AI In Automotive Cybersecurity

The rise of artificial intelligence is signaling disruption in the technology industry. The likes of Microsoft, Google, and OpenAI are spearheading fierce competition to create the most advanced artificial intelligence aimed at improving the way we interact with technology. While intelligent language models like ChatGPT are already fascinating people with their abilities to deliver answers to given prompts, AI technologies currently available to the public are just the tip of the iceberg. In the automotive industry, artificial intelligence can streamline operations and improve efficiency throughout the supply chain. Utilization of artificial intelligence in the automotive cybersecurity sector can especially benefit threat detection and response.

The Need for Strengthened Vehicle Cybersecurity

Several decades ago vehicle security would entail door locks, car alarms, and airbags. While the same is still true, cybersecurity is becoming an essential part of automotive security. Ensuring full protection now includes shielding the vehicle from internal system malfunctions as well as external cyber threats. However, as cars turn more software-driven and connected, vehicle security is becoming increasingly complex.

A modern-day car contains multiple electronic control units (ECUs) responsible for in-vehicle electronic systems that regulate and perform various functions ranging from essential tasks like steering and engine control to more mundane ones like unlocking doors and rolling down windows. The number of ECUs in a given vehicle depends on the quantity and complexity of vehicle features. For instance, a contemporary luxury car can have up to 150 ECUs, and the number may continue growing if new functionalities and sub-systems are added. These ECUs communicate with different parts of the vehicle and other ECUs to keep the vehicle running. Each of these ECUs and their communication nodes must be secured to protect the vehicle from cyber threats.

Limitations of Conventional Automotive Cybersecurity

Keyless car theft, infotainment system attacks, malware: conventional automotive cybersecurity software is built to protect against these and many other known threats. Cybersecurity companies employ ethical hacking methods to ensure the timely discovery of system loopholes. In ethical hacking, white hat hackers are responsible for hacking vehicle systems to find weaknesses in the software and report them to the cybersecurity software developers, who then implement appropriate security measures.

The complex system architecture of modern vehicles contains dozens of ECUs and millions of lines of code, all of which can potentially be exploited by malicious actors. Manually searching for vulnerabilities in these vehicles is like looking for a needle in a haystack. As vehicle systems get more complex, securing them will become even harder. While ethical hacking helps companies develop resilient security measures against cyber attacks, this ad hoc approach to cybersecurity has its limitations.

The biggest challenge in automotive cybersecurity is protecting the vehicle from unprecedented danger, also known as a zero-day attack. These attacks exploit previously undiscovered vulnerabilities in vehicle systems to install malware or tamper with the vehicle. Protection against zero-day attacks necessitates a more sophisticated approach to automotive cybersecurity, which is where AI comes in.

The Potential of AI/ML-powered Cybersecurity

AI/ML-based systems analyze, classify, and train on large amounts of data to self-improve and make independent decisions down the road. When applied in automotive cybersecurity, machine learning algorithms can be implemented in the security software to learn common patterns of vehicle operations. A trained model will then be able to distinguish anomalies that fall beyond the scope of ordinary vehicle signals. If malicious behavior is detected, the cybersecurity software will send alerts and shield the vehicle from danger. Even if a malicious actor exploits a previously unidentified vulnerability, an AI-powered anomaly detection model will be able to detect intrusions and prevent them.

A car’s digital communications are simpler and more predictable than those of a typical computer network. Since signals exchanged during normal vehicle operations often follow fixed patterns, determining an anomalous signal is not very difficult. Therefore, employing unsupervised machine learning in cybersecurity is feasible. For instance, imagine a car driving on the highway at cruising speed that suddenly receives a braking signal requesting to stop the car in the middle of the road. AI-powered security software will be able to differentiate this unusual command from a common driving pattern. The system will then block the anomalous signal and send it over to the security experts for further action.
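The pattern-learning idea above, as an added example that is not AutoCrypt's code: a baseline is learned from known-good frames (per-ID message timing and the highest brake request seen at each speed), and frames outside it are flagged. It goes slightly beyond the highway case in the text by also checking message timing. The message IDs, payload layout, thresholds and both traces are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Hypothetical message layout, assumed for this example (real IDs and scaling are OEM-specific).
SPEED_ID = 0x100  # payload[0] = vehicle speed in km/h
BRAKE_ID = 0x200  # payload[0] = requested brake pressure, 0-255


class SignalBaseline:
    """Learns per-ID timing and speed-dependent brake limits from known-good frames."""

    def __init__(self, z_limit=4.0, speed_bin_kmh=20, margin=10):
        self.z_limit = z_limit          # allowed deviation of a gap, in standard deviations
        self.speed_bin = speed_bin_kmh  # width of the speed buckets used as context
        self.margin = margin            # slack on top of the highest brake value seen
        self.known_ids = set()
        self.timing = {}                # can_id -> (mean gap, std of gap) in seconds
        self.max_brake = {}             # speed bin -> highest brake request in training

    def fit(self, frames):
        last_seen, gaps, speed = {}, defaultdict(list), None
        for ts, can_id, data in frames:
            if can_id in last_seen:
                gaps[can_id].append(ts - last_seen[can_id])
            last_seen[can_id] = ts
            if can_id == SPEED_ID:
                speed = data[0]
            elif can_id == BRAKE_ID and speed is not None:
                b = speed // self.speed_bin
                self.max_brake[b] = max(self.max_brake.get(b, 0), data[0])
        self.known_ids = set(last_seen)
        for can_id, g in gaps.items():
            # Floor the deviation so a perfectly periodic ID does not divide by zero.
            self.timing[can_id] = (mean(g), max(pstdev(g), 1e-4))
        return self

    def check(self, frames):
        """Return [(timestamp, can_id, [reasons])] for frames outside the baseline."""
        alerts, last_seen, speed = [], {}, None
        for ts, can_id, data in frames:
            reasons = []
            if can_id not in self.known_ids:
                reasons.append("unknown-id")
            elif can_id in last_seen and can_id in self.timing:
                mu, sigma = self.timing[can_id]
                if abs((ts - last_seen[can_id]) - mu) / sigma > self.z_limit:
                    reasons.append("timing")
            last_seen[can_id] = ts
            if can_id == SPEED_ID:
                speed = data[0]
            elif can_id == BRAKE_ID and speed is not None:
                limit = self.max_brake.get(speed // self.speed_bin)
                # No baseline for this speed range, or a request far above anything seen there.
                if limit is None or data[0] > limit + self.margin:
                    reasons.append("brake-out-of-context")
            if reasons:
                alerts.append((ts, can_id, reasons))
        return alerts


def constructed_drive(cycles=600, period=0.02):
    """Constructed known-good trace: accelerate, cruise at 110 km/h, brake gently to a stop."""
    frames = []
    for i in range(cycles):
        jitter = ((i * 7) % 5 - 2) * 0.0002  # deterministic +/-0.4 ms scheduling jitter
        ts = i * period + jitter
        if i < 200:
            speed, brake = i * 110 // 200, 0
        elif i < 400:
            speed, brake = 110, 0
        else:
            speed, brake = 110 - (i - 400) * 110 // 200, 30 + (i - 400) // 4
        frames.append((ts, SPEED_ID, bytes([speed])))
        frames.append((ts + 0.005, BRAKE_ID, bytes([brake])))
    return frames


def constructed_spoof_trace():
    """Constructed cruise segment with one out-of-pattern brake request at 110 km/h."""
    cruise = constructed_drive()[400:520]        # cycles 200-259, steady 110 km/h
    injected = (4.615, BRAKE_ID, bytes([250]))   # falls between two scheduled brake frames
    return sorted(cruise + [injected], key=lambda f: f[0])


if __name__ == "__main__":
    baseline = SignalBaseline().fit(constructed_drive())
    for ts, can_id, reasons in baseline.check(constructed_spoof_trace()):
        print(f"{ts:.4f}s id=0x{can_id:03X} {', '.join(reasons)}")
```

The scheduled brake frame that follows the extra one is also flagged on timing, because its gap is shortened too. Whether an alert leads to blocking or only to reporting is a policy decision outside this sketch.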

While perfecting a fully AI-based cybersecurity software may take years, some companies are already leveraging the power of machine learning in their solutions. One example is AutoCrypt Security Fuzzer, which is an automated testing solution that employs an AI-based algorithm to input semi-random test cases into selected systems to reveal errors in vehicle software. The solution essentially causes intentional crashes in the system to expose software vulnerabilities that need to be addressed. An AI-based security fuzzer greatly reduces testing time, streamlining the ad hoc approach to cybersecurity implementation.

Due to the self-improving nature of artificial intelligence, the potential of AI in automotive cybersecurity is limitless. The speed of developments in the automotive sector requires cybersecurity measures that are just as agile. Leveraging artificial intelligence in vehicle cybersecurity will help address the risks of zero-day attacks and mitigate threats in a timely and efficient manner.

To stay informed and updated on the latest news about AUTOCRYPT and automotive cybersecurity, subscribe to AUTOCRYPT’s official newsletter.

What Are the Potential Consequences of Cyberattacks on OEMs?

The automotive industry has drastically changed in the past decade becoming increasingly software driven. However, higher reliance on software comes hand in hand with a higher risk of cyberattacks. This is because a more complicated system backend has more potential entryways malicious hackers can exploit. A cyberattack on an OEM can have dire consequences that may affect sensitive company and customer data, disrupt supply chain operations, and tamper with vehicles produced by the OEM. This blog will explore some of the potential consequences of cyberattacks against OEMs.

Data Breaches

One of the biggest cyber threats to an OEM is a data breach. If an OEM’s system is attacked and a data breach occurs, the stored data could be stolen, compromised, or deleted, leading to various adverse effects on both the customers and the OEM.

During a data breach, malicious hackers can steal confidential customer data, such as personal identification numbers (PINs), social security numbers, medical records, and more. This valuable information can either be leaked or posted on the dark web for purchase. In any case, if the customers’ confidential data is exposed, malicious actors can use it to commit fraud, phishing, or an infinite number of other criminal activities. Not all data breaches are targeted toward retrieving customer data. Sometimes cyber criminals may want to access sensitive company information and steal trade secrets or intellectual property. Some breaches are purely destructive, with hackers accessing confidential data only to destroy it. 

Data breaches are extremely dangerous as they not only compromise data but also lead to a loss of customer trust in the OEM. On top of that, OEMs may face legal consequences or be fined for negligent cybersecurity practices that can end up costing a fortune.

Sometimes a breach into a company’s system may not be limited to stealing sensitive data. Malicious hackers may encrypt the data and request a ransom in exchange for a decryptor. Ransomware is designed to deny a user or organization access to files on their computer. By encrypting these files and demanding a ransom payment for the decryption key, cyber attackers place organizations in a position where paying the ransom is the easiest way to regain access to their files.

In 2021, Kia Motors America allegedly suffered a ransomware attack, where the hackers requested $20 million to decrypt files and not leak confidential data. During the alleged ransomware attack, the OEM’s portals suffered a system outage. This resulted in the disruption of services where customers and dealerships across the country were unable to access their data. While financial damages were never disclosed, this incident ended up damaging the OEM’s reputation.

A cyberattack on an OEM can cause significant harm to customer data, leading to financial loss, legal consequences, and loss of customer trust. As such, it is crucial for OEMs to invest in robust cybersecurity measures to protect themselves and their customers from potential cyberattacks.

Supply Chain Disruptions

Software plays a critical role in making sure the automotive sector’s supply chain operates efficiently and effectively. A cyberattack on an OEM, or any other company within the supply chain, could disrupt the production of components that are critical to the supply chain. This could lead to delays in operations, holding up the delivery of final products down the supply chain. Delays in the supply chain will ultimately slow down the rollout of vehicles to customers. If this happens, not only does the OEM suffer financial losses, but the company’s reputation will also take a major hit. A similar incident happened in 2022, when a supplier of Toyota suffered a cyberattack. As a result, the OEM had to halt production which ended up slashing production outputs by a third.

The effects of a cyberattack on the supply chain can be disastrous, which is why industry regulations like WP.29 and ISO/SAE 21434 hold OEMs accountable for enforcing cybersecurity practices. This means that OEMs are obligated to make sure that cybersecurity measures are implemented across every company in the supply chain. This includes monitoring and auditing cybersecurity throughout the supply chain to demonstrate enforcement of the regulations at all times.

OEMs need to encourage cybersecurity measures at the base of all IT operations within the company and throughout the supply chain. Implementing cybersecurity measures is not limited to installing sophisticated cybersecurity software. It also includes utilizing encryption and authentication, as well as educating employees on cybersecurity practices that need to be honored in day-to-day operations.

Vehicle System Disruptions

While supply chain disruptions and data breaches have negative consequences on operations, finances, and company image, a cyberattack on a vehicle can escalate into a life-and-death situation.

Modern vehicles run on around 100 million lines of code which enable many advanced features beloved by customers. Unfortunately, hackers can exploit vulnerabilities in complex vehicle software to gain unauthorized access to in-vehicle systems. We have seen reports of hackers breaking into vehicles using car infotainment systems, key fobs, or Wi-Fi dongles. But hackers can also gain access to a car by attacking the OEM’s server. Hackers can inject malware into a company’s server, which can then spread to the vehicle’s systems via over-the-air software updates or other connections. The malware can then allow them to take control of the vehicle’s functions or steal data.

If the OEM system has remote access capabilities, through cellular or Wi-Fi connections, hackers can attempt to exploit vulnerabilities in these connections to gain access to the vehicle’s systems. This can allow them to remotely control the vehicle’s functions, such as acceleration, braking, and steering. If malicious hackers get access to vehicle control this can wreak havoc on the roads and put millions of lives in danger.

Companies must secure in-vehicle systems and conduct regular security assessments to mitigate the risks of vehicle-targeted cyberattacks. The automotive industry can collaborate with cybersecurity experts to stay on top of vehicle cybersecurity regulations and best practices. This can help the industry get access to effective solutions that address emerging cybersecurity risks. For instance, AutoCrypt IVS specializes in securing in-vehicle systems by protecting the vehicle from external attacks, monitoring communications within the vehicle, and responding to any abnormal activities.

The increasing reliance on software in the automotive industry has created new cybersecurity risks. To address these risks, OEMs have to prioritize cybersecurity within the company, across the supply chain, and in every vehicle on the road by developing a comprehensive cybersecurity framework. Cybersecurity should be ensured on multiple levels. First, OEMs must secure internal IT systems and operations. On the second level, OEMs will need to secure the supply chain and encrypt all communications between partner companies. Lastly, OEMs must employ in-vehicle security measures that make sure vehicles are protected against internal and/or external threats.

Software-Defined Vehicles: Tangent Industry Collaboration Opportunities

The lines between the automotive and tech sector are blurring as we approach the age of software-defined vehicles. Modern day vehicles are much more sophisticated than ever before, where hardware and software are intricately intertwined to achieve superior car performance and user experience. And while improving hardware is not new for OEMs, creating advanced software systems is a much tougher task. Automotive system innovations are causing disruptions in the entire industry, affecting manufacturing processes, product management, policies, and more. However, these disruptions are bringing in an array of new opportunities in the sector and its tangent industries.

B2B auto insurance

The way vehicles operate has changed in the past decade, but the insurance policies surrounding our cars have not evolved at the same rate as the technology. There is still no universal framework that decides who is liable for accidents involving software-defined vehicles (SDVs). Yet, current events in the industry are pointing to a shift of liability from individuals to OEMs, especially when autonomous driving is involved. Auto insurance policies have yet to reflect upon industry developments.

Traditional vehicle insurance policies typically cover physical damages resulting from driver-caused accidents. However, as ADAS and autonomous driving become more prevalent, the element of human error will gradually decrease, making traditional insurance policies less relevant. In addition, as software improves and cars become safer, revenue from individual insurance sales will also drop. Losses are expected to reach $25 billion, putting auto insurance providers at risk of bankruptcy. Nevertheless, industry disruptions are creating new opportunities for auto insurance providers, with a significant portion of these opportunities located in the B2B sector. Between 2020 and 2025, new insurance policy revenues are predicted to reach $81 billion, according to a source.

As long as vehicle performance is directly tied to software performance, OEMs will be held accountable for cyberattacks, bugs, and software malfunctions in SDVs. Since the cost of software-caused accidents can have a colossally negative impact on manufacturers they will be looking for ways to offset the losses. Insurance providers will need to adjust to the changes in the industry and create policies that offer coverage for a new set of potential threats for a smaller pool of larger customers. Key opportunities for new policies include cybersecurity insurance, product liability insurance, and infrastructure insurance for OEMs and governments.

In recent years, cyberattacks have become more common and are projected to cost the automotive industry $505 billion. Due to the growing frequency of malicious cyberattacks, governments are enforcing cybersecurity regulations and pushing OEMs to adopt more stringent cybersecurity measures. Data breaches, hacking break-ins, ransomware attacks, and similar incidents are on the rise, and as the number of SDVs continues to increase, these attacks may soon spread into the automotive industry, leading to various negative consequences. One solution to mitigate these risks is for auto insurance policy providers to analyze the most common cyber threats and offer coverage for a new set of cyber risks. This approach can help companies protect themselves and their customers against the costly repercussions of cyberattacks.

In addition to cyberattack insurance, OEMs will also need to insure themselves against product malfunctions. Software is just as crucial to a car’s function as hardware, and failures in either can have devastating consequences. Fiat Chrysler experienced the effects of software issues firsthand when a pair of cybersecurity researchers uncovered a significant vulnerability in the manufacturer’s Jeep Cherokee. The researchers were able to hack into the car’s internal computer network through its Wi-Fi connection, gaining access not only to the car’s entertainment system but also to its engine, transmission, and brakes. The discovery revealed software shortcomings in multiple Chrysler models and eventually led to a recall of 1.4 million vehicles. As a result, the OEM’s stock value dropped by more than 2%. This case shows that software gaps can lead to catastrophic outcomes that could cost companies millions, if not billions. Therefore, manufacturers will need product liability coverage to offset the high stakes of potential software malfunctions.

Vehicles are not the only things getting smarter nowadays. The infrastructure is becoming increasingly reliant on software. Wireless technologies that allow communication between pedestrians (V2P), vehicles (V2V), and the infrastructure (V2X) are crucial for ensuring safety on the roads. But even the infrastructure is not entirely safe from cyber risk. Higher levels of connectivity can create more pathways for malicious hackers to exploit. Infrastructure software malfunctions can disrupt traffic conditions in entire cities, potentially putting people’s safety in jeopardy. Failures in the infrastructure can negatively impact governments, OEMs, drivers, and pedestrians. Hence, the risks should be insured against with appropriate coverage policies.

Vehicle software development and maintenance

The number of electric and software-defined vehicles is rapidly increasing, causing car manufacturers to shift their focus from hardware to software. Most new vehicles on the road are essentially computers on wheels, and like any computer, vehicle software needs to be properly maintained and periodically updated to improve performance. To keep up with this demand, manufacturers will need to expand their software development departments. However, since software-defined vehicles are a relatively new concept, most OEMs still lack the technological expertise to create and maintain advanced vehicle software technologies.

Creating and continuously managing vehicle software will become more challenging as the number of self-driving vehicles grows. Vehicle software management requires specialized technical expertise and large amounts of computing power, which in turn requires substantial financial resources. To keep up with industry trends, manufacturers have been developing in-house technological capabilities, hiring new personnel, establishing subsidiaries, and even acquiring other companies. While expanding in-house abilities can be a viable plan, OEMs can also embrace collaboration and seek partnerships with software solutions providers. By delegating software development, maintenance, bug fixes, and management to software suppliers, car manufacturers can focus on their core competencies. At the same time, software suppliers can unlock new revenue streams by entering the automotive sector.

An example of such cross-industry collaboration is the partnership between Mercedes-Benz and Nvidia. The two companies are working on a new software architecture for self-driving vehicles that is expected to add upgradable automated driving functions in the OEM’s vehicles. Unique expertise and know-how shared through cross-industry partnerships will positively affect the supply chain and help push the industry further forward.

Cybersecurity by design

As the SDV market expands, cybersecurity is becoming one of the biggest challenges facing the industry. Regulations hold manufacturers fully responsible for ensuring cybersecurity measures throughout the supply chain, which means that the risks associated with cybersecurity incidents are not just limited to a single player in the market.

To ensure vehicle cybersecurity measures are effective, manufacturers need to take a multi-faceted approach. One of the key areas that needs to be addressed is the protection of in-vehicle systems. These systems, which are responsible for controlling various vehicle functions, need to be secured to prevent unauthorized access and tampering. Additionally, manufacturers need to ensure secure charging for electric vehicles, as well as safe infrastructure communications. Each of these measures requires the development of different solutions and management systems, which can be a complex and time-consuming process.

In addition to implementing security software, companies also have to periodically test and update their security systems to keep up with the evolving threat landscape. OEMs will need the help of cybersecurity experts to put all of the cybersecurity measures in place. This creates new market opportunities for B2B partnerships between manufacturers and cybersecurity providers. Automotive cybersecurity solutions providers can advise manufacturers on the required security systems and deliver the necessary cybersecurity software. Various models of software-as-a-service can be offered to the manufacturers. Cybersecurity solutions providers can take on the task of not only developing the security software, but also managing it and performing periodic checks and improvements.

Disruptions caused by the new trends in the automotive sector are creating opportunities for collaboration with tangent industries. To take full advantage of current market opportunities, the automotive industry will need to embrace the culture of collaboration.


Cooperation in the New Automotive Software Supply Chain: An Emphasis on Cybersecurity

While there have been many changes within the automotive industry since Toyota invented Just-in-Time (JIT) manufacturing in the 1960s, the automotive supply chain hasn’t seen much change within the past 60 years. The supply chain has been a solid vertical structure: Tier 2 suppliers provide subcomponents and materials to Tier 1 suppliers, who then supply OEMs with ready-to-install parts for assembly. This supply chain structure has been universally adopted because it is highly streamlined and efficient, both important attributes of vehicle production. Under this structure, automotive OEMs do not need to communicate directly with lower-tier suppliers, while every supplier focuses solely on fulfilling the orders of the upper-tier supplier. This all worked out great – until automotive software took over the vehicle.

This vertical structure made perfect sense in the past when the automotive E/E architecture consisted of independent parts and domains. However, we are now approaching a different era in the automotive supply chain where, fueled by the growing need for connectivity and automation, in-vehicle systems are becoming more and more sophisticated and interconnected, with software now acting as a core component of the vehicle.

OEMs today are beginning to realize that the conventional manufacturing model no longer serves its purpose in the new era of software-defined vehicles. And with more and more EV startups entering the manufacturing game, conventional OEMs may need to redefine their supply chain to incorporate software development and cross-domain cooperation.

Growing Complexity of the Automotive Software Supply Chain

Name any car feature – more likely than not it is enabled by software. The modern vehicle runs on electronic systems and software that are stitched together to communicate with each other via the in-vehicle network. A typical vehicle today consists of up to 150 electronic control units (ECU), which are essentially minicomputers equipped with processors. System software needs to be embedded in each of these ECUs to control a particular domain of functions, such as powertrain, sensor, and infotainment.

As such, it would be an understatement to refer to the software-defined vehicle as “a computer on wheels.” A more accurate description would be “a computer network on wheels.” That’s because today’s vehicles run an average of 100 million lines of code. That is two to three times that of a PC operating system. And in fact, the level of complexity will only increase as more and more automated features and security systems are incorporated.

Under the current software supply chain structure, software vendors supply software development kits (SDK) and modules to chipmakers, which supply the chips (e.g., ECUs) to OEMs or Tier 1 suppliers, who then stitch all these chipsets onto the parts and components, putting them in place within the in-vehicle network. However, most OEMs have very little experience in software integration. Although vehicular software has been around for decades, nothing was at the magnitude and complexity of the software structure today.

Moreover, OEMs and Tier 1 suppliers are accustomed to the vertical supply chain structure. Many are overwhelmed by this growing need for direct external communications and cooperation.

Therefore, just like what many with a strategic mind would do, OEMs are outsourcing the work.

The Emergence of Software Providers and the Need for Cybersecurity

Due to the sheer volume and quick influx of software components, many OEMs choose to outsource software integration to a comprehensive software provider, acting as a “Tier 1 software supplier.” Many existing Tier 1 suppliers have seen this as an opportunity to expand their software division, and because of this many OEMs have chosen to establish or acquire their own dedicated software provider. Some take it a step further by making plans to establish a proprietary operating system and platform on which all applications can be developed. CARIAD from the Volkswagen Group is one such example. As the dedicated software provider for the Volkswagen Group, the company has announced plans to release the Volkswagen Operating System.

It might be tempting for OEMs to maintain their old way of doing things by having software providers take charge of all software integration, while focusing solely on inventory management, assembly, and quality control. However, the new supply chain landscape isn’t as straightforward, with quality control being the key difference. 

While hardware components are very easy to standardize and inspect, the rules are different in the software game. Since a cybersecurity risk exists in every connected computer, software and cybersecurity must go hand in hand in the age of connected vehicles. This means that a large part of software quality control is making sure that the software is free of vulnerabilities and flaws that may hinder its functionality and pose a cybersecurity risk. To do so, every piece of software needs to be rigorously tested prior to the release of a vehicle batch.

Additionally, similar to how OEMs are responsible for issuing hardware recalls, regulations are now holding OEMs accountable for software cybersecurity mismanagement and loopholes. The UN R155/R156 regulations set out by UNECE WP.29 mandate that all OEMs maintain an automotive cybersecurity management system (CSMS) and a software update management system (SUMS) for their vehicle fleets. This means that even after a vehicle is passed onto the consumer, software performance must be continuously managed, monitored, and updated and patched in real-time.

The bottom line: whether it is the OEM or the software provider in charge, the OEM will ultimately be responsible for cybersecurity management.

The Importance of Cooperation for Secure Software Implementation

At the end of the day, the jobs of both the OEM and software provider are to ensure that cybersecurity risk within the automotive ecosystem is well managed and minimized. However, this should not be taken lightly because cybersecurity management isn’t simply about buying security software from vendors and installing it into the systems.

In the sophisticated automotive software ecosystem, security measures must be incorporated and custom-built in the manufacturing process to ensure both secure implementation and cross-region interoperability.

Therefore, both OEMs and software providers must take an active role in cybersecurity and cooperate with firms specializing in automotive cybersecurity to facilitate secure software integration and implementation across all domains, from the embedded systems within a vehicle to the vehicle-to-everything (V2X) connections for autonomous driving and vehicle-to-grid (V2G) applications for EV charging.

The takeaway is this: the automotive industry has entered a new era – an era where value is no longer added step by step through vertical supply chains but generated from horizontal cooperation, and an era where the automobile is no longer a product, but a combination of services stacked on wheels.

To succeed in the new era of smart mobility, cooperation is the key.


Top 6 Cybersecurity Challenges Unique to the Automotive Industry

Cybersecurity is one of the most complex and dynamic fields in the data-driven world, involving a constant battle between hackers and defenders. As internet connectivity reaches every corner of our lives, cybersecurity is now an essential component for automobiles. Yet, many are surprised to find out that cybersecurity in the automotive industry is entirely different from what we are used to encountering in the IT industry, and this means that there are challenges in terms of preparation and prevention. This article takes a closer look at how automotive cybersecurity differs from traditional IT security, with cybersecurity challenges unforeseen in the automotive industry.

1. Massive Scale and Density

As vehicles become increasingly digitalized and connected, many like to draw comparisons between cars and computers, referring to automobiles as “computers on wheels”. However, comparing a car to a computer is not quite fair because a car is, in fact, made up of hundreds of individual computers, which in industry terms are called electronic control units (ECU). The scale of the IT infrastructure in a vehicle resembles that of a small enterprise network, with all the computers, servers, and networking devices densely packed into this metal box. Now imagine having to manage cybersecurity risks for tens of millions of these densely packed “enterprise networks”; a single world-class OEM has between 20 and 100 million active vehicles on the road, a scale never seen in a single corporate IT environment.

Despite this seemingly impossible task, OEMs make cybersecurity scalable by incorporating it into the design and manufacturing stage. Since all vehicles of the same model contain an entirely identical IT infrastructure, they are able to pre-establish cybersecurity measures and embed them into the vehicle parts during the manufacturing stage. This brings us to the next point: type approval.

2. Regulations Requiring Cybersecurity Type Approval

In the IT industry, computer and device manufacturers are not directly responsible for the cybersecurity of their products. It is up to the users, mostly enterprises, to implement cybersecurity tools to protect their network and data. As a result, IT cybersecurity regulations tend to be enforced on enterprise users, not manufacturers. For instance, data privacy laws such as the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) mandate enterprises to have reasonable security measures to protect the customer data they possess. It is only recently that governments have started to require more transparent reporting from hardware manufacturers due to the latest surge of supply chain attacks.

In contrast, in the automotive industry, since cybersecurity must be deployed during the manufacturing stage, OEMs are directly held accountable for failures in cybersecurity implementation. UNECE’s WP.29 working party was the first to establish a set of regulations that require vehicular cybersecurity type approval, meaning that all vehicles must be assessed and qualified prior to being put on sale. The following diagram illustrates a stage-by-stage comparison of when cybersecurity is implemented between the automotive and the IT industry.

[Figure: Cybersecurity Implementation: Automotive Industry vs. IT Industry]

3. System Complexity

Besides having greater scale and density, the internal system of a vehicle—referred to as the E/E (electrical and electronic) architecture—is much more complex than that of a computer. With more than 30,000 hardware components moderated by over 100 ECUs, a single vehicle operates on over 100 million lines of code. What makes things more complex is that the in-vehicle system is largely distributed without a universal operating system; as each ECU serves a unique purpose, every one of them is crucial to a car’s functionality. For instance, some ECUs are paired with sensors and actuators. Some are paired with the powertrain. The ECU that provides wireless connectivity is called the telematics control unit (TCU)—or on-board unit (OBU)—overseeing communications between the vehicle and the outside world.

Given that the ECUs are highly sophisticated minicomputers, they are often manufactured by different third-party suppliers that specialize in their own field of expertise. This means that to implement cybersecurity throughout the vehicle, OEMs need to work with both cybersecurity providers and ECU manufacturers to ensure that all needs are aligned and all components interoperable. An example of such multi-party collaboration is demonstrated when AUTOCRYPT partnered with ECU manufacturer NXP Semiconductors to embed its AutoCrypt V2X software development kit (SDK) into NXP’s OBUs. The secured chipsets are then able to be delivered to OEMs for assembly.

As vehicles become more and more sophisticated, the industry is now looking for ways to group the ECUs by their domains of service and slowly work towards a more centralized vehicle system that is easier to assemble and manage, transforming the multi-tier supply chain into a more horizontal supply line.

4. Long Lifespan

Having covered the differences in the manufacturing process, it is now time to look at how car consumers differ from electronics consumers. With increasingly efficient engines, advanced mechanics, and precise quality control systems, vehicles now last longer than ever. As a result, more and more consumers are keeping their cars for longer, with the average age of vehicles on US roads reaching a record 12.1 years in 2020. This is three times the average age of computers in the US.

This might be good news for consumers. Yet long-lasting cars pose a new challenge to OEMs, as they need to put more effort into managing software updates for each car model to ensure that it is free of security vulnerabilities. More active vehicles on the road also put more strain on the Vehicle Security Operation Center (vSOC), which needs to constantly monitor all vehicle systems in real time.

5. Scattered Locations

Speaking of vehicle monitoring, we need to talk about the unique challenges that the vSOC faces as compared to the SOC of an enterprise network. The computers and servers in a company do not move, hence it is easy for the cybersecurity team to monitor suspicious activities at all times and respond to threats immediately. On the other hand, vehicles move around constantly across cities and even countries. Oftentimes, they will enter zones without internet connectivity, making it difficult for the vSOC to detect and respond to threats due to delays in data transfer.

6. Damage Severity and Recovery

Lastly, if a cyberattack happens, an enterprise will most likely lose sensitive data and experience operational disruptions. However, a successful cyberattack against a vehicle system puts at risk not only data, but also the personal safety of the passengers and everyone else on the road. Patching vulnerabilities is also more complex in the automotive industry because the OEM needs to work with different Tier 1 suppliers and cybersecurity providers to ensure smooth updates.

How AUTOCRYPT Overcomes Automotive Cybersecurity Challenges

What sets AUTOCRYPT apart from other automotive cybersecurity providers is its capability to offer a complete set of end-to-end solutions that help OEMs overcome all aspects of cybersecurity challenges throughout the vehicle. From securing in-vehicle systems and V2X communications, to EV charging and fleet management, AUTOCRYPT eliminates the complexity of searching for a different provider for each problem, making it a completely personalized experience for each client.


The Automotive Industry – What We Can Expect in 2021

2020 has thrown the world for a loop. Unsurprisingly, most people are looking forward to 2021, and this includes the automotive industry. What trends can we expect next year, and are they necessarily going to be good ones?

1. More autonomy, less driving
2020 saw more vehicle manufacturers touting their autonomous driving technologies, and 2021 will be no different. In fact, autonomous vehicles categorized as SAE level 3 may be much more prevalent on the market. This means that more vehicles will be driven by the vehicle’s systems, though the human driver is still required to be on alert at all times.

While Tesla notably put its Full Self-Driving beta mode in the steering wheels of willing drivers, other vehicle manufacturers may not be too far behind as companies like Nissan, BMW, Mercedes-Benz, and Toyota are also putting in maximum effort to stay in the autonomous-driving game.

2. Further improvements on infotainment software
With a visible increase in models equipped with more advanced autonomous-driving or assisted-driving technologies, the industry may also get major changes in the type of infotainment software applications available in-vehicle.

Earlier models of connected vehicles focused on data-based infotainment like location services and GPS navigation, but we are likely to see a shift towards actual “entertainment,” as drivers will look for more interactive elements of the vehicle besides manually driving.

In fact, software providers and OEMs may be battling it out for precious infotainment real estate, as OEMs have been developing their own operating systems with built-in infotainment services. Advertisement agencies may also become increasingly involved as information delivery expands into these platforms.

3. Electric vehicles & BEVs become the norm
Electric vehicles (EVs) are nothing new, and this trend is not really a trend at all. EVs look like they will soon become the norm, as more nations are committing to significantly reducing or completely eliminating traditional internal combustion engine (ICE) vehicles within the next decade.

The United Kingdom announced in November 2020 that as part of a green industrial revolution, it would stop the sale of gasoline and diesel vehicles by 2035, with plans for significant reduction starting in 2030. As the automotive industry tends to plan for regulation changes with designs of new vehicle models well ahead of time, we are likely to see more vehicle manufacturers committing to the design and manufacture of battery electric vehicles (BEVs). In fact, Bentley, the luxury vehicle maker, announced that it would stop making ICE vehicles by 2030, with an added commitment to be carbon neutral at the same time.

These types of proclamations by nations and vehicle manufacturers are likely to continue as the pressure to go electric, from regulations as well as the environment, continues to grow.

4. Resurgence of Mobility-as-a-Service
COVID-19 threw a wrench in some mobility services like ride-sharing, but services have been quick to adjust their business models. For example, several delivery services have hopped on the bandwagon, providing contactless, robot or autonomous delivery pods to ensure that businesses and consumers can safely exchange goods. As cities and nations scramble for transport alternatives alongside the hopes for a widely-distributed vaccine, Mobility-as-a-Service solutions are likely to make a resurgence in 2021. Analysts report that MaaS business models are set to exceed 52 billion USD by 2027, even with the aftereffects of 2020.

This rebound will not only jumpstart the competition in the MaaS industry, but will also pressure connectivity providers to ensure that networks are ready to support the sheer quantity of connections. Lost or delayed connections mean more than a deficit in revenue: on the road, connectivity is key to ensuring safety for all of those involved.

5. More (attempted) attacks, more security
As the aforementioned trends continue to see growth, it is highly probable that there will be more attempted attacks. No vehicle is exempt, as even Tesla’s Model X was hacked in 2020 using a new key fob hack. Fortunately, the flaw was found by white hat hackers and Tesla rolled out a fix with an over-the-air (OTA) update—but unfortunately, this does not mean that it won’t happen again. Malicious hackers will always find new and innovative technology to prey on, putting manufacturers, service providers, and end-users at risk.

Thankfully, defenses will probably improve due to the regulation changes coming our way next year. In June 2020, the United Nations Economic Commission for Europe (UNECE) working party WP.29 passed two new regulations mandating cybersecurity management systems for all new vehicles, going into force in 2021. Countries will be able to implement these regulations into national legislation, and manufacturers will then have until July 2022 to obtain system type approval for cybersecurity for all new vehicle types. By July 2024, all vehicles regardless of launch date will have to be fully compliant. Implementation can be complex, but following guidelines by cybersecurity firms can be a great place to begin. For example, AUTOCRYPT has a free resource on how to begin structuring a cybersecurity management system along with consultation services on implementation.

Because of the relatively short time spans of implementation, we will likely begin to see cybersecurity management by vehicle manufacturers prioritized and implemented, as well as government pressure to do so swiftly.

Counting down to 2021
While many of the trends of 2020 will continue in 2021, there is no doubt that the automotive industry will be forced to re-strategize business operations in order to acclimate to a post-pandemic world. Whether in terms of embedded technology, software, or security, 2021 will be a big year.
