A UN/ECE regulation has imposed new cybersecurity requirements on new vehicle models since mid-2022. In the future, no vehicle will be allowed on the road unless the manufacturer can prove that the vehicle series was developed to be cybersecure. IAV helps OEMs and suppliers address the new requirements and processes.
«This campaign made headlines worldwide in 2016. It was also a wake-up call for car manufacturers and has led to a much stronger awareness of cybersecurity.»
— Senior Technical Consultant Automotive Security at IAV.
Increasingly larger attack surfaces
Since then, however, the network of vehicles has continued to increase – and thus the number of possible attack scenarios: Hackers can now attempt to manipulate a vehicle via mobile communications, Bluetooth, near-field communication (NFC), WLAN or Car2X connections, among others. “
In addition, the IT architecture of modern cars is increasingly changing toward centralization,” explains Carsten Elvers, Head of Department Embedded Security at IAV. “There, more and more components from the PC and Internet area are being used, which makes life even easier for the attackers.”
To protect vehicles better from hackers, the UN/ECE Economic Commission for Europe has developed a new control on Cybersecurity (R155), which sets the requirements for new vehicle types and from 2024 for all new cars. Detailed processes for vehicle development are provided in ISO/SAE Standard 21434 (“Road Vehicles – Cybersecurity Engineering”).
For example, in the future, OEMs will have to prove that they have a cybersecurity management process and that they are able to develop vehicles safely in cybersecurity terms.
«We know the cat-and-mouse game with the hackers because we have been developing safety-relevant software such as immobilizers for 20 years.»
— Senior Technical Consultant Automotive Security at IAV
Therefore, IAV can offer vehicle manufacturers advice on the new requirements and support in providing the required documentation along the entire V process.
For large OEMs, the focus is on the documentation and implementation of the processes; for smaller manufacturers, advice on the consequences of the new regulations is currently required. “But Tier 1 suppliers must also become cyber-compliant,” says Elvers. “We can also support this – after all, we are in the process of adapting all processes to the new requirements ourselves.”
The aim is to make connected vehicles safer, and thus to offer hackers such as Miller and Valasek fewer opportunities to attack in the future.
You can read all articles of the new inware magazine here.