Cyber security governance must keep automakers ahead of the hackers

New regulations could reshape how the automotive industry addresses cyber security, writes Stefano Buschi

Today’s automotive industry is likely to be unrecognisable in the future as it undergoes huge transformation. Key aspects underpinning this transformation will be increased connectivity and autonomous driving, and how automakers and their entire supply chain evolve.

Automakers will no longer just provide the end product: they will become integral providers of mobility. This opens up entirely new business models and roles for both current and future players, with the pace and extent of change unlike anything seen before in the automotive industry.

Connected car
Advances being made in connectivity and autonomous driving will make vehicles more useful. They will also create new opportunities for hackers

For consumers, there remain a number of questions. Many believe that increased vehicle connectivity will be beneficial to them, which is likely to drive demand for connected vehicles and the consumption of services related to mobility. However, there are also increasing concerns about security and safety of connected vehicles, and the usage of the data acquired and managed by these vehicles. Of course, many modern cars already manage and collect an enormous amount of data but most of this remains onboard the car. For OEMs, ensuring consumers understand how their data is being used will be key.

With the growth of ‘over the air’ connectivity and more sophisticated 5G telematics in the future, OEMs will be able to better understand customer journeys and behaviours through the collection and exchange of data related to vehicle-based services. This data may reveal key information about a vehicle’s maintenance, repair or guarantees, but could also relate to specific driver behaviours, such as commuting habits.

Armed with this data insight, OEMs could open up a plethora of possibilities to create ‘value’ for both themselves and their customers through new and more personalised services in the form of vehicle-to-vehicle, vehicle-to-device, and vehicle-to-infrastructure communication.

Evolving regulations

However, as this technology develops, so too does the risk landscape that OEMs must manage throughout the vehicle development lifecycle; from the point of sale, to maintenance and repair processes and, finally, a vehicle’s end-of-life.

This has not gone unnoticed by regulators, given the potential impact of cyber attacks to both people and the vehicles themselves. With more than 200 automotive cyber incidents publicly reported in 2020, public awareness is also growing. Unfortunately, as the adoption and value of connected services increases it is likely that more automotive cyber hacks will be attempted with both malicious and financial intent.

OEMs should consider this a structural change that will be pervasive across all of their activities, and not a one-off compliance activity

In response, the United Nations Economic Commission for Europe (UNECE) has been taking the lead in unifying and complementing transportation regulations, specifically regarding electronics, telematics and related cyber security. Published in 2020, these regulations require manufacturers to provide both evidence of a certified Cyber Security Management System (CSMS) and to have a Software Update Management System (SUMS). Both are prerequisites to receive certification for a new car to be approved and on the road from 2022, and for the entire fleet by 2024. Without the certification, OEMs will not be able to sell these vehicles.

Over time, these regulations will evolve with the growth of autonomous driving, so OEMs should consider this a structural change that will be pervasive across all of their activities, and not a one-off compliance activity to be completed.

Data protection

There is additional complexity when you consider that today’s automakers are typically organised into different groups, each focused on different parts of the car, whether at the production stage or afterwards. However, for cyber security to be robust, it must be an embedded characteristic of each product, and managed consistently. This should be across a vehicle’s entire lifecycle and throughout the technology systems, from the car’s onboard systems to the manufacturer’s support systems.

As well as having regulatory best practice standards, data protection and privacy must also be considered. ISO regulation, integrated with the UNECE standard, provides best practice on how to do this. Beyond UNECE regulations and ISO standards, there will also be local laws related to data protection and privacy that need to be considered, as well as European Guidelines. For example, EDPB Guidelines 01/2020 relates to the processing of personal data in connected vehicles and mobility applications.

As manufacturers increasingly gather and analyse driver data from cars, they will need to comply with existing data protection laws, covering areas such as how the data is processed and who it is shared with, to ensure the rights of the individual are protected.

Furthermore, autonomous driving regulations refer specifically to safety and ‘secure-by-design’ processes as a reference. As connected cars advance and become more popular, we will see more local laws emerge in different countries, opening a whole new layer of complexity for OEMs when selling their connected vehicles in multiple markets.

Bosch 5G factory AGVs
Cyber security efforts must extend across the automotive industry, including smart factories and conventional IT infrastructure

Cohesion across applications

Governance of connected vehicle cyber security is key and will define manufacturers’ abilities to deploy, maintain and evolve their cyber security management systems across their entire production chain in the coming years.

Deloitte’s analysis across different OEMs has found that there is no clearly defined emerging trend in governance models for connected vehicle cyber security. Instead, OEMs typically choose between a wide range of options that can be classified in three predominant clusters: Product Development Process Lead, typically R&D or Vehicle Technical Development/Homologation function-led; Quality & Assurance Lead, typically Quality & Compliance function-led; and Cyber Security Capability Lead, typically CISO or cyber security related function-led.

Whilst there is cohesion in the application of these models by manufacturers, most aim to simply maintain current organisational duties and culture or speed up CSMS certification. The business criticality of automotive cyber security is often not recognised as providing value beyond achieving necessary compliance.

With new regulatory requirements, there is an opportunity for manufacturers to re-think their complete cyber security governance model in a more integrated way, especially for those that are undergoing major organisational transformation. This would help achieve more comprehensive cyber security governance between connected vehicles, factories and typical information and communication technology (ICT) legacy systems, whilst also achieving a competitive advantage in the long term.

A challenge that must be taken on

If embraced by OEMs, the new UNECE regulation R155 and R156 has the power to reshape the complete automotive industry. Connected vehicles are here to stay and while the technology provides a number of opportunities, as with any new technology, potential attackers will continue to seek out vulnerabilities.

OEMs must design automotive ecosystems to be resilient against sophisticated cyber attacks. They must be able to act and react across their different business functions, ensuring cyber defences are incorporated along their entire production chain, aftersales, and through to the end of life of their products.

This has the power to reshape the cyber security approach across the automotive industry

Having a fully integrated cyber security governance model is not a one-off need for compliance today, but an ongoing necessity. A good governance model must be able to integrate cybersecurity into the lifecycle of a vehicle, from design and development to security monitoring. A robust model will also provide the ability to detect any potential cyber attack on a vehicle. OEMs that fail to adopt such models will risk having to retrofit defences—at great expense—in the aftermath of a possible future cyber-attack. This includes the potential for costly recalls or warrantee repairs for vehicles damaged in such attacks.

Ultimately, this is a challenge that has the power to reshape the cyber security approach across the automotive industry, and to provide more security, safety and consumer confidence as more embrace the mobility revolution.


The opinions expressed here are those of the author and do not necessarily reflect the positions of Automotive World Ltd.

Stefano Buschi is Partner and Cyber Risk & Crisis Management Services Leader at Deloitte

The Automotive World Comment column is open to automotive industry decision makers and influencers. If you would like to contribute a Comment article, please contact editorial@automotiveworld.com

Welcome back , to continue browsing the site, please click here