Was 2021 the year automotive got serious about cybersecurity?
2021 was something of a breakout year for cybersecurity in the automotive industry.
For instance, we saw the creation of both TR-68:3 ‘Autonomous vehicles: Cybersecurity principles and assessment framework’ and ISO/SAE 21434 ‘Road vehicles: Cybersecurity engineering,’ as well as the Automotive SPICE for Cybersecurity standard. These new guidelines focus on securing the open-source software that has become so crucial to the sector in recent years.
The regulatory and standards environment isn't stopping there, however, with work underway on ISO 5112 ‘Road vehicles: Guidelines for auditing cybersecurity engineering,’ ISO/SAE 8477 ‘Road vehicles: Cybersecurity verification and validation,’ and ISO/SAE 8475 ‘Road vehicles: Cybersecurity Assurance Levels (CAL) and Target Attack Feasibility (TAF).’ Each of these standards aims to help the industry ensure that both current and future vehicles are secure.
Focus on security
This renewed focus on cybersecurity in the sector is reflected in the hiring behavior of the big automotive manufacturers. Indeed, data from GlobalData's job analytics database shows that the number of companies in the sector hiring for cybersecurity roles rose considerably towards the back end of 2021, with nearly 60% of firms advertising for at least one cybersecurity position. Around 4% of all new job advertisements in the sector were related to cybersecurity.
It is now increasingly appreciated that cybersecurity will be a key disruptive force for automotive companies in the years ahead, with those able to thrive gaining a key competitive advantage over those lagging behind. Data suggests that demand for cybersecurity talent is stronger in the automotive sector than in pretty much any other industry.
This emphasis on cybersecurity has arisen in large part due to the profound digital transformation of the sector, with technologies such as autonomous driving, connected cars, electric vehicles, and shared mobility dominating the agenda in recent years.
These technologies rely heavily on the digitization of the vehicle, with both front-end and back-end technologies turning modern vehicles into enormous information clearinghouses. Some of the challenges involved in this new domain were illustrated in an article I published in 2020, but the challenges have certainly not gone away in the meantime.
New rules of the game
With software updates becoming a standard feature of the sector, the standards and regulations outlined above, together with others, such as UN R155 and UN R156, are set to frame the development of the sector during 2022. UN R155 focuses specifically on cybersecurity and aims to create a framework for reducing cyber risks throughout the entire lifecycle of the product. This includes the development of a cybersecurity management system, which should provide "a systematic risk-based approach defining organizational processes, responsibilities, and governance to treat risk associated with cyber threats to vehicles and protect them from cyber-attacks."
UN R156 focuses instead on the mechanisms by which software updates are provided to the vehicles, including the establishment of the software update management system. Both regulations place renewed expectations upon OEMs to improve the security of both the vehicles themselves and the means by which security and other updates are transmitted to them. As such, cybersecurity is now as important for the sector as it is for developers of operating systems for our digital devices.
Doing this will require close cooperation between the OEMs and their suppliers to ensure that there aren’t any weak points for attackers to exploit. What’s more, the ongoing nature of the cybersecurity challenge means that OEMs will now be obligated to provide constant monitoring of vehicles to enable them both to identify any cybersecurity issues and to detect software-related risks as quickly as possible so that those risks can be addressed.
New ways of working
It's clear that cybersecurity is rapidly becoming a nonnegotiable for the industry. While it's pleasing to see companies investing heavily to bring in the talent required to provide the level of security regulators are demanding, it will also require new processes and working practices to be implemented across the value chain.
This includes successfully identifying cyber risks, better designing secure software and hardware architectures, and ensuring that any issues that are identified can be plugged, even if they're identified years after the product was shipped.
A recent report from McKinsey suggested that investment in cybersecurity in the sector will reach nearly $10 billion by 2030, with software representing around half of that.
"The strong growth of the market will create many new business opportunities for suppliers, established IT firms, specialist niche firms, start-ups, and many others, especially in the software development and services market," they say. "At the same time, the dynamics of the growing market will also challenge today’s leaders in the market."
There have clearly been substantial steps made already, but it’s equally clear that even more will be needed if the increasingly extensive attack surface represented by the modern automobile is to be successfully covered.