The automotive industry is experiencing radical change, and software is the catalyst. Progressively more software, increasingly intelligent components, and new methods of interaction are finding their way into automobiles of all sizes and price ranges. Beyond improving road safety, convenience, and fuel efficiency for drivers, the software behind the latest features has become a critical differentiator in this industry. It opens up entirely new possibilities for auto manufacturers, their OEMs, and third parties to develop and deliver innovation, setting themselves apart from the competition while enhancing our mobility experience.

However, the increasing number of applications and software-driven components also brings an increase in software-related risk. Every new service, component, endpoint, and API is a new point of attack that criminals can exploit to steal critical data, gain access to upstream maintenance and software-update systems, take over rental or transportation fleets, manipulate driving behavior, and so on, limited only by imagination. Damage to reputation is an obvious outcome of a successful automotive cyberattack; protecting drivers, passengers, and innocent bystanders, however, must be of the utmost importance.

In response to these overarching cybersecurity concerns in modern automobiles, the United Nations Economic Commission for Europe (UNECE) recently developed two new regulations, on cybersecurity and on software updates, designed to help both manufacturers and consumers manage the risks going forward. The binding regulations are the first globally coordinated effort in the area of automobile security. They will apply to passenger cars, vans, trucks, and buses and will enter into force in January 2021.
These regulations are driven primarily by the fact that today's automobiles can contain 150+ electronic control units (ECUs) and roughly 100 million lines of software code, an estimated 4x more than a modern fighter jet. Assessments expect the count to exceed 300 million lines by 2030. There are already a number of documented attacks against automobiles, and a comprehensive list of threats, attack methods, and mitigation approaches can be found in Annex 5 of the cybersecurity regulation, beginning on page 18.

Deciphering any regulatory initiative or requirement often takes a lay person countless hours. This study, conducted by McKinsey & Company, Inc. in conjunction with the Global Semiconductor Alliance (GSA) and directly related to the UNECE WP.29 regulations on cybersecurity and software updates, distills the UN initiatives into four key topics:
- Cybersecurity is becoming a new dimension of quality for automobiles.
- The automotive industry is rethinking cybersecurity along the entire value chain.
- Managing cyber risk throughout the vehicle lifecycle will require new working practices.
- Automotive executives should prepare their cybersecurity strategy.
- In-vehicle services: Software within the vehicle that runs ECUs or domain control units (DCUs)
- OEM back-end services: Cloud services for both the vehicle and user
- Infrastructure and third-party services: Gas/charging, parking, insurance, etc.