The United States lags the European Union in vehicle cybersecurity
The post-pandemic economy is sinking auto sales, but the new generation of vehicles is also creating waves. People who spend all day using smartphone apps want their vehicles to have equally responsive and information-rich interfaces and accessibility. This results in cars with more embedded computer code than fighter jets.
Manufacturers strive to balance consumer demands with the safety of their models. In 2020, the United Nations adopted the UNECE WP.29 regulation on cybersecurity and cybersecurity management systems (CSMS), which applies to 50 countries, including the European Union, Russia, Australia and Japan, and will address cybersecurity issues to protect consumers.
Europe, which has a lengthy approval process for new models, has stringent cybersecurity rules in place that apply to all vehicles sold in the European Community. Current laws do not yet require vehicle cybersecurity in vehicles sold in the United States.
Unique automotive cybersecurity challenges
Manufacturers have spent $300 billion on autonomy, connectivity, electrification, smart/shared mobility and other automotive technologies. But automobiles, like any connected device, are vulnerable to hacking. Over the past decade, cars have become increasingly interconnected, creating many opportunities for exploitation.
Imagine looking out the window to see your car running, with the doors open and the lights on – actions taken by a hacker moments before someone is about to slip behind the wheel and steal it. Such a scenario is possible and could become more likely unless automakers carefully integrate cybersecurity into the design and testing of every vehicle.
Upcoming Automotive Cybersecurity Regulations
The National Transportation Safety Board recommends incorporating more safety measures into vehicle design. However, security protocols are developing more slowly than the interconnection of cars. The European Commission requires new safety measures by 2024, but these are optional for US manufacturers. US automakers must meet various emissions and safety standards, but none currently address cybersecurity.
Experts say hackers could hold vehicles for ransom in the future, locking systems down until the owner gives in to their demands.
Here are some of the ways vehicles are connected:
- Emergency services like OnStar, which allow the driver to communicate with people when the car is broken down, create an entry point for hackers.
- Newer cars with in-dash systems allow drivers to search for gas stations, use GPS, and interact with their phones. Each of these systems represents a potential doorway for hacking.
- As autonomous driving evolves, vehicles transmit more information about road conditions, engine operation and traffic jams to data collectors. Each of these interactions offers potential vulnerabilities to hackers.
- Hacking is possible through phone apps that allow homeowners to activate air conditioning and door locks. Unfortunately, hijacking becomes possible through these apps both when the vehicle is parked and while it is being driven.
Increasingly, vehicle-to-vehicle communication intended to reduce accidents is vulnerable to hacking as it may lack processes to secure these messages. It is currently possible for malicious actors to send messages to vehicles that could alter their trajectory or cause the automatic braking system to activate.
The future of automotive cybersecurity
Experts say there are now more software engineers than mechanical engineers in the automotive industry. As vehicles become increasingly sophisticated, manufacturers need to ensure safety keeps pace with innovation, including:
- Securing the interface or communication that vehicles have with outside sources, including phone apps, other cars, charging stations and on-board services.
- Adopting industry-wide cybersecurity standards.
- Preparing for a longer component lifecycle of nearly 20 years: manufacturers need to be proactive about potential threats and include the ability to update security as needed.
- In the future, fully electric vehicles capable of autonomous driving will become an industry standard, making the stakes higher than ever in terms of occupant safety and the possibility of hacking.
The future holds great potential for automotive innovation, but with it comes great responsibility. The industry faces new ground that must be navigated with caution, with safety objectives having equal priority with technological development.
David Lukic is a privacy, information security and compliance consultant at IDstrong.com.