Cyber ​​security governance needs to keep automakers ahead of hackers

The automotive industry today is undergoing major transformation and may become unrecognizable in the future. Key aspects that underpin this transformation are improved connectivity and autonomous driving, as well as the evolution of automakers and their entire supply chain.

Automakers are no longer just offering final products, they are also an integral provider of mobility. This opens up entirely new business models and roles for both current and future players, expanding the pace and extent of change unlike what has been seen in the automotive industry.

Many questions remain for consumers. Many believe Improving vehicle connectivity is beneficial to them and may drive demand for connected cars and consumption of mobility-related services. However, there are growing concerns about the use of data acquired and managed by these vehicles. Of course, many modern cars already manage and collect vast amounts of data, most of which remain in the car. It is important for OEMs to ensure that consumers understand how their data is being used and that connected car infotainment security is utilized..

In the future, with the growth of “wireless” connectivity and more sophisticated 5G telematics, OEMs will be able to better understand their customers’ journeys and behaviors through the collection and exchange of data related to vehicle-based services. increase. This data may reveal important information about vehicle maintenance, repair, or warranty, but it may also be related to certain driver behavior, such as commuting habits.

Armed with this data insight, OEMs open up many possibilities to create “value” for both themselves and their customers through new, more personalized services in the form of vehicle-to-vehicle, vehicle-to-device, and vehicle-to-vehicle. I can. Communication to the infrastructure.

Evolving regulations

However, as this technology evolves, so does the risk situation that OEMs must manage throughout the vehicle development life cycle. From point of sale to the maintenance and repair process and ultimately the life of the vehicle.

Given the potential impact of cyberattacks on both people and the vehicle itself, this has not been overlooked by regulators.When Over 200 The automobile cyber incident, which was publicly reported in 2020, is raising public awareness. Unfortunately, as the adoption and value of connected services grows, more car cyber hacks can be attempted for both malicious and financial purposes.

OEMs should see this as a structural change that pervades all activities, not a one-time compliance activity.

In response, the United Nations Economic Commission for Europe (UNECE) has led the integration and complementation of transport regulations, especially for electronics, telematics, and related cybersecurity. Published in 2020, these regulations require manufacturers to both provide evidence of a certified Cyber ​​Security Management System (CSMS) and to own a Software Update Management System (SUMS). Both are prerequisites for new vehicles on the road, approved from 2022, and for all vehicles to be certified by 2024. Without certification, OEMs will not be able to sell these vehicles.

Over time, these regulations evolve as autonomous driving grows, and OEMs should see this as a structural change that pervades all activities, rather than a one-time compliance activity to complete.

Data protection

Today’s automakers are usually even more complicated, given that they are organized into different groups, each focused on different parts of the car, whether in the manufacturing stage or afterwards. However, for cybersecurity to be robust, it must be a characteristic built into each product and must be consistently managed. This must be done throughout the vehicle life cycle and throughout the technology system, from the vehicle’s in-vehicle system to the manufacturer’s support system.

Not only are there regulatory best practice standards, but data protection and privacy should also be considered. ISO regulations integrated with the UNECE standard provide best practices on how to do this. In addition to UNECE regulations and ISO standards, local laws related to data protection and privacy, as well as European guidelines should be considered. For example, EDPB Guideline 01/2020 pertains to the processing of personal data in connected car and mobility applications.

As manufacturers increasingly collect and analyze driver data from vehicles, they need to comply with existing data protection laws that cover areas such as how data is processed and where it is shared to ensure the protection of personal rights. there is.

In addition, autonomous driving regulations specifically refer to the safety and “security by design” process. As connected cars advance and become more popular, more local laws will emerge in different countries, opening up a whole new layer of complexity to OEMs when selling connected cars in multiple markets.

Cohesion between applications

Cybersecurity governance for connected cars is important and defines the manufacturer’s ability to deploy, maintain and evolve cybersecurity management systems across the production chain over the next few years.

Deloitte’s analysis across various OEMs found that there were no well-defined new trends in the connected car cybersecurity governance model. Instead, OEMs typically choose from a wide range of options that can be categorized into three major clusters. Product development process lead, usually R & D or vehicle technology development / homologation function lead. Quality and assurance leads, usually quality and compliance function driven. And cybersecurity feature leads, usually CISO or cybersecurity related feature leads.

The application of these models by manufacturers is cohesive, but most often aimed at preserving the obligations and culture of the current organization or speeding up CSMS certification. The business importance of automotive cybersecurity is often not perceived as providing more value than achieving the required compliance.

The new regulatory requirements give manufacturers the opportunity to rethink their complete cybersecurity governance model in a more integrated way, especially for companies undergoing major organizational changes. This provides a more comprehensive cybersecurity governance between connected cars, factories and legacy systems of common information and communication technology (ICT), while providing a long-term competitive advantage.

Challenges to take

When adopted by OEMs, the new UNECE regulations R155 and R156 have the power to rebuild the entire automotive industry. Connected cars are well established and this technology offers as many opportunities as any other new technology, but potential attackers continue to look for vulnerabilities.

OEMs need to design their automotive ecosystem to be resilient to advanced cyberattacks. They need to act and react across a variety of business functions to ensure that cyber defenses are integrated throughout the production chain, after-sales, and product life.

It has the power to restructure the cybersecurity approach across the automotive industry.

Having a fully integrated cybersecurity governance model is not a one-time need for compliance today, but a continuous need. A good governance model must be able to integrate cybersecurity into the vehicle life cycle from design and development to security monitoring. The robust model also provides the ability to detect potential cyber attacks on the vehicle. OEMs who do not adopt such a model run the risk of having to modify their defenses at great cost as a result of the potential for future cyberattacks. This includes the possibility of costly recalls or warranty repairs of vehicles damaged by such attacks.

Ultimately, this is a challenge that has the power to rebuild the cybersecurity approach across the automotive industry and provide more security, security, and consumer trust as it embraces the mobility revolution.

The opinions expressed here are those of the author and do not necessarily reflect the position of Automotive World Ltd.

Stephanobski Being a partner Deloitte Cyber ​​Risk and Crisis Management Services Leader

The Automotive World Comment column is open to decision makers and influencers in the automotive industry. If you would like to post a comment, please contact editorial @ automotiveworld.com.