Webinar Recap: The Changing World And Challenges Of Automotive Security

On the 19th November 2020, Trustonic’s Andrew Till met with Harman’s Hadas Topor Cohen, The Qt Company’s Rolf Bittner, and Riscure’s Jasmina Omic to discuss the challenges of automotive security and the opportunities this presents for manufacturers, tier ones and silicon providers. Sign up to watch the on-demand recording and read our detailed answers to the questions we received during the webinar here.

Heightened interest in automotive cybersecurity is the result of:

  • Technology progress. More connected, autonomous and electric vehicles mean more software and greater complexity, and this combination of complexity and connectivity makes vehicles more vulnerable to cyberattack.
  • User experience. As the role of the car changes to one of entertainment and experiences, instrumentation and infotainment systems are no longer separate, which poses safety and security challenges. And, with the integration of payments and services, cars become lucrative targets for ransomware and for attacks on privacy and payments.
  • Increase in cyberattacks. As more connected cars emerge, we expect to see attacks on vehicles increase. By 2025, analysts estimate there will be about 450 million vehicles on the road.
  • Regulations. UNECE WP.29 covering vehicle cybersecurity will have a profound impact on the automotive industry, affecting tier ones and OEMs. WP.29 places cybersecurity at the heart of vehicle design and requires each OEM to have a Cybersecurity Management System (CSMS) in place.

The need for more collaboration

Sharing and collaboration are important in achieving better vehicle security. When threats are identified, the industry needs to be able to share this information to keep all vehicles and occupants safe. One example is the development of standards for how vulnerabilities and alerts are reported and monitored.

What can the industry learn from others?

The telecommunications and mobile industries have been successful in bringing together the relevant players and suppliers to define and evolve joint standards. Mobile has also tackled the need to respond rapidly to security breaches, despite long development cycles. In automotive OEMs, the process to address security vulnerabilities is too long and needs to be sped up.

Automotive could also port knowledge from the payment industry which is well organised, deals with high risk, and has many measures and systems in place to address security. Automotive needn’t develop this from scratch.

Other industries use advanced simulations and modelling that automotive could exploit; for example, to create test environments such as virtual cities, and digital twins of vehicles. This would enable the industry to model and predict different attack vectors and vulnerabilities inside vehicles proactively. R&D could then focus on deploying software fixes securely over the air (OTA) to update vehicles.

Do we need a digital standard akin to the Euro NCAP standard?

With greater connectivity and autonomy in vehicles, security becomes entangled with safety since an attack could threaten the physical safety of the vehicle’s occupants. As consumers become more aware of cybersecurity, they will likely drive demand for a standard.

“There is a misconception in the automotive industry that safety is equal to security and this is not the case … there are additional components in cybersecurity that have to be introduced”. Jasmina Omic

Safety and security are not the same. Safety is about what might happen unintentionally, while security is about deliberate attacks. Although both need to be embedded, cybersecurity requires specific components because of the intentional nature of cyberattacks.

What’s best practice for integrating cybersecurity?

Security must be integrated into the product from the outset rather than added later. Standards are beginning to drive this approach, but it needs to run through every part of the organisation and the supply chain. It’s no longer a case of waiting until the end of the development process to tick a box to state you’re compliant.

“Key to security is the move from it being seen as an activity performed at the end of a software development process to one where it becomes a philosophy running through the company” Andrew Till
