Today’s Software Defined Vehicles offer a host of user benefits that we’ve become accustomed to – from GPS, to in-car entertainment and telecommunications. However, heightened connectivity is also driving cybersecurity needs. In recent years, these add-ons have evolved even further to include keyless entry and start functions, autonomous driving capabilities, smartphone connectivity, and advanced driver assistance and safety measures.
With more gateways to exploit, cybercriminals are continually on the hunt for new ways to hijack automotive ecosystems. And needless to say – the risks of successful interception could range from mere inconvenience to roadside catastrophes and security risks.
The UN’s latest regulation No.155 (UN R155) for Vehicle Safety looks to address just this by setting standardised parameters to safeguard vehicles against cyber threats. With the framework implicating the 54 member countries of the 1958 agreement, including the European Union, the UK, Japan, and South Korea, and applying to a host of vehicles, there’s rationale in building up an understanding of the requirements.
So, what do these measures look like, and how will they play their part in driving cybersecurity, ensuring vehicles’ safety and trustworthiness?
Cybersecurity Management Systems
With attack attempts being a ‘when’, not an ‘if’, vehicle manufacturers will be required to establish cybersecurity management systems (CSMS) that operate on a proactive, continuous basis. This means they will be monitoring for inbound threats and conducting regular risk assessments within the systems, rather than seeing cybersecurity as a mere ‘tick box’ exercise. Cybersecurity is never truly ‘complete’!
Manufacturing a vehicle that is secure by design is one thing, but keeping up with the evolving risk landscape is another. On this basis, security teams will also need to update their protective measures in response to emerging threats and vulnerabilities as and when they evolve.
Another element of the framework centres around the fact that cybercriminals don’t just pounce once a vehicle is up and running on the roads. The CSMS’ requirements for uniform measures, policies, and processes will apply to the identification, assessment, and management of cybersecurity risks throughout the vehicle’s entire lifecycle. This will ensure protection stretches beyond one single moment in time, spanning development, production, and post-production phases.
Supply chain considerations
Automotive manufacturers also rely on a host of third-party providers within the supply chain – especially when it comes to technologies and cybersecurity – which means any vulnerabilities among suppliers could also ladder up to the vehicle in question if intercepted by bad actors.
Additional requirements and recommendations within UN R155 factor in navigating supplier agreements, ensuring alignment of practices and responsibilities and establishing a secure automotive ecosystem at every level and stage.
Compliance requirements
Manufacturers will be mandated to demonstrate conformity with the cybersecurity standards through independent audits, where manufacturers will submit their CSMS for assessment. Only upon passing will the vehicle be approved for manufacturing and sale – so the stakes are high. But for good reason, ensuring that only vehicles that respect this framework are launched.
The takeaways
Vehicles – and all their interconnected features – are only as good as the security foundations. Trust will be integral to the modern automotive industry, which means that security cannot be an afterthought in vehicle development – especially given these latest regulations.
With more attack vectors, vulnerabilities, and emerging technologies to consider, it can feel overwhelming. However, automotive manufacturers do not have to go at it alone, with Thales driving cybersecurity, helping navigate regulation compliance, whilst providing a robust cybersecurity infrastructure.
Visit our webpage on automotive cybersecurity to learn more about best practice security measures in the industry: