Securing the vehicle: The impact of UNECE R155 & R156 on Automotive Cybersecurity


As the automotive industry increasingly embraces connectivity and smart mobility, the need for robust cybersecurity measures has never been more critical. As of July 7th this year, all new software-defined and autonomous vehicles produced must comply with the UNECE regulations R155 and R156. Set by the United Nations Economic Commission for Europe and operational in 64 countries globally, these regulations require OEMs to have a cybersecurity management system in place for all new models (R155) and to ensure that software updates for these new vehicles are protected from cybersecurity threats (R156).

For car makers, this is a significant challenge, as they must protect vehicles from more than 70 cybersecurity threats over the entire lifespan of these new vehicles. Given that the average car lifecycle is 12 years – but could extend as long as 25 years – this is no small feat.

The urgency of compliance with these UNECE regulations is underscored by a significant rise in cyber threats targeting the automotive sector. Research indicates a 380% increase in API-based attacks on smart mobility systems in 2023. This growing threat landscape necessitates a proactive approach from manufacturers who must rethink their security strategies over the entire lifecycle of a vehicle.

The shifting landscape of vehicle security

The UNECE R155 and R156 regulations are indicative of the bigger shift in the car industry, as automakers transition from traditional metal press to software-defined vehicles (SDVs).

Software is set to be the defining factor of a vehicle’s worth over the next decade, as consumer demand for personalised in-car experiences gains traction. But alongside these benefits that software brings, automakers must also put in place robust processes and precautions to manage the inevitable cybersecurity threats that use of software brings.

In the past, the relationship between car manufacturers and their vehicles was largely transactional, focused on production and warranties. Now, with the rapid advancement of connected technologies, this relationship has changed completely. Automakers will now need to continuously interact with their vehicles, and by extension their customers, long after the car has left the lot.

The role of over-the-air (OTA) updates

For automakers to ensure that software-defined vehicles can withstand cybersecurity threats they must leverage advanced, data-driven technologies. These will enable them to remotely monitor vehicle security, deliver updates, and proactively address threats.

Over-the-air (OTA) updates in particular are central to safeguarding a vehicle’s security. They allow OEMs to address potential vulnerabilities as they arise and ensure vehicles are never left exposed. It is imperative, therefore, that these OTAs are seamless, and that hinges on OEMs having smart and reliable global connectivity.

Indeed, over-the-air updates themselves can be vulnerable to cyber-attacks – UNECE R156 outlines the need for automakers to ensure they are as safe as possible – so it’s crucial their connectivity is secure and continuously adapting to new threats and vulnerabilities.

Connectivity and strengthening vehicle security

Data is at the heart of the software-defined vehicle, both in terms of what the car generates itself but also what it captures from its users. For OEMs, understanding the latter is invaluable; enabling them to create better, more personalised in-car experiences which will grow their business.

Managing this enormous volume of data, however, also brings with it considerable cybersecurity needs. Access to data such as driver identity, location history and user behaviour means hackers could create profiles of users, which could then be used for targeted attacks.

Seamless, secure connectivity is the means of combating this. Our advanced monitoring systems ensure any potential security breaches are identified early, and updates are swiftly deployed. Device and traffic restrictions incorporated into the network build-out, and automated network actions based on unique vehicle identities, also safeguard against cyber threats.

Building in security protocols, such as restricting what a device in a car can talk to or being able to suspend or block a SIM if suspicious activity is detected, can all protect data. We can also tailor connectivity for OEMs to ensure that sensitive data is only relayed on a private network and only uses private Access Point Names (APNs). This ensures that customers, traffic and use cases are segmented securely.

Navigating opportunities in cybersecurity

UNECE Regulations R155 and R156 mark a pivotal moment for the automotive industry and cybersecurity. While the challenges are significant, they also present opportunities for innovation. The creation of digital twins of individual vehicles, for example, will be instrumental in delivering personalised updates and monitoring overall vehicle health. By having a virtual replica of each vehicle, car manufacturers can gain insights into performance and security needs, enabling more targeted and effective updates.

Ultimately, by prioritising cybersecurity, leveraging advanced analytics, and fostering a culture of security awareness and innovation, OEMs will not only meet regulatory requirements but build lasting consumer trust.

Nick Power will be discussing these challenges, and the essential role connectivity has in navigating the cybersecurity landscape, on a panel tomorrow, October 22nd, at Automotive USA.

