Top 6 Cybersecurity Challenges Unique to the Automotive Industry

Cybersecurity is one of the most complex and dynamic fields in the data-driven world, involving a constant battle between hackers and defenders. As internet connectivity reaches every corner of our lives, cybersecurity is now an essential component for automobiles. Yet, many are surprised to find out that cybersecurity in the automotive industry is entirely different from what we are used to encountering in the IT industry, and this means that there are challenges in terms of preparation and prevention. This article takes a closer look at how automotive cybersecurity differs from traditional IT security, and at cybersecurity challenges unforeseen in the automotive industry.

1. Massive Scale and Density

As vehicles become increasingly digitalized and connected, many like to draw comparisons between cars and computers, referring to automobiles as “computers on wheels”. However, comparing a car to a computer is not quite fair because a car is, in fact, made up of hundreds of individual computers, which in industry terms are called electronic control units (ECUs). The scale of the IT infrastructure in a vehicle resembles that of a small enterprise network, with all the computers, servers, and networking devices densely packed into this metal box. Now imagine having to manage cybersecurity risks for tens of millions of these densely packed “enterprise networks”; a single world-class OEM has between 20 and 100 million active vehicles on the road, a scale never seen in a single corporate IT environment.

Despite this seemingly impossible task, OEMs make cybersecurity scalable by incorporating it into the design and manufacturing stage. Since all vehicles of the same model contain an entirely identical IT infrastructure, they are able to pre-establish cybersecurity measures and embed them into the vehicle parts during the manufacturing stage. This brings us to the next point: type approval.

2. Regulations Requiring Cybersecurity Type Approval

In the IT industry, computer and device manufacturers are not directly responsible for the cybersecurity of their products. It is up to the users, mostly enterprises, to implement cybersecurity tools to protect their network and data. As a result, IT cybersecurity regulations tend to be enforced on enterprise users, not manufacturers. For instance, data privacy laws such as the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) mandate enterprises to have reasonable security measures to protect the customer data they possess. It is only recently that governments have started to require more transparent reporting from hardware manufacturers due to the latest surge of supply chain attacks.

In contrast, in the automotive industry, since cybersecurity must be deployed during the manufacturing stage, OEMs are directly held accountable for failures in cybersecurity implementation. UNECE’s WP.29 working party was the first to establish a set of regulations that require vehicular cybersecurity type approval, meaning that all vehicles must be assessed and qualified prior to being put on sale. The following diagram illustrates a stage-by-stage comparison of when cybersecurity is implemented between the automotive and the IT industry.

[Figure: Cybersecurity Implementation: Automotive Industry vs. IT Industry]

3. System Complexity

Besides having greater scale and density, the internal system of a vehicle—referred to as the E/E (electrical and electronic) architecture—is much more complex than that of a computer. With more than 30,000 hardware components moderated by over 100 ECUs, a single vehicle operates on over 100 million lines of code. What makes things more complex is that the in-vehicle system is largely distributed without a universal operating system; as each ECU serves a unique purpose, every one of them is crucial to a car’s functionality. For instance, some ECUs are paired with sensors and actuators. Some are paired with the powertrain. The ECU that provides wireless connectivity is called the telematics control unit (TCU)—or on-board unit (OBU)—overseeing communications between the vehicle and the outside world.

Given that the ECUs are highly sophisticated minicomputers, they are often manufactured by different third-party suppliers that specialize in their own field of expertise. This means that to implement cybersecurity throughout the vehicle, OEMs need to work with both cybersecurity providers and ECU manufacturers to ensure that all needs are aligned and all components interoperable. An example of such multi-party collaboration is demonstrated when AUTOCRYPT partnered with ECU manufacturer NXP Semiconductors to embed its AutoCrypt V2X software development kit (SDK) into NXP’s OBUs. The secured chipsets are then able to be delivered to OEMs for assembly.

As vehicles become more and more sophisticated, the industry is now looking for ways to group the ECUs by their domains of service and slowly work towards a more centralized vehicle system that is easier to assemble and manage, transforming the multi-tier supply chain into a more horizontal supply line.

4. Long Lifespan

Having covered the differences in the manufacturing process, it is now time to look at how car consumers differ from electronics consumers. With increasingly efficient engines, advanced mechanics, and precise quality control systems, vehicles now last longer than ever. As a result, more and more consumers are keeping their cars for longer, with the average age of vehicles on US roads reaching a record 12.1 years in 2020. This is three times the average age of computers in the US.

This might be good news for consumers. Yet, long-lasting cars pose a new challenge to OEMs, as they need to put more effort into managing software updates for each car model to ensure that they are free of security vulnerabilities. More active vehicles on the road also put more strain on the Vehicle Security Operation Center (vSOC), which needs to constantly monitor all vehicle systems in real time.

5. Scattered Locations

Speaking of vehicle monitoring, we need to talk about the unique challenges that the vSOC faces as compared to the SOC of an enterprise network. The computers and servers in a company do not move, hence it is easy for the cybersecurity team to monitor suspicious activities at all times and respond to threats immediately. On the other hand, vehicles move around constantly across cities and even countries. Oftentimes, they will enter zones without internet connectivity, making it difficult for the vSOC to detect and respond to threats due to delays in data transfer.

6. Damage Severity and Recovery

Lastly, in case a cyberattack happens, an enterprise will most likely lose sensitive data and experience operation disruptions. However, a successful cyberattack against a vehicle system puts at risk not only data, but also the personal safety of the passengers and everyone else on the road. Patching vulnerabilities is also more complex in the automotive industry because the OEM needs to work with different Tier 1 suppliers and cybersecurity providers to ensure smooth updates.

How AUTOCRYPT Overcomes Automotive Cybersecurity Challenges

What sets AUTOCRYPT apart from other automotive cybersecurity providers is its capability to offer a complete set of end-to-end solutions that help OEMs overcome all aspects of cybersecurity challenges throughout the vehicle. From securing in-vehicle systems and V2X communications, to EV charging and fleet management, AUTOCRYPT eliminates the complexity of searching for a different provider for each problem, making it a completely personalized experience for each client.


The Automotive Industry – What We Can Expect in 2021

2020 has thrown the world for a loop. Unsurprisingly, most people are looking forward to 2021, and this includes the automotive industry. What trends can we expect next year, and are they necessarily going to be good ones?

1. More autonomy, less driving
2020 saw more vehicle manufacturers touting their autonomous driving technologies, and 2021 will be no different. In fact, autonomous vehicles categorized as SAE level 3 may be much more prevalent on the market. This means that more vehicles will be driven by the vehicle’s systems, though the human driver is still required to be on alert at all times.

While Tesla notably put its Full Self-Driving beta mode in the steering wheels of willing drivers, other vehicle manufacturers may not be too far behind as companies like Nissan, BMW, Mercedes-Benz, and Toyota are also putting in maximum effort to stay in the autonomous-driving game.

2. Further improvements on infotainment software
With a visible increase in models equipped with more advanced autonomous-driving or assisted-driving technologies, the industry may also get major changes in the type of infotainment software applications available in-vehicle.

Earlier models of connected vehicles focused on data-based infotainment like location services and GPS navigation, but we are likely to see a shift towards actual “entertainment,” as drivers will look for more interactive elements of the vehicle besides manually driving.

In fact, software providers and OEMs may be battling it out for precious infotainment real estate, as OEMs have been developing their own operating systems with built-in infotainment services. Advertisement agencies may also become increasingly involved as information delivery expands into these platforms.

3. Electric vehicles & BEVs become the norm
Electric vehicles (EVs) are nothing new, and this trend is not really a trend at all. Electric vehicles look like they will soon become the norm, as more nations are committing to significantly reducing or completely eliminating traditional internal combustion engine (ICE) vehicles within the next decade.

The United Kingdom announced in November 2020 that as part of a green industrial revolution, it would stop the sale of gasoline and diesel vehicles by 2035, with plans for significant reduction starting in 2030. As the automotive industry tends to plan for regulation changes with designs of new vehicle models well ahead of time, we are likely to see more vehicle manufacturers committing to the design and manufacture of battery electric vehicles (BEVs). In fact, Bentley, a luxury vehicle maker, announced that it would stop making ICE vehicles by 2030, with an added commitment to be carbon neutral at the same time.

These types of proclamations by nations and vehicle manufacturers are likely to continue as the pressure to go electric, from regulations as well as the environment, continues to grow.

4. Resurgence of Mobility-as-a-Service
COVID-19 threw a wrench in some mobility services like ride-sharing, but services have been quick to adjust their business models. For example, several delivery services have hopped on the bandwagon, providing contactless, robot or autonomous delivery pods to ensure that businesses and consumers can safely exchange goods. As cities and nations scramble for transport alternatives alongside the hopes for a widely-distributed vaccine, Mobility-as-a-Service solutions are likely to make a resurgence in 2021. Analysts report that MaaS business models are set to exceed 52 billion USD by 2027, even with the aftereffects of 2020.

This rebound will not only jumpstart the competition in the MaaS industry, but also pressure connectivity providers to ensure that networks are ready to support the sheer quantity of connections. Lost or delayed connections mean a deficit in revenue, and on the road, connectivity is also key to ensuring safety for all of those involved.

5. More (attempted) attacks, more security
As the aforementioned trends continue to see growth, it is highly probable that there will be more attempted attacks. No vehicle is exempt, as even Tesla’s Model X was hacked in 2020 using a new key fob hack. Fortunately, the flaw was found by white hat hackers and Tesla rolled out a fix with an over-the-air (OTA) update—but unfortunately, this does not mean that it won’t happen again. Malicious hackers will always find new and innovative technology to prey on, putting manufacturers, service providers, and end-users at risk.

Thankfully, defenses will probably improve due to the regulation changes coming our way next year. In June 2020, the United Nations Economic Commission for Europe (UNECE) working party WP.29 passed two new regulations mandating cybersecurity management systems for all new vehicles, going into force in 2021. Countries will be able to implement these regulations into national legislation, and manufacturers will then have until July 2022 to obtain system type approval for cybersecurity for all new vehicle types. By July 2024, all vehicles regardless of launch date will have to be fully compliant. Implementation can be complex, but following guidelines by cybersecurity firms can be a great place to begin. For example, AUTOCRYPT has a free resource on how to begin structuring a cybersecurity management system along with consultation services on implementation.

Because of the relatively short time spans of implementation, we will likely begin to see cybersecurity management by vehicle manufacturers prioritized and implemented, as well as government pressure to do so swiftly.

Counting down to 2021
While many of the trends of 2020 will continue in 2021, there is no doubt that the automotive industry will be forced to re-strategize business operations in order to acclimate to a post-pandemic world. Whether in terms of embedded technology, software, or security, 2021 will be a big year.
