Prioritizing Embedded Cybersecurity: A Fundamental Shift for Automotive OEMs
Today, a car is no longer just a metal chassis with four wheels, seats, and a steering wheel. Of course, automobiles were first conceived purely as driving machines, capable of getting people from A to B efficiently, but they have since gone far beyond Karl Benz’s original vision. Now, they are highly intelligent, digitally connected experiences on wheels, designed not only to transport their occupants, but also to entertain and excite them.
This trend of increased connectivity is no flash in the pan either; it’s the clear direction of travel for the automotive industry. Indeed, it’s anticipated that embedded automotive connectivity will represent 30 percent of a vehicle’s makeup by 2030, and that nearly 75 percent of all vehicles sold will come with embedded connectivity by 2027. With our lives now driven by smart technology – from our phones to our home appliances – the increased connectivity of our cars is simply a reflection of our growing appetite for seamless digital experiences.
Many automakers are recognizing this, and are eager to increase their investment in this lucrative segment of the market as a result. The rise of embedded connectivity within the automotive industry may be ushering in a new era of convenience for motorists, but its growth does not come without significant dangers. As more connected tech is added to our vehicles, the need for robust cybersecurity becomes ever clearer. Between 2018 and 2021, the frequency of cyberattacks on cars soared by 225 percent, with data or privacy breaches the most common type of attack. And with Upstream estimating that the automotive industry is set to lose $505 billion to cyberattacks by 2024, it is clear that the problem is only worsening over time.
Although the threat of attacks on connected vehicles is constantly growing, not all automakers are approaching security in the same way. While many OEMs are taking the challenge of protecting vehicles seriously – as can be seen in the work being done by AutoISAC and GlobalPlatform’s new Automotive Task Force – others are treating their responsibility for vehicle security as a mere box-ticking exercise, rather than as an intrinsic part of their philosophy as a manufacturer.
Consequences of neglecting cybersecurity in the automotive industry
Taking a serious approach to security is not only good practice for automakers; it is absolutely in their best interests to do so. This is because, as the risks that cyberattacks pose continue to grow, legislation around security is becoming much more robust. For example, since July 2022, all new vehicle types have had to comply with UNECE WP.29.
This legislation, devised by the United Nations Economic Commission for Europe World Forum for Harmonisation of Vehicle Regulations Working Party 29, aims to ensure that ample cybersecurity is present within connected vehicles. It achieves this by harmonizing the various, fragmented regulations that make it difficult for automakers to create common platforms that will adhere to the specific requirements of each country they operate in.
While UNECE WP.29 doesn’t explicitly dictate how manufacturers must implement security into their vehicles, it supplies them with details of the structure, process, and methods that must be complied with. This helps to ensure that cybersecurity is central to automakers’ ethos around vehicle design, and that they can apply the strongest possible protection to their vehicles. It also provides them with a common framework to communicate their requirements to their supply chain, helping to ensure that security is taken seriously at all levels of the value chain.
If manufacturers fail to comply with UNECE WP.29’s legislation, they will be denied Type Approval for certain markets, meaning they would be precluded from selling their vehicles in those regions. Not only would this have an obviously negative impact on an automaker’s revenues, but it could also badly damage their reputation, particularly as an organization committed to safeguarding customer data.
The potential harm of ignoring cybersecurity requirements extends far beyond regulatory penalties, however. Automakers must also consider the damage that a sustained number of attacks against their vehicles could inflict upon their brand. After all, remote key attacks have already cost the industry dearly, which is hardly surprising given that keyless car theft accounted for 94% of all vehicles recovered by Tracker in 2021. Because manufacturers are heavily reliant on the trust they build with customers, any perceived vulnerability in a vehicle’s security infrastructure could severely erode consumer confidence, and cause motorists to switch over to alternative brands.
Another potential ramification is the impact that weak security, or a perceived lack of focus on it, will have on automakers’ future digital revenue streams. Many car companies are now increasing their targets for revenue generated from digital services, and this requires vehicle users, as well as third-party service and payment scheme providers, to all have trust in the digital platforms implemented within vehicles and the related back-end/cloud-based systems.
Why security should be an organizational philosophy
It is clear, therefore, that automakers can’t afford to take a laissez-faire approach to cybersecurity. As such, it is not enough to simply make it the job of one person in the organization to consider vehicle security. If that person doesn’t have the influence to make things happen, cybersecurity just becomes another activity to be ticked off the list. Instead, security must be a core part of the business’s philosophy, permeating every stage of both the design and production processes. However, an automaker’s responsibility doesn’t end once a vehicle has left the factory; they must consider its entire lifecycle, and what threats may arise throughout this time.
Everyone at the company should understand and care about the importance of cybersecurity, and be alert to the dangers that attacks pose. A strong emphasis also needs to be placed on keeping up to date with changes in the threat landscape, and on how threat intelligence is shared across companies in order to ensure the best possible countermeasures, not only within one company but for the automotive industry as a whole. By taking this universal approach, automakers can ensure that they never lose sight of the need for security, and can rest assured that their vehicles are safer and more resilient as a result.
If the industry is truly to achieve a culture of organizational security, automakers should consider appointing a Chief Information Security Officer [CISO] to oversee the entire process. This is because a key part of a CISO’s role is to make security a company-wide focus, rather than an aspect of vehicle design that is only considered by a select few.
Trustonic: Your reliable partner for automotive cybersecurity
At Trustonic, we appreciate that knowing what steps to take to ensure cybersecurity becomes a key part of their philosophy can be challenging for automakers. We are a provider of the industry-leading Trusted Execution Environment [TEE] – an environment for executing code in which those executing the code can have high levels of trust in the surrounding environment. Therefore, we have both the solution and the expertise to assist automakers in implementing the highest level of security into their vehicles, and ensuring that the latest cybersecurity legislation requirements have been met.
Recognized as a gold standard solution for the consumer Internet of Things [IoT] sector, our TEE has been certified using the industry-standard Common Criteria Protection Profile, defined by GlobalPlatform, and achieved a class-leading EAL5+ certification.
To date, the Trustonic TEE has been deployed in over 80 million vehicles, and this number is constantly rising. As such, the platform is very much at the heart of the next generation of secure, connected vehicles. Through the use of its hardware-backed secure environment, the solution can carry out critical operations, such as encryption and biometric authentication, and provide a trusted environment for applications and services. As ours is a strongly certified product, automakers are attracted to working with us because using our TEE makes it significantly easier for them to meet UNECE WP.29 requirements.
While the advancements made to embedded connectivity in recent years have been truly exciting, automakers must be aware of the dangers that come with the evolution of vehicle technology. With the regulatory penalties and brand damage that cyberattacks can inflict, it is clear that automakers’ responsibility to ensure vehicles are secure is not one to be taken lightly.