The cybersecurity challenges for the auto industry

Automobiles are becoming increasingly digital affairs, with developments across shared mobility, electrification, autonomous systems and connectivity all moving the sector further and further into the digital realm.  This transformation has made the modern vehicle an information clearinghouse that both generates and processes huge quantities of data in real-time.  It’s also made them attractive targets for cyberattacks.

Earlier this year, I highlighted some of the security challenges vehicles and their manufacturers face from cyberattack as they become more digitally advanced and connected.  Despite this thread, there are few specific standards or guidelines for manufacturers to ensure vehicles are secure, but this is set to change with the introduction of the World Forum for Harmonization of Vehicle Regulations (WP.29) on cybersecurity that are designed to ensure cybersecurity is the number one priority for manufacturers, and indeed a condition for market entry.

A regulatory framework

These regulations provide a framework and a set of minimum requirements for all stakeholders in the automotive value chain, but they don’t provide any detailed guidance regarding implementation or practical operational steps companies can take.  Slightly more robust guidance might emerge from the International Standardization Organization (ISO)/Society of Automotive Engineers (SAE) 21434 standard, which hopes to lay out clear technical and procedural requirements for each stage of the vehicle's lifecycle.

These standards should provide sufficient common ground to allow the industry to produce consistent cybersecurity practices to the development of the next generation of connected vehicles.  This common approach will also make it easier for regulators to monitor and assess progress to ensure that the industry remains safe from attack.

To provide this level of reliability will require a new set of skills, and indeed new ways of working, across the sector.  This is a highly competitive marketplace at the moment, with new data from Novartis showing that a growing number of tech workers are considering working in sectors such as pharma and healthcare due to the high profile these sectors have enjoyed during the coronavirus pandemic.  This interest is largely at the expense of sectors such as manufacturing and financial services, so attracting the talent required to provide this digital infrastructure may be challenging.

New talent

The need for digital skills will not be confined to the IT or even manufacturing departments, with cybersecurity skills needed across the board, including in dealerships, procurement and customer communications.  One possible avenue to attract these skills is to improve the gender diversity of the workforce.

It’s an issue I’ve touched upon in past articles, as the cybersecurity field is notoriously male dominated, and this is reflected in the automotive sector more generally, with recent data showing just 17% of workers in the sector are female.

It’s also important that manufacturers and other members of the value chain ensure that their cybersecurity processes are robust and their compliance procedures in place.  It’s likely that the ability to modify systems is highly dependent upon the structure and maturity of the business, as new roles, responsibilities and processes will be required to adequately assess and manage any cybersecurity risks posed to vehicles.

Also of critical importance will be the speed of response by manufacturers, both in terms of their internal response to any cyberattacks, but also the public sharing of such attacks so that other stakeholders can be aware of potential vulnerabilities.  Data from PwC suggests companies are getting better at reporting cyberbreaches, but there is clearly a lot more that can be done to ensure security is maintained at all times.

Rapid recovery

Given the critical nature of the challenge, it’s also vital that firms are able to regain control of systems in the event of attacks as quickly as possible.  Data suggests that there is still a considerable lag between initial attacks and full control being regained, and companies can be especially vulnerable to follow-up attacks in the immediate wake of an initial breach.  The ability for vendors to provide rapid and robust patches to secure vehicle systems will be vital to their safe operation.

What’s more, this support needs to be provided for the duration of the vehicle’s life, as it’s not acceptable to have scenarios analogous to those seen in the software world where applications and operating systems are mothballed and not provided with ongoing security support.  A better comparison would be to aircrafts and ships, both of which tend to receive updates and patches over a much longer timeframe than consumer products.

It’s estimated that the cybersecurity market in the sector will be worth nearly $10 billion by 2030, which underlines the growing importance of ensuring the next generation of vehicles are safe.  Doing so will require not only an investment in skills and processes, but a new wave of standards, regulations and guidelines to help the industry chart a common course.

Given the scale of the challenges ahead, it’s likely that the industry will see considerable disruption in the coming years, as OEMs bolster their own cybersecurity capabilities, and new entrants enter the value chain with dedicated cybersecurity offerings.  Cybersecurity is a constant race between attackers and defenders, and for the automotive industry, the starting pistol has long since fired.