As vehicle safety regulations loom, carmakers fret over cyber risks

Global, UN-backed car safety and security regulations come into force next year, and automotive bosses say they are not only unprepared, but “swamped” by a tide of compliance and security risks

Alex Scroxton,
Security Editor

Published: 14 Sep 2023 9:00

Automotive industry leaders are struggling with competing cyber risk and security priorities, and as such, many are increasingly concerned that their organisations will be unprepared for new, United Nations (UN)-backed vehicle safety regulations that come into force next year, leaving drivers exposed to unacceptable security risks.

The United Nations Economic Commission for Europe World Forum for Harmonisation of Vehicle Regulations (UNECE WP.29) framework covers a wide range of standards relating to vehicles, including pollution and energy, noise and tyres, lighting and signalling, general and passive safety provisions, and automated or autonomous and connected vehicles.

With respect to cyber security, when it comes into force in July 2024, regulations UN155/156 as set out by UNECE WP.29 will mandate that all automotive original equipment manufacturers (OEMs) and their supply chains must make multi-layered cyber security provisions to guard against current and future cyber attacks at the risk of having to stop manufacturing vehicles that are not compliant.

Critically, the regulations require that any vehicles already under development for production from mid-2022 onwards will need to comply.

OEMs will also have to ensure all of their suppliers are compliant with the regulations, meaning that every component part of a vehicle that contains software will have to come with evidence it complies with security-by-design principles, and failure to do so will make it impossible for the OEM to accept or integrate the code into their vehicles.

However, revealed Kaspersky principal security researcher David Emm, with the deadline just 10 months away, the automotive C-suite finds itself well behind the curve, with 42% of respondents to a Kaspersky-sponsored study saying they did not have any plan in place, and 63.5% saying they were “not very involved” in planning for UNECE WP.29 compliance despite 64% agreeing that cyber threats were a “strategic board issue”.

Even more respondents – 68.5% – agreed that the sector needed more understanding of the implications of the standards and what they will mean for car companies.

Emm also pointed to a lack of clarity over responsibility lines, roles and ownership within carmakers and their suppliers, hindering progress towards compliance.

“The security of any supply chain is defined by its weakest part, and the automotive industry is no exception,” said Emm. “Delivering secure vehicles in the connected era will require a more tightly integrated set of working relationships across the supply chain, but our research highlights the challenges faced by these businesses.

“First, in interpreting and actioning appropriate measures to defend against an increasingly varied threat landscape, and second, balancing these actions with the necessary steps that will be required to become compliant with industry regulations.

“The next few months will be critical for suppliers whose solutions are covered by UNECE WP.29 – act now with the right processes in place and there is the potential to forge new long-term relationships to ensure OEMs have complete solutions with the right level of security compliance,” he said. “Or fail to do so and risk being left behind by an industry which is being compelled to act on the imminent cyber threats they are facing daily.”

Further threats

On top of the looming impact of UNECE WP.29, Kaspersky’s survey – which tapped 200 C-suite decision-makers at automotive organisations with more than 1,000 employees – also found that sector leaders are struggling more generally with the cyber security landscape, particularly as it relates to the potential for threat actors to exploit software vulnerabilities in the production of connected cars, and the integration of software into them.

A total of 64% of leaders believed their supply chains were vulnerable, with the biggest area of concern being the provision of infotainment systems and connectivity technology supplied by others, cited by 34% of respondents.

In addition, found Kaspersky, they worry about threats such as keyless entry leading to vehicle theft, eavesdropping and surveillance on users, remote exploitation of autonomous cars, denial of service attacks, and even vehicles being used as an entry point for threats such as ransomware – gangs including Conti, LockBit and Hive have all been known to conduct attacks against the sector.

“Protecting businesses while tackling cyber security threats has radically changed … to a whole new level of complex coding, unknown threats and ongoing cyber attacks,” said Kaspersky automotive research leader Clara Wood. “Our research shows us that criminals are turning their focus towards the automotive supply chain and looking to exploit any weaknesses they can find. This is why cyber literacy is now a critical component if an increasingly interconnected automotive industry is to develop a culture of cyber security best practice, share knowledge, and institute actionable intelligence with a clear and quantifiable return on investment.”

The study additionally found that automotive C-suites also seem to struggle to realise or perceive enough return on their current cyber intelligence investments, and in common with many other sectors, find the jargon and language that surrounds security a barrier to their understanding of risk – an issue Kaspersky has raised before.

“Automotive leaders are being swamped by a tide of competing priorities, unclear processes and isolated threat intelligence, which is threatening the security of both their organisation, and an interconnected network of suppliers, manufacturers and service providers,” said Emm.

“The industry has passed an inflection point, and there is now a clear danger that consumer privacy and safety may be compromised,” he continued. “The use of technology in vehicles, the supply chains required for their development and the need to comply with WP.29 have made it critical that the C-suite understands the cyber risk their companies are facing and take immediate steps to inform their strategies.”