The state of vehicle cybersecurity in Europe

3 March 2021
Posted by: Alberto Caravaca

Why is cybersecurity in vehicles important?

Today, the automotive sector has no obligation to certify the cybersecurity of its vehicles. This makes cyber-attacks common in today’s vehicles, and the implications of these attacks are very broad.

An attack could allow the theft of the car, like the one recently detected in the key fob of the Tesla Model X. However, the implications of possible cyber-attacks can go much further: if an attacker is able to compromise the vehicle system and take full control of it while driving, the safety of passengers could be endangered.

How is Europe moving towards a more cyber-secure automotive sector?

Due to the cyber threats that target vehicles, the United Nations Economic Commission for Europe (UNECE) has been working since 2018 on the cybersecurity and software updates of vehicles. The latest draft from UNECE regarding vehicle cybersecurity was proposed a few months ago, and its objective is to secure the whole environment of the vehicle. This ensures the cybersecurity not only of the vehicle itself but also of the development, production and post-production stages, ensuring a cyber-secure product during its lifetime.

The UNECE proposal involves two main parts for manufacturers:

  • Cyber Security Management System (CSMS), which focuses on processes and considers all phases of the vehicle (development, production and post-production), thus covering the entire life cycle of the vehicle. These requirements imply a risk-based approach that defines processes, responsibilities and governance to treat the risks associated with cyber threats and protect vehicles from cyberattacks.

  • Vehicle type assessment: for each vehicle model, the manufacturer is required to carry out a risk assessment, perform tests, apply mitigations and implement appropriate cyber security measures in the design of the vehicle. This risk analysis should not focus only on the vehicle; it needs to cover all external systems that may interact with the vehicle.

Finally, to verify that all requirements are met, the manufacturer must provide the information to the competent authority. This authority will be in charge of certifying the validity of such information and repeating the tests it deems appropriate to verify the cybersecurity of the vehicles.

This regulation entered into force on 22 January 2021 and will be mandatory for all new types of vehicles. The countdown has already begun and manufacturers should start considering these requirements.

What players are involved in automotive cybersecurity and how will manufacturers be impacted?

Of course, the manufacturers are the main actors, but not the only ones. All third-party suppliers and service providers are part of the system. A clear example of a service provider would be the mobile application used by a vehicle, while the company that supplies the electric charger could be a clear example of a third-party supplier.

Due to the large number of suppliers that a car manufacturer can incorporate into its chain, these components and services must be validated too.

The potential impact on manufacturers will depend on a number of factors:

  • Their knowledge of regulatory requirements and needs

  • The size and complexity of their processes

  • The dependence on external suppliers, taking into account their respective countries of origin

  • The expertise of their internal cybersecurity teams and the cybersecurity consulting firms advising them.

How can jtsec help vehicle manufacturers?

jtsec is a well-known player in the certifications field, and we can support customers in meeting all the cyber security requirements that will be indispensable in the vehicle industry. Our team is able to support you in the adoption of the regulations by preparing the required documentation and risk analyses and performing all the necessary tests to guarantee the cyber security of the vehicles.

  • Alberto Caravaca/Junior evaluator

    Telecommunications Engineer from the University of Granada, specialized in telematics. Working as a Junior cybersecurity evaluator since July 2019 on projects related to LINCE certification and Red Teaming.

    He has participated in security assessment projects of technological products, and also as a penetration tester auditing enterprise systems.

    His main motivation is to keep improving his cybersecurity skills in order to help companies identify security breaches in their products and systems so that they can enhance their security.

