Automotive industry leaders are struggling with competing cyber risk and security priorities, and as such, many are increasingly concerned that their organisations will be unprepared for new, United Nations (UN)-backed vehicle safety regulations that come into force next year, leaving drivers exposed to unacceptable security risks.
The United Nations Economic Commission for Europe World Forum for Harmonisation of Vehicle Regulations (UNECE WP.29) framework covers a wide range of standards relating to vehicles, including pollution and energy, noise and tyres, lighting and signalling, general and passive safety provisions, and automated or autonomous and connected vehicles.
With respect to cyber security, when it comes into force in July 2024, regulations UN155/156 as set out by UNECE WP.29 will mandate that all automotive original equipment manufacturers (OEMs) and their supply chains must make multi-layered cyber security provisions to guard against current and future cyber attacks at the risk of having to stop manufacturing vehicles that are not compliant.
Critically, the regulations require that any vehicles already under development for production from mid-2022 onwards will need to comply.
OEMs will also have to ensure all of their suppliers are compliant with the regulations, meaning that every component part of a vehicle that contains software will have to come with evidence it complies with security-by-design principles, and failure to do so will make it impossible for the OEM to accept or integrate the code into their vehicles.
However, Kaspersky principal security researcher David Emm revealed that, with the deadline just 10 months away, the automotive C-suite finds itself well behind the curve: 42% of respondents to a Kaspersky-sponsored study said they did not have any plan in place, and 63.5% said they were “not very involved” in planning for UNECE WP.29 compliance, despite 64% agreeing that cyber threats were a “strategic board issue”.
Even more respondents – 68.5% – agreed that the sector needed more understanding of the implications of the standards and what they will mean for car companies.
Emm also pointed to a lack of clarity over responsibility lines, roles and ownership within carmakers and their suppliers, hindering progress towards compliance.
“The security of any supply chain is defined by its weakest part, and the automotive industry is no exception,” said Emm. “Delivering secure vehicles in the connected era will require a more tightly integrated set of working relationships across the supply chain, but our research highlights the challenges faced by these businesses.
“First, in interpreting and actioning appropriate measures to defend against an increasingly varied threat landscape, and second, balancing these actions with the necessary steps that will be required to become compliant with industry regulations.
“The next few months will be critical for suppliers whose solutions are covered by UNECE WP.29 – act now with the right processes in place and there is the potential to forge new long-term relationships to ensure OEMs have complete solutions with the right level of security compliance,” he said. “Or fail to do so and risk being left behind by an industry which is being compelled to act on the imminent cyber threats they are facing daily.”
Steps to UNECE WP.29 compliance and supply chain security
- Conduct a supply chain risk assessment, creating an inventory of every supplier of products and services and establishing where your own organisation sits in the supply chain. Audit your suppliers’ cyber credentials and risk management plans, and how they in turn treat their own suppliers;
- Map and prioritise your cyber governance processes, accounting for those that will require strict compliance, from software updates to product testing and certification. This should include all policies for handling risk across the entire product lifecycle, and services that are associated with it – for cars this will include operations, production, maintenance, and eventually scrappage;
- Establish a product security lifecycle. This framework should include regular training and auditing, and partnerships with security providers that can understand and decode threats so you can take prompt action. The cyber solutions you implement should be able to detect threats propagating through the supply chain in real time, detect and stop in-progress attacks, and provide evidence that intrusions have been mitigated;
- Implement threat monitoring, both in real time and offline, with regular monitoring and log collection, and provision of reports to the relevant national bodies responsible for approving products for use. For vehicles, it will be important to be aware of threats that may be specific to certain vehicle types;
- Implement a robust incident response plan with well-prepared teams and clear objectives. Having a competent cyber security provider on hand can help here.
On top of the looming impact of UNECE WP.29, Kaspersky’s survey – which tapped 200 C-suite decision-makers at automotive organisations with more than 1,000 employees – also found that sector leaders are struggling more generally with the cyber security landscape, particularly as it relates to the potential for threat actors to exploit software vulnerabilities in the production of connected cars, and the integration of software into them.
A total of 64% of leaders believed their supply chains were vulnerable, with the biggest area of concern being the provision of infotainment systems and connectivity technology supplied by others, cited by 34% of respondents.
In addition, Kaspersky found, they worry about threats such as keyless entry attacks leading to vehicle theft, eavesdropping and surveillance on users, remote exploitation of autonomous cars, denial of service attacks, and even vehicles being used as an entry point for threats such as ransomware – gangs including Conti, LockBit and Hive have all been known to conduct attacks against the sector.
“Protecting businesses while tackling cyber security threats has radically changed … to a whole new level of complex coding, unknown threats and ongoing cyber attacks,” said Kaspersky automotive research leader Clara Wood. “Our research shows us that criminals are turning their focus towards the automotive supply chain and looking to exploit any weaknesses they can find. This is why cyber literacy is now a critical component if an increasingly interconnected automotive industry is to develop a culture of cyber security best practice, share knowledge, and institute actionable intelligence with a clear and quantifiable return on investment.”
The study also found that automotive C-suites seem to struggle to realise or perceive enough return on their current cyber intelligence investments and, in common with many other sectors, find the jargon and language that surrounds security a barrier to their understanding of risk – an issue Kaspersky has raised before.
“Automotive leaders are being swamped by a tide of competing priorities, unclear processes and isolated threat intelligence, which is threatening the security of both their organisation, and an interconnected network of suppliers, manufacturers and service providers,” said Emm.
“The industry has passed an inflection point, and there is now a clear danger that consumer privacy and safety may be compromised,” he continued. “The use of technology in vehicles, the supply chains required for their development and the need to comply with WP.29 have made it critical that the C-suite understands the cyber risk their companies are facing and take immediate steps to inform their strategies.”