Increasing connectivity is causing widespread disruption across the automotive industry. Frost & Sullivan’s analysis indicates that connected vehicles will comprise nearly 86% of the global automotive market by 2025, thereby giving rise to many vulnerable threat points for hackers. Cyberattacks and data breach incidents will pose severe risks to the automotive industry as they directly impact driver safety, data privacy, and service continuity. Hence, proper guidelines and regulatory mandates will be critical to ensuring the safety and security of automotive customers in the near to long term.
Indeed, one of the key challenges so far has been the lack of clear and enforceable standards for the connected vehicle ecosystem. However, we are confident that the industry is set to turn a corner with the emergence of two much-needed vehicle cybersecurity initiatives—the United Nations Economic Commission for Europe’s (UNECE) WP.29 regulation and the ISO/SAE 21434 standard.
Over the past few years, agencies like the National Highway Traffic Safety Administration, the European Union Agency for Network and Information Security, the European Automobile Manufacturers' Association, the Society of Automotive Engineers, and Auto-ISAC, among others, have released their own cybersecurity standards and guidelines. These have sought to spread awareness and understanding while helping ecosystem participants build secure vehicles and vehicle components. To date, however, there have been no officially mandated security standards for the auto industry as a whole. The lack of a standardized security framework has left the connected vehicle ecosystem deeply vulnerable to cyberattacks.
This situation is expected to change from 2021, thanks to a duo of promising initiatives/standards—the UNECE’s WP.29 and the ISO/SAE 21434—that are creating positive ripples in the auto industry. While the ISO/SAE standard is still in the drafting stage, WP.29 was adopted by the UNECE World Forum for Harmonization of Vehicle Regulations in June 2020 and is expected to come into force in January 2021. ISO/SAE and WP.29 complement each other as both prepare the automotive industry for securing a new generation of connected vehicles.
ISO/SAE 21434: Emphasis on Security by Design
The ISO/SAE standard proposes to establish a common ground for security among automotive OEMs and suppliers. This standard also mandates the adoption of an effective cybersecurity framework across all stages of a vehicle’s lifecycle—from design, development, and production to decommissioning. It clearly defines the processes for threat analysis, assessment, and management of cyber risks at every stage. OEMs and other supply chain participants have to comply with this standard to ensure that all vehicles, hardware and software components, networks, communication channels, and connectivity platforms are secured. This standard will establish cybersecurity as an integral part of the entire connected vehicle ecosystem, thus limiting vulnerable points in the supply chain.
WP.29: Securing End-to-End Vehicle Lifecycle
Unlike ISO/SAE, the WP.29 regulation places the onus of managing cyber risks along the entire supply chain on OEMs. It emphasizes the need for OEMs to adopt a holistic security approach focused on four distinct principles:
- Implement security by design during vehicle development
- Provide intrusion detection and protection for the entire vehicle fleet
- Manage vehicle cyber risks throughout the lifecycle
- Establish secure communication channels for over-the-air updates.
These principles can be achieved through two key requirements of the regulation—Cybersecurity Management Systems (CSMS) approval and Vehicle Type approval.
CSMS Approval: This requirement mandates that OEMs build a CSMS, a threat assessment and mitigation framework, within their organizations. OEMs will be tasked with proving that their CSMS appropriately handles threat identification, categorization, and remediation during vehicle development as well as throughout the ownership cycle.
More than 30 threats, including message spoofing, data breach, unauthorized manipulation of vehicle code/data, denial of service attacks, unprivileged user access, and transmission of malicious content, are compiled in the regulation document. To acquire the compliance certificate, OEMs have to ensure that their CSMS covers this full list of threats and provides the relevant mitigation for each threat mentioned in the regulation.
Vehicle Type Approval: The second part of the regulation details the various steps with which an OEM has to comply to receive new vehicle type approvals. Regulatory authorities will test if vehicle architecture and risk assessment procedures are being implemented and executed in accordance with those mandated in the regulation. This regulation also requires OEMs to verify the security of supplier components used in their vehicles. Automakers can take cues from ISO/SAE 21434 guidelines related to building structured cybersecurity processes during vehicle development.
Although both the ISO/SAE standard and the WP.29 dictate efficient procedures for cybersecurity management, they intentionally do not provide technical-level specifications, allowing OEMs to creatively decide on cybersecurity technology KPIs that meet the requirements. This is an intelligent approach as rigid technical measures could prove counterproductive in the dynamically changing world of cybersecurity.
Are Automakers Equipped to Handle the Change?
WP.29 is expected to impact new vehicle type approvals in over 60 countries once it comes into effect. The regulation applies to the contracting parties of UNECE's 1958 Agreement, which include specific countries in Europe, Africa, and Asia-Pacific. The US and Canada, which were not signatories to the 1958 Agreement, are therefore exempt from this regulation. However, a decision on the potential inclusion of the US and Canada in the list of countries governed by the regulation is expected soon. Vehicles need to comply with WP.29 requirements to be sold in the contracting-party countries. Hence, OEMs need to start identifying gaps and drawing up new process roadmaps to comply with WP.29.
While there are many cybersecurity companies in the market today to help OEMs secure their vehicles at the design/development phase, the need to build a robust CSMS and monitor security risks across the entire vehicle lifecycle has become critical. The limited in-house technical expertise of OEMs and the huge upfront costs of executing new processes will make in-house implementation challenging. Stringent timelines to comply with WP.29, mostly by mid-2022 for new approvals, will make it even more challenging for OEMs.
Ensuring security requirements are met throughout the value chain is complicated and requires continuous collaborative efforts with suppliers. Frost & Sullivan believes that OEMs will seek to achieve compliance with the upcoming WP.29 regulation by initiating partnerships with third-party companies (tech vendors, security partners, consulting firms, and cross-industry experts, among others) for cybersecurity consulting services, setting up a CSMS, managing supply chain risks, and performing audit and certification checks. Stringent deadlines, the need to perform extensive checks on large vehicle volumes, and limited auditing budgets will make OEMs dependent on third-party solutions. Some OEMs that are building internal IT and security expertise or hiring CDOs/CIOs will prefer to manage their security architecture internally. However, until these standards mature, OEMs will continue to depend on third-party consulting firms for auditing services.
What to Expect in the Future
We believe that the regulations will give rise to new opportunities in the industry:
- New startups will enter the ecosystem with advanced intrusion detection techniques and cybersecurity managed services, thereby challenging current competitive dynamics
- Existing automotive security companies that specialize in on-board security protection will upskill their solutions to include vehicle CSMS to stay relevant in the market
- IT services companies will expand their portfolio into the automotive cybersecurity market to offer back-end cybersecurity services and IT talent to manage OEM-built CSMS
- Automotive suppliers will begin offering security-by-design vehicle components, CSMS, and specialized consulting services to help OEMs comply with the regulations.
To conclude, it is going to be an interesting and slightly bumpy road ahead for OEMs as they embark on identifying security gaps, deciding with whom to partner, selecting what tools/technology to adopt, and determining how to set up new regulation-compliant processes. Achieving cybersecurity management across the vehicle lifecycle and automotive value chain is the end goal for OEMs. Although complex, successful collaborations with ecosystem partners will enable this goal to become a reality.
The automotive industry is set to embrace SECURITY as a vital pillar in its digital transformation journey, encouraging its transition from being an important element in vehicle architecture to occupying a more central role in the connected vehicle ecosystem and among automotive OEMs.