According to the latest report from Upstream, a cybersecurity and data management platform for connected vehicles, the frequency of cyberattacks on cars increased 225% from 2018 to 2021. This figure underlines the importance of strengthening automotive cybersecurity across the entire industry.
In our article below, we provide insight into this topic and its possible solutions. We explain why international cybersecurity standards and regulations are extremely important. Moreover, you can learn how we support automotive cybersecurity at CCLab.
Automotive cybersecurity is a subset of computer security that focuses on cyber dangers and risks in the automotive context. The rising number of ECUs (Electronic Control Units) in cars, together with the adoption of various remote and wireless modes of communication to and from the vehicle, increasingly exposes cars to cyberattacks. This situation necessitated the creation of a cybersecurity branch specialized in automotive threats. Cybersecurity for road vehicles aims to protect communication networks, software, users, control algorithms, and automotive electronic systems from cyberattacks, unauthorized access, damage, or manipulation.
The automotive industry as we know it has been drastically changed by technological innovations. Vehicles, originally propelled by wheels and an engine, are now a group of networked devices on wheels. And, as we know, a system can become vulnerable to a cyberattack the moment it is linked to a network.
Manipulating the connectivity of vehicle functions enables a cyberattack. This can include manipulation of functions designed to remotely operate systems, such as remote keys, as well as manipulation of vehicle telematics, like temperature measurement of sensitive goods or remotely unlocking cargo doors. Cybercriminals can even access the battery, reducing its operating time. Security gaps that give rise to such attacks significantly damage the reputation of the given vehicle brand or even put human lives in danger.
Here are a couple of the most common cyber threats that the automotive industry is exposed to:
Ransomware attacks are growing increasingly widespread as cybercriminals discover new techniques to acquire database access and profit from the Ransomware as a Service (RaaS) market. Five major car brands: Tesla, Honda, Toyota, Nissan, and Renault have also suffered ransomware attacks recently.
One of the most common types of attacks in the automotive sector is the brute force attack. Cybercriminals employ this approach to target a computer network and penetrate a big database of passwords and usernames. Following that, they will undertake a credential stuffing attack, in which they will generate combinations in order to get access to an automobile's computer network.
Last but not least, cyberattacks can not only cause material damage but may also put human lives in danger.
Eliminating cyber risks begins with determining where the vulnerabilities originate and how they may be avoided from the start. Vehicle manufacturers have a critical role in ensuring the safety and security of their products. Complying with international cybersecurity rules and standards is one effective and efficient way to prevent cybercrime and make vehicles safer.
These standards enable the automotive sector to establish standardized cybersecurity processes and practices specific to vehicle manufacture and development. Adhering to these regulations and standards encourages unity across the automotive industry, ensuring that cybersecurity is at the forefront of all manufacturers' minds.
Automotive cybersecurity measures also help:
Below, we have collected some of the most important current and upcoming automotive cybersecurity regulations and standards that help keep cars and their drivers safe.
UNECE (United Nations Economic Commission for Europe) Vehicle Regulations are a set of regulations controlling automotive cybersecurity. They comprise two regulations: UN R155 and UN R156. UN R155 addresses broad criteria for vehicle cybersecurity, whereas UN R156 addresses particular requirements for heavy vehicles.
UNECE Vehicle Regulations play a vital role in promoting road safety by ensuring that cars meet a set of criteria for automotive cybersecurity. The Regulations also ensure that the member nations have consistent requirements on this matter.
UN R155 and UN R156 went into effect in the EU for new vehicle types in July 2022, and then for all newly built vehicles starting in July 2024. Automobile manufacturers will be accountable for complying with rules and providing a high degree of cybersecurity across their supply chain under ISO/SAE 21434.
ISO/SAE 21434 Standard for Road Vehicles-Cybersecurity Engineering defines engineering standards for cybersecurity risk management regarding the concept, product development, manufacturing, maintenance, operation, and decommissioning of electrical and electronic systems in road vehicles, including their interfaces and components.
The OEM must comply with UN R155. In addition, R155 requires OEMs to demand the mandatory level of security from their suppliers.
The Common Criteria for Information Technology Security Evaluation (Common Criteria or CC) is an international standard (ISO/IEC 15408) for IT product security certification. Common Criteria is a framework for independent, scalable, and internationally recognized security assessments of IT systems and products, including those in the automotive industry.
Suppliers can get Common Criteria certified devices like:
The automotive supply chain has been significantly impacted by wireless technologies. As connection levels rise and more complicated technologies emerge in the automobile sector, the compliance process becomes more intricate and unpredictable.
This is why in 2021 the Commission took action to improve the cybersecurity of wireless devices available on the European market. Economic operators in the automobile sector must now comply with the EU's Radio Equipment Directive 2014/53/EU (RED) and ensure that they fulfil their responsibilities accordingly. This regulation establishes additional legal criteria for cybersecurity protections, which manufacturers must consider when designing and manufacturing the relevant devices.
We provide the industry with versatile automotive cybersecurity solutions including readiness assessments, risk assessments, implementation of Cybersecurity Management systems, vulnerability testing, threat scenario discovery, etc.
CCLab is an accredited cybersecurity lab that has comprehensive experience in global cybersecurity consultancy and evaluation projects. We can help you verify your security goals, concepts, requirements, and implementations during the evaluation process. We also evaluate known attack methods, cybersecurity-related methods, tools, guidelines, and cybersecurity controls. You can also count on us to review and evaluate your software, IoT products (such as Software on Chip), evidence, and work products.
At CCLab we provide you with a complex “one-stop shop” automotive cybersecurity solution that covers readiness assessment, technical advice and consultation, vulnerability testing, and much more. We can help you with complete type-approval process management and a smooth transition to ISO/SAE 21434. Our dedicated and experienced specialists help to simplify the process and minimize the project time. In addition, we can help you obtain other relevant international certifications such as Common Criteria or RED.
As the automotive industry develops intelligent, connected, and autonomous vehicles, we must seek to better understand the safety and security of this linked technology in order to protect the whole industry. That is why international standards and regulations are important to provide a strong basis for maintaining and strengthening automotive cybersecurity.
With our extensive industry experience and professional team, CCLab is here to support vehicle manufacturers and automotive industry suppliers to achieve the desired level of safety for their products.