The post-pandemic economy is pummeling auto sales, but the new generation of vehicles is also creating waves. People who spend all day using smartphone apps want their vehicles to have similarly responsive, information-rich interfaces and accessibility. This results in cars with more embedded computer code than fighter jets.
Manufacturers are scrambling to balance consumer demands with keeping models secure. In 2020, the United Nations adopted the UNECE WP.29 Cybersecurity and Cybersecurity Management Systems (CSMS) regulation, which applies to 50 countries including the European Union, Russia, Australia and Japan, and will address cybersecurity concerns to protect consumers.
Europe, which has a lengthy approval process for new models, is implementing rigorous cybersecurity rules that apply to all vehicles sold in the European Community. Current laws do not yet require vehicle cybersecurity in vehicles sold in the U.S.
Unique Automotive Cybersecurity Challenges
Manufacturers have spent $300 billion on autonomy, connectivity, electrification, smart/shared mobility and other vehicle technologies. But automobiles, like any connected device, are vulnerable to hacking. In the past decade, cars have become increasingly interconnected, creating numerous opportunities for exploitation.
Imagine looking out your window to see your car running, with doors open and lights on – steps taken by a hacker moments before someone was poised to slip behind the steering wheel and steal it. Such a scenario is possible and could become more likely unless manufacturers carefully weave cybersecurity into the design and testing of each vehicle.
Upcoming Automotive Cybersecurity Regulations
The National Transportation Safety Board recommends integrating more security measures into vehicle designs. However, the safety protocol is developing more slowly than the interconnectedness of cars. The European Commission requires new security steps by 2024 but those are optional for U.S. manufacturers. American automakers must meet various emissions and safety standards, but none currently address cybersecurity.
Experts say hackers could hold vehicles for ransom in the future, locking up systems until the owner caves to their demands.
Some of the ways vehicles are connected include:
- Emergency services such as OnStar, which allows the driver to communicate with people when the car is disabled, create an entry point for hackers.
- Newer autos equipped with in-dash systems allow drivers to search for gas stations, use GPS and interact with their phones. Each of these systems represents a potential door for hacking.
- As autonomous driving evolves, vehicles transmit more information about road conditions, how the engine is running, and traffic congestion to data collectors. Each of these interactions offers potential vulnerabilities to hackers.
- Hacking is possible through phone apps that allow owners to activate climate control and door locks. Unfortunately, hijacking becomes possible through those apps both when the vehicle is parked and while it is being driven.
Increasingly, vehicle-to-vehicle communication, which is meant to reduce crashes, is vulnerable to hacking because it may lack processes for securing such messages. It is currently possible for malicious actors to send messages to vehicles that could alter their course or cause the auto-braking system to activate.
Future of Automotive Cybersecurity
Experts say there are now more software engineers than mechanical engineers in the automotive industry. As vehicles become increasingly sophisticated, manufacturers must ensure that security keeps pace with innovation, including:
- Securing the interface, or communication that vehicles have with outside sources, including phone apps, other cars, charging stations and onboard services.
- Adopting industrywide standards for cybersecurity.
- Preparing for a longer lifecycle of nearly 20 years for components. Manufacturers must be forward-thinking about potential threats and include the capability to update security as needed.
- Looking ahead, fully electric vehicles capable of self-driving will become an industry standard, making the stakes higher than ever in terms of occupant safety and the possibility for hacking.
The future holds great potential for automotive innovation, but with it comes great responsibility. The industry is facing new terrain that must be navigated carefully, with security goals given the same priority as technology development.
David Lukić is an information privacy, security and compliance consultant at IDstrong.com.