Vehicle Cybersecurity: A Long-term Focus

Joachim Fox

The modern car delivers a large part of its value through software and cloud-enabled services. New business models are on the rise with subscription-based features and the ability to interact with the car remotely. With digitally driven revenue generation now extending beyond the start of production, so does the requirement to maintain a high level of cybersecurity over the lifetime of the vehicle, including threat monitoring and potentially security patches. What does it take for the industry to cope with such challenges in products with a lifespan as long-lasting as a vehicle?


Today, we as consumers live in a world where we are used to having immediate access to the latest wonders of – mostly digital – technology. Content, like music, videos, or news articles is delivered to us – often free of charge – provided we possess some basic devices able to download, play, or read it. The features of our phones are constantly updated and extended, mostly through the development of apps which in turn require constant development and updates to their features, keeping them desirable and hopefully, protected. If your existing device cannot keep up with this constant churn of development, it’s unlikely to fulfil your needs anymore, and you will order a new one which can be delivered overnight. Software-dominated products particularly can feel rapidly outdated if they don’t support these fast update cycles.

The auto industry has witnessed this trend and is responding to it by connecting vehicles to the cloud. This connectivity brings phone-like features to vehicle occupants, delivering digital content like music streaming or navigation with always up-to-date maps. It can allow upgrades to your car – features that can be unlocked digitally for a one-time fee or a subscription service. It is also possible to provide over-the-air updates to deliver new features not available at the start of vehicle production or as a means to install bug fixes and patches to the software in-vehicle.

However, with all this increased connectivity may come an obligation. As we know from the IT world, every electronic interface significantly increases the potential for cyber attacks. And one does not have to think of extreme cases where hackers could remotely control vehicles or shut down whole vehicle fleets with a ransomware attack. These scenarios are not unthinkable as we look to the future, but many if not most attacks happening today are driven by smaller-scale commercial interests – like tuner shops that promise to improve your engine’s performance, hacks that allow you to unlock features you would otherwise have to pay for, or ways to open your car electronically. Attacks can potentially infringe on the privacy of a driver’s or occupant’s data or, through reverse engineering, reveal intellectual property that manufacturers or suppliers would have preferred to keep private.

Consumers have the rightful expectation that a highly priced, technology-rich product such as a vehicle is well protected against online manipulation or local cyber attacks. This expectation has driven regulators to mandate the protection of vehicles from cyber threats: the UNECE R155 Regulation was released in 2021 and will come fully into force by July 2024. It states: “The [post-production] phase ends when there are no longer any operational vehicles of a specific vehicle type.”, and it requires a Cybersecurity Management System (CSMS) to be applied to all lifecycle phases (including post-production). This CSMS shall be able “to assess whether the cyber security measures are still effective in the light of new cyber threats”.


Consumers are used to receiving regular security patches on their computers and mobile phones, and they expect manufacturers to deliver them. They are also used to products only being supported for a limited amount of time – companies can announce the end of support for some products, and consumers can either upgrade to new software or replace the hardware. This is widely accepted for products which have a lifespan of only a couple of years, but it would be a tough sell for vehicle manufacturers, because the expected lifetime of a vehicle can be well over a decade and a vehicle is a substantial investment for an end customer who might not plan to replace it frequently. The option to declare an end to support is mentioned both in the R155’s Addendum 154 and in the ISO/SAE 21434 International Standard on “Road Vehicles – Cybersecurity Engineering”, but until now there was no consensus in the industry on how to handle this.

Cybersecurity risks in vehicles can appear at any point in the supply chain. Vehicle manufacturers and their suppliers usually have a shared responsibility to manage these risks. Requests from vehicle manufacturers for continued product cybersecurity support for periods extending well beyond the end of production can be observed. This includes a duty to monitor and analyze products for potential vulnerabilities and the ability to provide tested and proven updates.

The business model for this is not easy to calculate. It requires installing a monitoring system for potential attacks which are relevant to automotive products (some of this is well supported by the Automotive Information Sharing and Analysis Center, AUTO-ISAC); the ability to quickly identify which products could be affected by a potential attack (this can be facilitated by standardized Software Bills of Materials automatically evaluated against vulnerability databases of publicly available software libraries); the technical infrastructure to create and release updates for old products; personnel skilled in working with products no longer under development; and much more.
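As an added illustration of the SBOM evaluation step described above (example code written for this page, not ZF’s or AUTO-ISAC’s tooling): each shipped product carries a per-product bill of materials, a vulnerability feed lists affected version ranges per library, and the matcher reports which products, including ones long out of production, contain an affected component. All product names, library names, versions and advisory IDs are constructed placeholders.

```python
# Added example: match per-product SBOMs against a vulnerability feed to find
# which shipped products are affected. Every name, version and advisory ID
# below is constructed for illustration; none refers to a real library or CVE.
from dataclasses import dataclass
from typing import Optional

def parse_version(v: str) -> tuple:
    """Turn a dotted version such as '1.10.2' into a tuple of ints so that
    comparison is numeric (1.10 > 1.9), not lexicographic."""
    return tuple(int(p) for p in v.split("."))

@dataclass(frozen=True)
class Advisory:
    advisory_id: str          # placeholder identifier (constructed)
    component: str            # library name exactly as it appears in the SBOM
    introduced: str           # first affected version (inclusive)
    fixed: Optional[str]      # first fixed version (exclusive); None = no fix yet

def is_affected(version: str, adv: Advisory) -> bool:
    """True when version lies in [introduced, fixed) or no fix exists yet."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed is None or v < parse_version(adv.fixed)

def affected_products(sboms: dict, feed: list) -> dict:
    """Return {product: [(component, version, advisory_id), ...]} for each match;
    products with no affected component are absent from the result."""
    hits = {}
    for product, components in sboms.items():
        for comp in components:
            for adv in feed:
                if comp["name"] == adv.component and is_affected(comp["version"], adv):
                    hits.setdefault(product, []).append(
                        (comp["name"], comp["version"], adv.advisory_id))
    return hits

# Constructed SBOMs for three ECU products, one of them already out of production.
SBOMS = {
    "ECU-A (in production)": [{"name": "tls-lib", "version": "2.1.0"},
                              {"name": "json-parser", "version": "1.8.3"}],
    "ECU-B (end of production 2019)": [{"name": "tls-lib", "version": "1.4.2"},
                                       {"name": "can-stack", "version": "3.0.1"}],
    "ECU-C": [{"name": "json-parser", "version": "1.9.0"}],
}
# Constructed vulnerability feed; advisory IDs are placeholders, not real CVEs.
FEED = [
    Advisory("ADV-0001", "tls-lib", introduced="1.0.0", fixed="2.0.0"),
    Advisory("ADV-0002", "json-parser", introduced="1.8.0", fixed="1.9.0"),
    Advisory("ADV-0003", "can-stack", introduced="3.0.0", fixed=None),
]

if __name__ == "__main__":
    for product, findings in affected_products(SBOMS, FEED).items():
        print(product, findings)
```

Running it lists ECU-A (old json-parser) and the out-of-production ECU-B (old tls-lib and an unfixed can-stack issue) as affected, while ECU-C, which already carries the fixed json-parser, is not reported.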

Suppliers of pure software solutions have long-established business models around the support of their products. Renewable maintenance contracts are widely accepted, and the new de-facto standard for many businesses seems to be subscription models and software-as-a-service solutions. Consumer attitudes to these models have evolved from resistance (why should I pay a monthly fee for my chosen music if I can own a physical CD?) to embrace (the world’s music, always available on my phone for a low subscription fee). The suppliers have the advantage of a recurring revenue stream after the initial sale of their product (which might not even require an initial charge – the case for as-a-service models). And in a world where the cybersecurity threat landscape is ever evolving and security support for products is a regulated must, this revenue stream is crucial for the business to endure while providing high-quality, highly responsive cybersecurity monitoring and updates of products.

In some OEM/Tier 1 relationships, we have already observed requests for renewable maintenance contracts for classic automotive components.

To date, there is no accepted industry standard business model for this, though there is an obvious need. Both manufacturers and suppliers should view this as a chance to transform their business models to include services and returns well beyond the vehicle sale while providing a lifelong focus on good cybersecurity to all customers.

Let’s work in our industry to make security a sustainable business, protecting our customers and the industry alike!

Dr.-Ing. Joachim Fox, Director Safety & Security Excellence, ZF AG
