diagnostics feature, which was prioritised because it’s a crucial security feature. Whether a manufacturer or a supplier wants to implement a diagnostic interface, they will always need to refer to the Unified Diagnostic Services (UDS) standard. ‘Unified’ in this context means that it’s an international and not a company-specific standard. The main goal today is to have a standard for all the security-relevant features, which is obviously very complex to achieve, as all manufacturers will need to agree on them.
- An eternal update cycle
An additional challenge comes from the length of the automotive product life-cycle, as opposed to the rapid evolution of cyber-threats. Development life-cycles range up to five years, and the average age of a car at scrappage is 12 years, so there is an end-to-end lifecycle of more than 15 years to account for. Add on top of that the embedded aspect of automotive systems. Automotive manufacturers have limited resources and need to limit the cost of a new vehicle, so they can’t always integrate the best security into the systems. When an algorithm or a hardware security feature is selected, the choice is based on international recommendations like NIST or FIPS, with a commitment to providing unbreakable features for at least 10 years. If a security vulnerability is found, or if the algorithms are outdated, they’ll need to be managed via software updates.
- A time of seismic change
With increased connectivity come greater threats. In the past, hacking events primarily resulted in inconvenience to infotainment users. Now cyber-attacks can impact the safety of drivers, passengers, and other road users. This means cyber protection is now on par with functional safety. On top of that, new transport on-demand or MaaS (Mobility as a Service) models will pose new problems to solve, like the security of payments, billing, and personal data.
Keeping up with innovation with Expleo
In the battle between innovation and cybersecurity, innovation needs to keep winning. Automotive consumers prefer innovative features and are willing to share personal data to take advantage of them. Since market demand still favours innovation, OEMs and tier 1 and 2 suppliers need to keep up with the dynamics of automation and connectivity, or they risk falling behind. But favouring innovation shouldn’t mean accepting the risk of cyber incidents. The focus should be on the integration of innovation, cybersecurity, and functional safety to shape the future of the auto industry.
We draw on skills and experience from across engineering and technology – everything from Banking, Financial Services, and Insurance (BFSI) to automotive engineering – which means we offer our clients a unique combination of design thinking that delivers innovation while ensuring safety and security. We also help our customers navigate the ever-changing regulatory landscape.