Automakers, Regulators Take On Cybersecurity

Can automakers and regulators beat hackers at their own game? That’s the goal in the world of automotive cybersecurity — where connected cars have put OEMs in cybercriminals’ crosshairs.

If I were to ask you to imagine someone hacking a car, what’s the first thing that comes to mind?

Let me guess. You’re picturing someone wearing a black hoodie and a Guy Fawkes mask. They’re sitting in front of a state-of-the-art computer rig in an otherwise unkempt basement, while a ‘90s-era techno soundtrack bumps with pulsating energy. Following some cloak-and-dagger coding wizardry, they hijack a cellular signal, take control of someone’s vehicle, and run it off the road.

Just like the movies, right?

Okay, so maybe that’s a little over the top. But for original equipment manufacturers (OEMs), cybersecurity is anything but a trivial matter. In fact, a single cyberattack can cost an automaker as much as $1.1 billion.

But the sheer monetary impact isn’t the only thing keeping business leaders up at night. The effects of a cyberattack extend far and wide — including potential legal / compliance fines, brand reputation impact, and crippling market capitalization losses.

Cybercriminals set their sights on connected cars

These days, if something connects to an information stream, it’s vulnerable to cyberattacks. And since modern cars are essentially data centers on wheels, it’s easy to understand why they’ve piqued the interest of hackers. From infotainment systems and engine control units to steering columns and brake lines, almost everything in a vehicle ties into various computer-based subsystems.

The trouble is that each system offers multiple footholds for attackers to exploit. But that’s only half the problem. Cars connect over a number of interfaces — including USB, CAN bus, Wi-Fi, Bluetooth, cellular, and automotive ethernet. These interfaces give cybercriminals a veritable smorgasbord of attack options, making it a nightmare for your engineering and testing teams to secure.

But regulators and standards bodies aren’t waving a white flag. In fact, they’ve outlined a blueprint to fight back.

Recent standards and regulations are making an impact on automakers

Over the last year or two, you've probably heard about standards like ISO / SAE 21434 and regulations like UNECE WP.29 and UN R155. But what do they actually mean — and what kind of practical impact do they have on automakers?

UNECE WP.29: The Big Picture

The World Forum for Harmonization of Vehicle Regulations (UNECE WP.29) is a wide-ranging strategic initiative to bring OEMs into lockstep on various vehicular regulations, from the headlights to the exhaust pipe. In June 2020, WP.29 adopted a new framework to combat cybersecurity risks on passenger vehicles. The group’s work resulted in a pair of regulations — instructing automakers to implement measures to:

  • Manage vehicle cybersecurity risks.
  • Mitigate risks along the supply chain by securing vehicles in design.
  • Detect and respond to security incidents across the vehicle fleet.
  • Provide safe, secure software updates that do not compromise vehicle security.

Think of this high-level guidance as a proverbial carrot, while the included regulations are a stick.

UN R155: The Forcing Function

The chief regulation to come out of WP.29’s cybersecurity framework in June 2020, UN R155 mandates that OEMs build cybersecurity into the entire lifecycle of their vehicle engineering processes. In layman’s terms, it boils down to two key details:

  • OEMs must establish and implement a cybersecurity management system (CSMS) that implements risk-driven engineering processes for vehicular components, subsystems, and assemblies.
  • Automakers must demonstrate compliance within their CSMS to secure “type approval” from the UN. Without approval, a vehicle won’t be allowed to operate on public roads.

UN R155 starts enforcement in major markets like the EU, UK, Korea, and Russia on July 1 (Japan is already enforcing it) — affecting all new vehicle types produced from that point onward. Beginning on July 1, 2024, all vehicles in production will need to comply.

ISO / SAE 21434: The Key to Compliance

If you imagine UN R155 as a lock, then ISO / SAE 21434 is the key. Unlike UN R155, this isn’t a regulation — it’s a standard. Whereas UN R155 mandates the deployment of a CSMS, ISO / SAE 21434 explains how to implement one.

Like functional safety, automotive cybersecurity follows the traditional “V Model” of engineering. That means all component and system testing needs to be covered by verification and validation processes, which take place on the model's right side.

But there’s a catch. “Security” is a constantly moving target. You only need to test functional safety once per component. But with new threats, exploits, and vulnerabilities emerging every day, cybersecurity testing is anything but a “one and done” proposition.

That's where a CSMS comes in. A good CSMS requires an extensive evaluation of applicable threats, known as a Threat Analysis and Risk Assessment (TARA). TARAs enable OEMs to identify, implement, and verify mitigations before pushing fixes to components and systems via software updates. But what if a new threat emerges? Engineering teams need a repeatable response that prioritizes speed and accuracy. A CSMS gives them the tools to promptly evaluate and mitigate emerging threats while ensuring their corrective actions don't inadvertently expose something else to attack.
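To make that TARA loop concrete, here is an added example (not from the original post or from Keysight) that rates two constructed threat scenarios before and after a corrective action, in the pattern of ISO/SAE 21434's attack-potential feasibility rating and impact-by-feasibility risk matrix, and then flags any scenario whose risk went up. The point values, thresholds, and risk matrix are assumed for illustration rather than quoted from the standard, and the scenarios are invented.

```python
"""Worked TARA risk rating after the ISO/SAE 21434 pattern (added example; values assumed)."""
# Attack-potential parameters in the style of ISO/SAE 21434 Annex G: a higher sum means
# a harder attack and therefore a lower attack feasibility. Point values are assumed here.
ELAPSED_TIME = {"<=1 day": 0, "<=1 week": 1, "<=1 month": 4, "<=6 months": 17, ">6 months": 19}
EXPERTISE = {"layman": 0, "proficient": 3, "expert": 6, "multiple experts": 8}
KNOWLEDGE = {"public": 0, "restricted": 3, "confidential": 7, "strictly confidential": 11}
WINDOW = {"unlimited": 0, "easy": 1, "moderate": 4, "difficult": 10}
EQUIPMENT = {"standard": 0, "specialized": 4, "bespoke": 7, "multiple bespoke": 9}
FEASIBILITY = ["very low", "low", "medium", "high"]
# Example risk matrix (Annex H pattern): impact rating -> risk value per feasibility rating.
RISK_MATRIX = {"severe": [2, 3, 4, 5], "major": [1, 2, 3, 4],
               "moderate": [1, 2, 2, 3], "negligible": [1, 1, 1, 1]}


def attack_feasibility(time, expertise, knowledge, window, equipment):
    """Sum the attack-potential parameters and map the total to a feasibility rating."""
    total = (ELAPSED_TIME[time] + EXPERTISE[expertise] + KNOWLEDGE[knowledge]
             + WINDOW[window] + EQUIPMENT[equipment])
    if total <= 13:
        return "high"
    if total <= 19:
        return "medium"
    return "low" if total <= 24 else "very low"


def risk_value(impact, potential):
    """Risk value 1..5 for one threat scenario from its impact rating and attack potential."""
    return RISK_MATRIX[impact][FEASIBILITY.index(attack_feasibility(**potential))]


def rate_register(register):
    """register: {scenario name: (impact, attack potential of the easiest known attack path)}."""
    return {name: risk_value(impact, pot) for name, (impact, pot) in register.items()}


def regressions(before, after):
    """Scenarios whose risk rose between two TARA iterations: the 'did the fix expose
    something else?' check a CSMS has to repeat for every release."""
    prior = rate_register(before)
    return sorted(n for n, r in rate_register(after).items() if r > prior.get(n, 0))


# Constructed register: a telematics unit that accepted unsigned firmware (BEFORE), and the
# same unit after signed-update enforcement, whose new update client logs its credentials (AFTER).
BEFORE = {"unsigned firmware accepted by telematics unit": ("severe", dict(
              time="<=1 week", expertise="proficient", knowledge="restricted", window="easy", equipment="standard")),
          "update-server credentials readable from diagnostic log": ("major", dict(
              time="<=1 month", expertise="proficient", knowledge="confidential", window="moderate", equipment="standard"))}
AFTER = {"unsigned firmware accepted by telematics unit": ("severe", dict(
             time="<=6 months", expertise="expert", knowledge="confidential", window="moderate", equipment="specialized")),
         "update-server credentials readable from diagnostic log": ("major", dict(
             time="<=1 week", expertise="layman", knowledge="public", window="easy", equipment="standard"))}
```

Running `regressions(BEFORE, AFTER)` shows the firmware scenario dropping from risk 5 to 2 while the credential-logging scenario climbs from 3 to 4, which is exactly the kind of side effect the re-assessment step exists to catch.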

How can automakers fight back against cybercriminals?

Now that the standards are written and the regulations adopted, the next question seems all too obvious.

“Where do we go from here?”

Given the state of the threat landscape and the incoming regulations, it’s easy to understand the uncertainty. But ISO / SAE 21434, WP.29, and UN R155 aren’t a threat. They’re a playbook for beating cybercriminals at their own game.

But what does that mean? Well, for automakers, that means attacking your own vehicles — before someone else gets the chance.

It all comes down to thinking like the enemy. Where a cybercriminal seeks to exploit system and component vulnerabilities, automakers can perform controlled cyberattacks to test vehicular security (in alignment with their CSMS). This practice is generally referred to as automotive penetration testing and encompasses multiple test types — including functional cybersecurity testing, fuzz testing, and vulnerability testing.

These tests don't just need to cover a comprehensive suite of potential threat vectors; they also have to account for the various points of ingress an attacker can take. That means testing across all the interfaces a modern car uses — including cellular, Wi-Fi, Bluetooth, USB, CAN, and automotive ethernet.

But that’s only half the battle. Software updates — the preferred method to mitigate vulnerabilities across automotive components and systems — require extensive verification. This process is painstakingly iterative, and automation is what makes it feasible at scale. Think about how often your phone updates. If you had to pay someone to verify all the mitigations you think are in place for every release, you'd have to spend excessive amounts of time and money.

Compliance with UN R155 demands a repeatable, scalable, and well-documented testing approach. And between sprawling attack surfaces, emerging threats, and mandatory compliance processes, integration and automation aren’t luxuries — they’re table stakes. While it’s possible to cobble individual hardware and software components together into an automotive cybersecurity test platform, the time commitment of managing a homegrown system can easily outweigh any potential benefits.

Protect what matters most

By its very nature, the world of cybersecurity is in a near-continuous state of change. The coming years will likely see a mass proliferation of new attack vectors, component threats, and system vulnerabilities. It should come as no surprise, then, that the automakers who respond the swiftest will emerge as the most protected, the most secure, and the safest choice for discerning customers.

That’s why it’s so important to get in front of attackers. And with an automated, integrated, and intelligent approach to cybersecurity, it’s never been easier to stay a step ahead. No matter what the future holds, you can rest assured knowing your systems are shielded, your vehicles are secure, and — most importantly — your passengers are safe.

About the Author

Mike is a Cybersecurity Solutions Lead at Keysight. A self-professed geek, he enjoys making technology accessible to everyone by stripping complex topics down to layman’s terms. Over the last decade, he’s spun stories on a wide variety of topics — including aerospace and defense, software development, and the multifaceted world of cybersecurity. When he’s not working, you'll typically find Mike in the mountains of Colorado with his wife and floppy-eared hounds.
