Automakers, suppliers race to comply with cybersecurity rules for connected cars

Automakers and suppliers in Europe will soon be required to ensure all connected vehicles are protected against cyberattacks to comply with two United Nations regulations.

The new rules on cybersecurity and software updates went into effect for all new vehicle types in July 2022 and will become mandatory for all new vehicles produced starting July 2024.

The rules have already had an effect on the market, serving as a contributing factor to the discontinuation of a low-cost electric minicar.

Volkswagen brand CEO Thomas Schaefer told Automotive News Europe sister publication Automobilwoche last month that production on the e-Up would end in mid-2024 because of the new rules for cybersecurity.

"To keep it in production we would have had to integrate a completely new electronic architecture," he said. "That would be too expensive. So, it's better to develop a new car right away."

The e-Up full-electric minicar is VW brand's entry EV, starting at 29,995 euros in Germany.

As vehicles become increasingly connected and complicated a big investment in cybersecurity and IT professionals will be required. The average vehicle has 100 million lines of code, compared less than 7 million for a Boeing Dreamliner, according to Continental.

The automotive cybersecurity market is forecast to grow in value to $17.7 billion by 2031 from about $2.8 billion last year, according to data specialist Research and Markets.

And there are questions about whether the automotive industry is prepared.

Israel's Argus Cyber Security, a subsidiary of Continental, found that 58 percent of small automakers and automotive suppliers are not ready to create a management system focusing on vehicle cybersecurity that complies with Regulation 155 from the United Nations Economic Commission for Europe (UNECE).

Additionally, the commission's Regulation 156 governs cybersecurity protocols for software updates in new vehicles and will start that same month.

"No one is prepared and to be honest, the complete automotive chain is not prepared," Gulroz Singh, an executive at NXP Semiconductors, in Austin, Texas, told Automotive News Europe sister publication Automotive News.

Managing cyber risks

The two new UN regulations require measures be implemented across four main disciplines, ranging from managing vehicle cyber risks and securing vehicles by design to mitigate risks along the value chain to detecting and responding to security incidents across vehicle fleets.

The last area requires the provision of safe and secure software updates and ensuring vehicle safety is not compromised, introducing a legal basis for over-the-air (OTA) software updates.

While the industry is in broad agreement that cybersecurity is a top priority for automakers to ensure the safety of vehicle systems and their occupants, not everyone is satisfied with the UNECE regulations.

Eric Dequi, Stellantis EE architecture and cybersecurity senior expert, supports the creation of rules that clarify and standardize cybersecurity.

"Operating safety, security and confidentiality are necessary and mandatory," he said in an email reply to questions. "OEMs are responsible -- in compliance with the legislation – to managing vehicle access control to limit impact."

The weak points

Gerd Preuss of ADAC, Germany's largest motor club, and lead of EuroNCAP's vehicle security and data access working group, explained via email that the vehicle cyberattacks that occur today are mostly carried out via interfaces such as the on-board diagnostics (OBD) port or via man-in-the-middle attacks through the manipulation of Bluetooth connections.

"The vehicle manufacturer is obliged by UNECE R155 to present IT security measures on the vehicle via a cyber security management system," he said.

From a consumer's point of view, however, this law lacks specific performance requirements and uniform acceptance criteria.

Preuss said EuroNCAP not only plans to fill in those gaps with its own tests, but also plans to clarify how the vehicle owner can safely monitor and control the data flow from or to the vehicle.

'A clear regulation'

"IT security is a prerequisite for the safe operation and the environmental performance of a vehicle," Preuss continued. "Investing in IT security for vehicles is essential for protecting personal data, preventing cyberattacks, meeting regulatory requirements, and maintaining brand reputation. Also access to data for repair and maintenance requires investments is IT security, where only authorized access is possible."

Continental's chief product security and privacy officer, Mathias Dehm, also agrees with the implementation of stronger regulations. As vehicles become more complex the rules can serve as a baseline for automakers and their suppliers.

"Looking back five years, there was no really international standard or regulation existing in this field," he said. "But now with a clear regulation from the UNECE and also the international standard ISO/SAE 21434, the industry has better guidance in place and to ensure a common level of cybersecurity across the whole industry."

He added this is important along the whole supply chain because everything needs to work seamlessly.

While the focus of the UNECE regulation falls mostly on the automakers, Dehm notes the regulation also stipulates the standards must be met along every link of the supply chain.

"It's a big challenge because the supply chain is so large and involves so many different suppliers, and not everyone has automotive as their main customer," Dehm said. "To roll this out along such a huge supply chain takes time, and you have an additional challenge in a shortage of required experts."

The new regulations, which the automaker needs to ensure along the supply chain, also require suppliers such as Continental, Robert Bosch and more to have continuous vulnerability management so they can response if something goes wrong. This needs to be maintained through the product's life cycle.

"You need the right team in your company including people with know-how about the product and all the specific details of the product for a long period of time," he said.

When it comes to updating cybersecurity software across vehicles and individual components, Demh sees OTA updates as the key solution to providing fleet-wide updates or fixes across potentially millions of vehicles.

Stellantis' Dequi added that OTA updates require a state-of-the-art solution to avoid malware injection.

"The basic solutions like the checking of integrity and confidentiality are mandatory to avoid all compromises during the transfer and installation of the software release," he said. "That includes a strict configuration management when multiple components are updated at the same time, and a rollback procedure in case of a safety or cyber issue after installation."

Better risk acknowledgment

From the perspective of Nick Maynard, vice president of fintech market research at Juniper, the new regulations from the UN represent an important development in the vehicles market.

"Cybersecurity has been an important issue within the connected vehicle for some time. The rise of connectivity creates cybersecurity issues," he said via email. "As vehicle manufacturers have non-standardized approaches to keeping software updated, this was a major driver of the regulation."

He pointed to Tesla leading the way with OTA updates, with other manufacturers significantly lagging, and many of even the most expensive cars having to return to the manufacturer for an update.
 
"The regulation will help resolve some of the challenges here," Maynard said. "What we will see is a better acknowledgement and risk assessment of the cybersecurity element within the connected vehicles market."

He added that those changes are already being seen -- for example, in February 2023, LG announced that its automotive components had been certified to the new standard.

"This is the beginning of a much greater process of standardization and certification, which many automakers and parts manufacturers will need to undertake," Maynard noted.
 
He also anticipates there will be much more interest in the software supply chain from automotive manufacturers.

"While manufacturers are responsible for the main systems that vehicles are running, there are many third-party components that will have independent software," he said.

As such, vehicle manufacturers will need to get to understand these risks, which have been relatively unknown for some time.

"We anticipate greater involvement of independent cybersecurity vendors who have been covering this area for a while," Maynard noted.