Driving change: the cyber security transition in the automotive industry

The automotive industry has so far experienced comparatively little cyber attack activity; unlike in other sectors, there has yet to be a high-profile cyber incident to shake consumer confidence in manufacturers. But as digital integration persists, regulations abound, and consumer appetites and requirements change, the industry will have to evolve.

Cyber security is an automotive problem.

Carm Del Guercio Associate Director – Cyber Attack and Defence

The challenges of an ageing infrastructure

Many automotive businesses rely on legacy technology throughout the manufacturing process. Historically, this has meant a reduced cyber risk; less connectivity means fewer entry points for bad actors. However, operational technology with remote access is being employed more and more within the industry, whether as replacements for legacy solutions or as a supplement to help operate and maintain them efficiently.

With more access points and more connectivity being introduced, automotive businesses will need to step up their cyber security to ensure cyber threats – whether malicious or incidental – can’t have a devastating impact on production. Disruptions could in turn impact consumer sentiment and therefore demand; What Car? reported that 83% of consumers said unacceptable waiting times would impact their willingness to purchase a new vehicle from a manufacturer.

Cyber security regulation in the automotive sector is relatively new when compared to many other sectors, with many standards being published in 2021. It is essential for manufacturers to extend new and existing cyber security measures into vehicles, electronic charging infrastructure and production environments. This includes thorough incident response planning and protections against physical entry, as well as against remote interference via digital channels.

Consumer awareness and expectations

Consumers are becoming increasingly aware of the safety risks associated with technological advancements in vehicles, but they often remain uninformed about the cyber security implications. While they demand innovative features like keyless entry, they may not fully comprehend the risks involved. Furthermore, the connectivity of new technology features creates a potential for huge cyber security risks which can even impact consumer safety. Despite the reliance on software for a vehicle to run, requirements for maintaining and updating that software are not being adequately considered.

As demonstrated recently by researchers targeting one of the biggest global OEMs, existing access points could indeed give bad actors access to not only the vehicles themselves but also their operation. Consumer data was compromised, in addition to attackers taking remote control of a number of features for a specific vehicle, all from just the licence plate number. In this particular example, both customer data and customer safety were found to be at risk.

Measures to address automotive cyber security

From safety risks to data privacy concerns, and compliance risks to production disruptions, the cyber security risk to the automotive sector is vast. However, very few manufacturers introduce measures to help mitigate this risk.

Some recommended measures include:

  • Regular cyber security assessments by a third-party advisor
  • Risk analysis and treatment plans
  • Cyber security awareness programmes for the workforce
  • Third-party risk management
  • Incident response planning
  • Access controls and network segmentation
  • Change management strategies for new technology and processes
  • Physical security measures

By taking these measures, automotive manufacturers can significantly reduce the risks associated with operational technology and protect both their consumers and their own manufacturing processes.

Roman Krepki Senior Manager

The future of cyber security in the automotive sector

Cyber security is an increasingly regulated topic, and manufacturers must now navigate a complex regulatory landscape, including standards like ISO 27001, TISAX, and ISO 21434, and, in Germany, regulations on critical infrastructure. As the industry leaps forward technologically towards autonomous vehicles, the security risks will only multiply. One question to consider, for example: who is responsible for applying traditional cyber security measures such as penetration testing to technological advances, to ensure safety for the lifetime of the vehicle?

It’s up to market leaders to raise the bar to protect themselves and their drivers. It’s critical that cyber security not remain an afterthought for manufacturers, but that they instead embrace it as a reputational advantage and a trust signal with consumers.
