New standards for cybersecurity in cars

Anyone buying a new mid-range car is travelling around with a small data processing centre on board. In the meanwhile, modern cars have more software than many airplanes. However, this has resulted in an increased security risk, as cyber attackers have for some time now identified our mobile companions as attractive targets. The attacks involved range from digital car thefts to interfering with traffic flows. Manufacturers have known about these risks for a long time, but have been rather slow to implement security measures. International committees and organisations now have this issue on their agenda and for some time now have not just been dealing with traditional aspects of vehicle security but also with digital issues.

The task is being handled at the highest levels: “The criteria for cybersecurity in cars are being determined by EU and UN working groups,” explains Richard Goebelt, a member of the management board of VdTÜV, the umbrella organisation of Germany’s technical inspection agencies, and head of its vehicle and mobility division.

International committees for automotive cybersecurity

The UN committee dealing with standardised technical regulations for motor vehicles is called ECE, Economic Commission for Europe. However, as a UN committee, ECE’s scope actually extends far beyond Europe. The requirements it defines are adopted by the EU, so that all manufacturers are then subject to the same conditions. “Previously the committee dealt mostly with hardware, but in future the focus will shift to software,” says Goebelt, because IT security aspects are increasingly part of the work of this committee. “Software will be the critical factor and the highest quality standards are needed for security reasons,” he says.

In Germany this testing is done largely by the technical inspection agencies (TÜV), which prepare an expert report as early as the mandatory type approval stage when a new vehicle is being brought onto the market. For this process the test specialists even have a prototype to inspect.  “All interfaces that can be accessed by wireless technology are potentially dangerous and need to be subjected to special inspection,” explains Goebelt. Testing cybersecurity presents new challenges for the technical inspection agencies:  “The testing specifications and assessment criteria for this still need to be developed,” he says. This will initially be the role of the UN committee. However, the technical inspectorates also need more cybersecurity specialists, which are not easy to come by given the current situation on the job market.

TÜV needs software specialists

For cybersecurity, the regular checks every two years are not sufficient, says Goebelt. Updates have to be installed regularly. Goebelt calls for the management of software updates to also be taken into account when checking operational safety. Remote testing should also be possible, above all when vehicles are sharing data in cooperation with other road users. Moreover, the fact that more and more functions are being outsourced to the Cloud is complicating the testing process. “This is why we need independent access to original data in the vehicle. Both the software and its system description need to be divulged; in some cases this will even include the source code.”

The specialists at TÜV have developed a concept to protect the most important digital components of a car:

“As an interoperable security architecture we want to put an automotive security platform in the vehicle that among other things will separate the digital components into different segments, including an end-to-end encryption of the vehicle communications,” explains the TÜV expert, adding: “For example, if the entertainment system is corrupted the attackers should not be able to get from there to the engine controls.” A UNECE task force has already produced a draft recommendation on the type testing of automated and connected vehicles with the title “Cyber Security Recommendations of Task Force GRVA”. “The first practicable drafts will probably be published as early as next spring,” says Goebelt. When it comes to cyber security he knows he has the backing of consumers: “According to a Survey by VdTÜV (German association of technical inspection agencies), 95% of consumers believe that cyber security needs to be tested in future.” But Goebelt is already thinking ahead. “In future it will no longer be the individual vehicle that plays the major role; other traffic components like traffic signals have to be considered as part of the same system.” Because the more autonomous the cars, the more new forms of attack will emerge.