Automotive Cybersecurity

Our cars have long become driving computers. As a result, advancing digitization, autonomous driving, and increased connectivity pose new challenges for cybersecurity.

Digitalization also affects the automotive sector. Developments such as autonomous driving and an increasing connectivity between vehicles and with the transport infrastructure are improving safety, but also create new threats.

For instance, American cybersecurity experts have uncovered alarming security gaps in the backend and business IT systems of well-known car brands such as BMW, Porsche, and Mercedes. These gaps not only affected private vehicles, but also emergency vehicles such as police cars and ambulances. The experts were not only able to control the lights and horns, but also open and close the car doors and start the engines. Furthermore, they were able to copy vehicle data, reset settings and, in some cases, even access the manufacturers' internal networks.

Increasing connectivity, autonomous driving and complex software technologies are radically changing the threat scenarios. Where once it was necessary to be physically present at the vehicle to carry out attacks, now, with the installed wireless modules, attacks can also be carried out from the Internet or via other communication interfaces.

To address the growing threat head-on, the United Nations Economic Commission for Europe (UNECE) has drafted new regulatory requirements such as R155 and R156 under the 1958 Convention. These are aimed at ensuring cybersecurity across the entire supply chain and lifecycle of motor vehicles.

Concurrently, the ISO/SAE 21434 (Road Vehicles – Cyber Security Engineering) standard was published in August 2021, providing organizations with an implementation option for the new regulations. For the first time, this provides a unified and binding regulatory system for manufacturers. And since the entire supply chain must be audited, suppliers are also subject to the requirements.

TISAX® (Trusted Information Security Assessment Exchange) offers a testing and exchange mechanism for information security within the automotive industry developed by the German Association of the Automotive Industry (VDA). It is based on the VDA ISA requirements, which in turn are based on ISO/IEC 27001. In the automotive industry, TISAX® is often a prerequisite for business relationships, in particular where sensitive information is involved. The goal is to avoid redundant audits and to ensure an industry-wide security standard.

The implications for the safety requirements as well as for the E/E architecture of a vehicle can be far-reaching. It is primarily a matter of implementing the requirements across the supply chain to make the new generation of vehicles "more secure" and to update the old processes to reflect the new reality. The following measures are recommended over the entire lifecycle:

Network segmentation: Separating critical system functions from less critical functions can help minimize the impact of an attack.

Penetration tests: Regular testing by security experts can help identify and address vulnerabilities in vehicle systems.

Collaboration across the industry: Automakers and suppliers should collaborate and share information on threats and best practices.

Digitalization and autonomous driving are revolutionizing the automotive industry, but they also present new cyber threats. That is because security vulnerabilities in vehicles from well-known brands and the increasing software complexity make cars attractive targets for cyberattacks.

Now more than ever, the automotive industry must develop a new cybersecurity awareness and collaborate across the industry to maintain the balance between innovation and security.