
How OEMs Drive Cybersecurity in Smart Vehicles

The evolution of software-defined vehicles requires automotive industry OEMs to get ahead of data encryption, IT security, and AI to thwart cyberattacks.


As the automotive industry speeds toward the dream of software-defined vehicles, IT systems are becoming more embedded in the driving experience — opening new attack routes for hackers.

Financial services firm and researcher Evalueserve claims connected cars could exchange up to 4 terabytes of data per day, or the equivalent of around 8 million digital photos. The need to secure this massive data flux is creating an entirely new branch of cybersecurity devoted to the automotive sector.

It’s a branch concerned not only with securing data while a connected car is in use, but also across the automotive life cycle, from manufacturing to aftersales.

Automotive industry cybersecurity is evolving rapidly, because OEMs have not traditionally faced IT security threats in the manufacturing or use of their products. Nor has the industry been a major target for hackers, beyond the malware threats faced by all enterprise operations.

The arrival of software-defined vehicles means the auto industry now needs to get ahead of data encryption, IT platform security and the use of AI and other tools for the enhanced identification of vulnerabilities.

Yet, as things stand, “Vehicle-to-everything and vehicle-to-grid communication security development is reactive, as most technology is still in pilot phase and requires strong hardware and software integration,” said an executive interviewed by Evalueserve.

Factory Cybersecurity

OEM manufacturing does boast several cybersecurity strengths. For example, the industry is already encrypting communications within internal components and uses an architecture design based on isolated zones that minimizes the risk of malware transmission in vehicles.

Similarly, devices that the car might connect to, including cellphones, already use secure technologies such as elliptic curve cryptography. And manufacturers rely on secure cloud providers for data storage and over-the-air software updates.

However, as vehicles add more data entry points, concern is growing about the vulnerability of an expanding attack surface. The industry collaborations required for software-defined vehicle development, often involving small or start-up companies, could also create openings for hackers.

Software-defined vehicles will interact with a growing number of IT systems, any one of which could be compromised by a determined threat actor. It’s uncertain whether the legacy systems currently being integrated into connected cars have all the security they might need.

The need to shore up industry defenses is being addressed by an array of cybersecurity providers, operational technology (OT) security specialists and Tier 1 suppliers. These providers are helping introduce cybersecurity best practices such as standardization, code signing, penetration testing, controlled access and monitoring, tamper-evident hardware seals and secure software development life cycles.

In response to security concerns, some OEMs are using virtual security operation centers to aggregate, correlate, analyze and report on vehicle threat data to mitigate risks and manage vulnerabilities.

These centers are usually run by OEMs, for data privacy purposes, but developed by third parties.

Across all fronts, OEMs are seeking to beef up their cybersecurity capabilities, usually in partnership with specialist firms. Only about 5% of current cybersecurity initiatives are developed in house, although this could rise to 20% in the next 10 years as automakers gain experience.

Secure Strategies

Emerging automotive cybersecurity strategies focus on providing several layers of security. One major OEM has built its own vehicle operating system and uses secure wireless local area networks (LANs) to safeguard vehicle-to-infrastructure communication.

The company has also invested in a risk analysis and penetration testing start-up and collaborates with third-party experts on areas such as the provision of a virtual security operation center, training institutions for cybersecurity skills and industry associations for guidance on best practices.

Another global manufacturer has created a dedicated cybersecurity unit and launched a bug bounty program to track down vulnerabilities. It has also invested $4 million to improve its architecture, design principles and threat-analysis risk assessments.

Auto industry players work alongside a range of IT security bodies, including the Automotive Information Sharing and Analysis Center, the U.S. National Highway Transportation Safety Agency (NHTSA), Alliance for Automotive Innovation and the National Institute of Standards and Technology (NIST).

They can also leverage the knowledge and technologies developed for traditional cybersecurity, such as using microservices architectures, to minimize potential attack surfaces and strengthen defenses with secure boot processes and hardware-based security modules.

Some companies are even exploring post-quantum cryptography technologies, in anticipation of traditional bit-based encryption being rendered obsolete by quantum computing.

Evolving Regulations

Standards and industry bodies offer the automotive sector a range of best-practice frameworks, from the International Organization for Standardization's ISO/SAE 21434:2021 road vehicles — cybersecurity engineering standard to Europe’s UN Regulation No 156 provisions for software updates.

The ISO/SAE 21434 framework is of particular importance because it sets requirements for automotive cybersecurity processes and a common language for communicating and managing risks. One part of the framework concerns the structure, processes and governance involved in automotive cybersecurity management systems. Another offers guidelines on how to make sure vehicle architecture designs, risk assessment procedures and cybersecurity controls are executed correctly.

These cover factory and in-vehicle cybersecurity, respectively.

A third concern is how to secure charging infrastructure. Currently, most of this depends on the adoption of best practices such as security by design and blockchain-based data exchanges.

At the same time, though, organizations such as the Institute of Electrical and Electronics Engineers (IEEE) and the International Electrotechnical Commission (IEC) are developing cybersecurity standards for emerging vehicle-to-grid and smart-grid implementations.

One challenge facing OEM efforts to secure connected cars is that regulations and best practices vary widely from one region to another. For example, automotive OEMs in Europe all need to comply with laws such as UN Regulation 165, while the United States relies much more heavily on industrial development than on regulatory limitations.

For more on how the auto industry is driving the evolution of smart cars, download the white paper from Rockwell Automation at rok.auto/EVTrends.

The Journal From Rockwell Automation and Our PartnerNetwork™ is published by Endeavor Business Media.
