Car cybersecurity: What measures should manufacturers put in place?

Current regulations require manufacturers to have a cybersecurity management system in place for cars and trucks to prevent security incidents and limit their impact should they occur.

Humanity is on the path to fulfilling a dream shared by many people around the world: to stop driving. Or, rather, to have autonomous cars drive for us. This scenario is no longer a pipe dream. For instance, Nvidia, the major chip manufacturer, has recently signed agreements with automakers such as Hyundai and Nissan to design this type of vehicle.

The arrival of autonomous vehicles has brought the cybersecurity of cars and trucks into the public spotlight.

The truth is that our current cars—the ones we still drive ourselves—are already fully digitized, so it is essential that manufacturers incorporate cybersecurity into their design and throughout their entire lifecycle.

In fact, manufacturers must already comply with vehicle cybersecurity regulations to obtain certification and market their vehicles.

In this regard, UNECE Regulation No. 155—which applies within the European Union—is particularly noteworthy. This regulation sets forth the requirements for cybersecurity management systems for vehicles, including vulnerability detection and the implementation of mitigation measures.

Next, we will review the cybersecurity measures for vehicles that manufacturers must implement to ensure an adequate level of protection against attacks.

Manufacturers must have a cybersecurity management system for cars and trucks

Regulation No. 155 stipulates that manufacturers of cars, trucks, vans, and quadricycles must implement a cybersecurity management system that:

  1. Applies during the vehicle development phase, production, and post-production.
  2. Ensures an adequate level of cybersecurity for cars and other vehicles.
  3. Ensures the mitigation of cyber threats and vulnerabilities detected in vehicles within a reasonable timeframe.
  4. Enables continuous detection of vulnerabilities and cyberattacks, allowing a proactive response to security incidents.
  5. Enables the detection of risks linked to the supply chain by managing “any dependencies that may exist with contracted suppliers, service providers, or the manufacturer’s sub-organizations.”

Having a cybersecurity management system for vehicles with these characteristics will be mandatory starting July 1, 2024, for the type approval of new vehicles. Meanwhile, for the type approval of vehicle models manufactured prior to that date, it must be demonstrated that cybersecurity was taken into account from the development phase.

Assessment of Vehicle Cybersecurity Risks

Beyond designing and implementing a cybersecurity management system, manufacturers must conduct a comprehensive risk assessment for each vehicle type, accounting for its critical components.

To carry out this cybersecurity risk assessment for cars, the following must be taken into account:

  • The specific characteristics of each vehicle type and the interactions between its components.
  • Interactions with any external systems.
  • The threats to automotive cybersecurity.

Supply Chain Risk Management

Similarly, risks associated with software or hardware suppliers must be considered when assessing cybersecurity risks in vehicles.

As noted earlier, one objective of this regulation is to prevent supply chain attacks that could cause serious damage to vehicles and harm the people driving or riding in them.

This issue is critical because vehicle manufacturers must integrate software from multiple suppliers and continuously assess whether it contains vulnerabilities that could be exploited by malicious actors.

As experts point out, a single vulnerable software component can affect the rest of the supply chain, making it easier for a vehicle’s software to be successfully attacked.

Implementation of measures to mitigate risks identified in vehicles

Risks identified through assessments must be addressed. Accordingly, the regulations require manufacturers to adopt appropriate mitigation measures to address cybersecurity risks in vehicles.

The regulation itself includes various appropriate measures to mitigate risks. For example, if communication channels allow for the manipulation of vehicle data or code, access control techniques must be applied to protect the data and system code.

However, the regulation also stipulates that manufacturers must not limit themselves to the mitigation measures it contains: if these are insufficient to address the detected risks, manufacturers must apply other measures that are adequate.

In addition, manufacturers must adopt appropriate measures to ensure secure, dedicated environments within vehicles for storing and executing:

  • Software.
  • Services.
  • Applications.
  • After-sales data.

Likewise, it is required that, prior to proceeding with the type approval of a vehicle, tests and trials be conducted to verify that the vehicle’s cybersecurity measures are effective against the identified risks.

Implementation of measures to detect and prevent cyberattacks against vehicles

Vehicle manufacturers are required to adopt measures that enable them to:

  • Detect and prevent cyberattacks against the types of vehicles they manufacture.
  • Increase their ability to detect threats, vulnerabilities, and attempted attacks against vehicles.
  • Have sufficient forensic capabilities to collect data that enables the analysis of attempted attacks and security incidents.

Therefore, the regulation positions incident response as a key element of companies’ motor vehicle cybersecurity strategies.

Notification of Threats, Vulnerabilities, and Incidents

Manufacturers must also notify the vehicle type-approval authority, at least once a year, of:

  • The results of their monitoring, detection, and response activities regarding cyber threats, vulnerabilities, and cyberattacks.
  • Confirmation that cybersecurity measures remain effective in light of emerging threats. Additionally, if new measures have been adopted, the manufacturer must specify which ones have been implemented.

The type-approval authority may require manufacturers to remedy any deficiencies found, and if the notification provided and the responses to requests are unsatisfactory, it may revoke the type-approval certificate for the affected vehicle.

That is why it is critical for car manufacturers not only to have a cybersecurity management system for their vehicles but also to have procedures in place to document all assessments conducted and measures implemented.

Major Threats to Car Cybersecurity

What if a malicious actor could access a car’s GPS data or identify it through a vulnerability related to its Bluetooth connection? Could they track the driver and monitor all their movements?

Car cybersecurity is by no means a minor issue. In fact, it involves risks related not only to privacy but also to people’s personal safety, should location data be used to take action against them, or if financial information stored in the vehicle’s system is accessed, given that many services offered to drivers operate on a subscription basis.

Regulations on automotive cybersecurity list seven major types of cyber threats:

  1. Threats related to the manufacturer’s online services, such as vehicle maintenance history management. For example, unauthorized access to the backend server via a backdoor or an SQL injection attack.
  2. Threats related to vehicle communication channels. For example, tampering with the messages or data received by the vehicle, or flooding the system with a massive amount of useless data to prevent it from functioning normally.
  3. Threats linked to software update procedures for cars or trucks. For example, blocking legitimate vehicle software updates or compromising the manufacturer’s update processes.
  4. Unintentional actions by individuals that facilitate cyberattacks. For example, a car owner or maintenance technician downloads malware after being tricked.
  5. Threats related to vehicles’ external connections. For example, interference with sensors or wireless systems.
  6. Threats to the vehicle’s data or code. For example, accessing the vehicle owner’s personal information, including payment accounts or information about their location or contacts.
  7. Vulnerabilities that could be exploited because they are not patched or because protective mechanisms are insufficient. For example, insufficient use of cryptographic algorithms to safeguard sensitive vehicle systems.

Possible Consequences of Cyberattacks on Motor Vehicles

The cybersecurity threat landscape for cars that we outlined clearly suggests that the consequences of an attack on a vehicle can be severe. The regulations themselves identify six major consequences that must be taken into account when analyzing threats and conducting vehicle security assessments:

  1. The vehicle fails to operate safely.
  2. Interruption of any of the vehicle’s functions.
  3. Modification of the car’s software, whether it alters the vehicle’s performance or has no effect on its operation.
  4. Breach of the integrity or confidentiality of the vehicle’s data or that of its owner.
  5. Data becomes unavailable.
  6. Other consequences, notably crime. For example, theft of a vehicle or of items stored inside it.

Euro 7: Secure Transmission of Emissions and Battery Durability Data

In addition to Regulation No. 155, manufacturers must also comply with other regulations, in particular the Euro 7 regulation on vehicle emissions.

This European regulation requires manufacturers to ensure “the secure transmission of data regarding emissions and battery durability.” To do so, they must implement all the cybersecurity measures we have outlined, as Euro 7 directly references Regulation No. 155.

Therefore, manufacturers must ensure that it is not possible to maliciously alter data on emissions and battery durability.

This regulation will be mandatory as of November 29, 2026, for new passenger cars and commercial vehicles (trucks, vans, etc.).

Which cybersecurity services are key to strengthening vehicle protection?

Based on what we have discussed regarding the cybersecurity of cars and other motor vehicles, it is clear that manufacturers need cybersecurity services that enable them to establish a cybersecurity management system capable of detecting risks, implementing mitigation measures, verifying their effectiveness, and detecting and responding to security incidents:

  • Continuous security audits for every type of vehicle. From the design phase and throughout their entire lifecycle, vehicles must be audited to detect vulnerabilities that could be exploited by malicious actors. It is also important to conduct Bluetooth security assessments, as cars use this standard to connect, for example, to our mobile phones.
  • Vulnerability management. Vehicle manufacturers must implement effective vulnerability management, prioritizing the mitigation of the most serious risks and preventing security incidents.
  • Penetration testing services. Through advanced penetration testing, it is possible to verify whether a vehicle is vulnerable, identify exploitable weaknesses, and determine appropriate remediation measures to address them. Additionally, these tests allow for the evaluation of the effectiveness of measures already implemented.
  • Incident response. As we have noted, regulations require manufacturers to have mechanisms in place to detect and respond to incidents. Proactive incident response services continuously implement preparedness measures that enable them to act immediately, identify the scope of the breach, expel malicious actors, and limit their ability to cause serious damage to vehicles and their operations.

In short, car cybersecurity is becoming increasingly important and is a central consideration in vehicle design and maintenance throughout the vehicle’s lifecycle.

The technological advancements already incorporated into automobiles require manufacturers to adopt robust security measures to ensure the proper functioning of vehicle software and prevent incidents that could compromise people’s safety.