Navigating the evolution of cyber security in the automotive sector

3 December 2024

The automotive industry has seen fewer cybersecurity attacks compared to other sectors, with no major incidents undermining consumer confidence in manufacturers. However, as digital integration continues, regulations increase, and consumer demands evolve, the industry will need to adapt.

The difficulties of legacy infrastructure

Many automotive businesses rely on legacy technology throughout the manufacturing process. Historically, this has meant a reduced cyber risk; less connectivity means fewer entry points for bad actors. However, operational technology with remote access is being employed more and more within the industry, whether as replacements for legacy solutions or as a supplement to help operate and maintain them efficiently.

With more access points and more connectivity being introduced, automotive businesses will need to step up their cyber security to ensure cyber threats – whether malicious or incidental – can’t have a devastating impact on production. Disruptions could in turn impact consumer sentiment and therefore demand.

Cyber Security Regulation in the automotive sector is relatively new when compared to many other sectors, with many standards being published in 2021. It is essential for manufacturers to extend new and existing cybersecurity measures into vehicles, electronic charging infrastructure and production environments. This includes thorough incident response planning and physical entry protections, as well as remote interference via digital channels.

Balancing rising consumer awareness and expectations

Consumers are becoming increasingly aware of the safety risks associated with technological advancements in vehicles, but they often remain uninformed about the cyber security implications. While they demand innovative features like keyless entry, they may not fully comprehend the risks involved. Furthermore, the connectivity of new technology features creates a potential for huge cyber security risks which can even impact consumer safety. Despite the reliance on software for a vehicle to run, requirements for maintaining and updating that software are not being adequately considered.

As demonstrated recently by researchers targeting one of the biggest global OEMs, existing access points could indeed give bad actors access to not only the vehicles themselves but also their operation. Consumer data was compromised, in addition to attackers taking remote control of a number of features for a specific vehicle, all from just the licence plate number. In this example, both customer data and customer safety were found to be at risk.

What can automotive businesses to do address cybersecurity?

From safety risks to data privacy concerns, and compliance risks to production disruptions, the cyber security risk to the automotive sector is vast. However, very few manufacturers introduce measures to help mitigate this risk.

Some recommended measures include:

Regular cyber security assessments by a third-party advisor
Risk analysis and treatment plans
Cyber security awareness programmes for the workforce
Third-party risk management
Incident response planning
Access controls and network segmentation
Change management strategies for new technology and processes
Physical security measures

Looking ahead: Cyber security in the automotive sector

Cyber security is an increasingly regulated topic, and manufacturers must now navigate a complex regulatory landscape, including standards like ISO 27001, TISAX, and ISO 21434, and, in Germany, regulations on critical infrastructure. As the industry leaps forward technologically towards autonomous vehicles, the security risks will only multiply. It should be considered for example, who is responsible for adopting traditional cyber security measures like penetration testing on technological advances to ensure safety for the lifetime of the vehicle?

It’s up to market leaders to raise the bar to protect themselves and their drivers. It’s critical that cyber security not remain an afterthought for manufacturers, but that they instead embrace it as a reputational advantage and a trust signal with consumers.