Today, cybersecurity affects each of us on multiple levels. Our professional work, our personal lives, and even our cars rely on connectivity and technology running on complex software. As information technology becomes more and more integrated into our daily lives, our dependence on subsequent information systems is also increasing. In turn, the vulnerabilities and potential attacks of these systems have increased. To protect these systems and the information they contain, cybersecurity was born. Applied to vehicles, cybersecurity takes on an even more important role: the systems and components responsible for safety must be protected against harmful attacks, unauthorized access, damage or anything else that could interfere with the safety function.
Today, autonomous driving, connected cars, electric vehicles and shared mobility -- have dominated the agenda of automotive industry leaders in recent years. These innovations, based on the digitization of in-vehicle systems, the extension of automotive IT systems to the back end, and the dissemination of software, have turned the modern car into an information clearinghouse while also making it an attractive target for cyber-attacks. The industry needs to focus on three key issues in the automotive industry:
What are the specific trends and drivers of cybersecurity in the automotive industry?
How will these drivers affect the long-term value chain of the automotive industry?
How can companies inside and outside the industry prepare and position themselves for the upcoming market development and expected segment growth?
The cyber risks of connected cars have become apparent over the past few years as security researchers have revealed various technical vulnerabilities. In these cases, attackers disclosed their findings to OEMs to help them fix issues before malicious actors could do harm.
As automotive technology advances rapidly, so does the need for robust automotive cybersecurity. Government agencies, automakers, suppliers, and the public will need to collaborate to advance the industry's response to automotive cybersecurity challenges. The goal is to facilitate the impact of various safety applications employed in current vehicles, as well as those envisioned for future vehicles that may incorporate more advanced forms of automation and connectivity.
Currently, there are only some narrowly defined standards and guidelines on specific technical procedures for securing automotive hardware and software, such as hardware encryption standards or secure communication standards between electronic control units (ECUs). However, that could change soon. The World Forum for Harmonization of Vehicle Regulations, part of the United Nations Economic Commission for Europe (UNECE), is planning to publish new regulations on cybersecurity and over-the-air software updates. The regulations will make cybersecurity a prerequisite for ensuring market access and type approval in UNECE member states.
While the UNECE regulations on cybersecurity and software updates set out the regulatory framework and minimum requirements for automotive companies along the value chain, they do not include detailed implementation guidelines for translating the requirements into specific operational practices. However, the new International Organization for Standardization (ISO)/Society of Automotive Engineers (SAE) standard 21434 "Road vehicles - Cybersecurity engineering" (still in draft) and ISO 24089 standard "Road vehicles - Software update In terms of updates, clear organizational, program and technical requirements are put forward for the entire vehicle life cycle from development to production to after-sales.
These standards will enable the industry to implement common cybersecurity practices for vehicle development and manufacturing. The standards will also allow for compliance with these practices to be assessed and attested by third parties, which could be used among industry players to demonstrate compliance with the standards, for example between OEMs and suppliers. in contract.
Ensuring a comprehensive cybersecurity environment in the U.S. requires a multifaceted research approach, leveraging the National Institute of Standards and Technology’s cybersecurity framework, and encouraging industry to adopt practices that can improve the cybersecurity posture of their vehicles in the U.S. . NHTSA advocates a multi-layered approach to cybersecurity, focusing on wireless and wired entry points to vehicles, as these entry points may be vulnerable to cyberattacks. A multi-layered approach to vehicle cybersecurity reduces the likelihood of a successful vehicle cyberattack and mitigates the potential consequences of a successful intrusion. A comprehensive systems approach to developing layered cybersecurity protection for vehicles includes the following:
Risk-based prioritization and protection processes for safety-critical vehicle control systems;
Timely detection and rapid response to potential vehicle cybersecurity incidents on U.S. roads;
Design architectures, methods, and measures for cyber resilience and facilitate rapid recovery from incidents should they occur;
And ways to effectively share intelligence and information across the industry to facilitate rapid adoption of lessons learned across the industry. NHTSA encourages the formation of the Automotive Information Security Council (Auto-ISAC), an industry environment that emphasizes cybersecurity awareness and collaboration across the automotive industry.
To secure hardware and software while meeting regulatory requirements and customer expectations, existing employees in the automotive industry need to acquire new skills and work methods throughout the development cycle, including specification, design, development, integration and testing phases ( See Figure 2). Employees in other areas such as purchasing, project management, dealership and customer communications also need to improve skills related to cybersecurity.
In addition to improving workforce skills, OEMs and other companies along the value chain must also establish stricter cyber risk management processes and compliance documents. The decision to revise a system or adopt a new one often depends on the organizational structure and maturity of the company. Companies may also need to adjust roles, responsibilities and formal processes for assessing and managing vehicle cyber risk.
In the new environment, OEMs need to respond immediately to security incidents, including situations where a company discovers a new or potential vulnerability, or a vehicle is compromised by a malicious hacker. This requires organizational, procedural and technical capabilities to detect and address cybersecurity incidents. Providing security patches throughout the vehicle's life cycle is also critical to the safe operation of the vehicle. Vehicles are often driven for ten years or more, requiring regular updates over long periods of time. That makes them more akin to airplanes or boats, which take longer to provide software updates than consumer products like PCs, smartphones, tablets and smart appliances.
The automotive cybersecurity market is currently segmented into three elements: cybersecurity hardware, cybersecurity-related software development efforts, and cybersecurity processes and solutions. Based on expert interviews, McKinsey analysis, and forecast models, the research firm estimates that the total cybersecurity market will grow from $4.9 billion in 2020 to $9.7 billion in 2030, an annual growth rate of more than 7 percent (see Figure 3).
To capture value in this growing cybersecurity market, players across the value chain are adopting different strategies. We expect significant changes in the following areas:
OEMs are pursuing vertical integration (for example, by building their own cybersecurity components or even software stacks).
Vendors are moving up and down the value chain, for example by offering specialized cybersecurity consulting services.
Startups are entering the market with innovative solutions, including dedicated threat detection applications or vehicle security operations centers as a service.
IT and operational technology companies are expanding into the adjacent automotive cybersecurity market (for example, by providing back-end solutions or cybersecurity components).
Semiconductor companies are moving up the value chain through various measures, such as offering software optimized for their chips. The following is Infineon's application in automotive network security and information security.
