There’s no doubt the automotive industry takes cybersecurity seriously. In fact, work’s been quietly underway for more than a decade now to answer the unique security questions posed by the big four auto industry disruptors – automation, connectivity, shared mobility and alternative fuels. The security risk received worldwide attention in 2015 when white hat hackers took control of a vehicle over the internet, leading to the recall of 1.4m vehicles, and the industry responded by redoubling its efforts to tackle the issue.

As early as 2011, manufacturers were working with UNECE to develop a regulatory framework to support auto cybersecurity, and in 2021 the governing body announced that regulations would come into force in July 2022 for all new vehicle types, before becoming mandatory for all new cars across 54 countries from July 2024.

Although moving at a rapid pace, many say regulation can’t come soon enough, as the risk of hackers exploiting the connected vehicle is all too real. According to UNECE, cars now contain up to 150 electronic control units and about 100 million lines of code – four times more than a fighter jet – and that’s projected to rise to 300 million lines of code by 2030. Industry insiders know this is no small matter – it’s arguably one of the greatest challenges they face.

The new frontier

There are no strict requirements relating to cybersecurity for cars on the road today. However, the industry is actively working towards addressing this, including carrying out significant research into what regulation should look like and working with UNECE to develop Reg. 155. In the interim, this leaves OEMs to follow the new ISO/SAE 21434 or SAE J3061. This has resulted in a form of self-policing, a wild west where much-needed collective regulation is coming but is not here yet.

The players on the new frontier

While we await Reg. 155, I believe we’ll see ISO continually updating its documentation to ensure it stays relevant, but this means OEMs and their tier 1 and 2 suppliers will need support to navigate the ever-changing landscape. They will need a security partner that can advise on current challenges at the same time as consistently scanning the horizon.

Three unique cybersecurity challenges facing automotive

  1. One size doesn’t fit all

Applying a tried and tested approach, developed for another industry, just isn’t going to cut it for automotive. Cybersecurity is relatively new to auto – it’s been a focus for around ten years or so – whereas IT security in general has its origins in the late 1980s. As a result, the auto industry tends to lack the in-house skills and experience it needs in this area. Combine this with the speed regulation is moving at, add legacy systems like CAN and FlexRay to the mix – and you’ve got a unique and complex path to navigate. Equally, there’s a question to answer around how strictly new regulations will be enforced – will large OEMs and smaller-scale manufacturers be held to the same standards?

  2. A lengthy lifecycle

An additional challenge comes from the length of the automotive product lifecycle. Look at it this way: if development cycles range between 5 and 10 years (depending on component) and the average age of a car at scrappage is 14 years, you’ve got an end-to-end lifecycle of 20-plus years to account for. During this time, the cyberthreat will have evolved multiple times, forcing OEMs and their suppliers to solve for the long-term security of their fleet. There may even come a time when manufacturers could be required to offer cybersecurity warranties or after-sales support products, complete with regular patch updates.

  3. A time of seismic change

We all know the auto industry is going through a seismic shift as it transitions its operating model to alternative fuel solutions in time to meet both government targets and rising consumer demand. However, I’d argue that alongside alternative fuel vehicles (AFVs), the cybersecurity risks brought about by the connected car present equally pressing issues, if not as immediately obvious ones. With increased connectivity come greater security challenges, and although safety must always come first, new transport on-demand or MaaS (Mobility as a Service) models will pose new problems to solve, like the security of payments, billing and personal data. Although many large OEMs are building their own teams to tackle cybersecurity, what of the tier 1 and 2 suppliers who will be held to the same standards? They’ll need a partner who can help them keep up. Expleo draws skills and experience across engineering and technology – everything from Banking, Financial Services and Insurance (BFSI) to automotive engineering – which means we offer a unique combination of design thinking to our clients that covers both safety and security.

We’ve got around two years until UNECE Reg. 155 comes into play and during that time, the twin dynamics of automation and connectivity will force us to address the challenge or risk falling behind. The companies that rise to the occasion will be the ones that stay open to new thinking and embrace learnings from other industries to forge a path through the unique obstacles automotive faces. And Expleo will be right there, working with its customers to guide, advise, specify and design solutions that help the industry tame this new frontier.

Talk to us.

To find out more about how Expleo can help your business prepare for UNECE Reg. 155 or to discuss other cybersecurity-related services, contact Glynn Beeken and the team.