Integration and education keys to secure automated mobility, says ENISA
The European Commission defines CAM (Connected and Automated Mobility) as “connected vehicles that can share data or operate autonomously, provide a unique opportunity to make our transport systems safer, cleaner, more efficient and more user-friendly”.
With the expected exponential increase of self-driving cars, the whole ecosystem of services behind a revolution that will change the transportation system is becoming increasingly relevant.
Due to the level of technological innovation typical of this sector, vehicle automation and connectivity also mean more cybersecurity challenges and threats, as recognised by the European Union Agency for Cybersecurity (ENISA) in its latest report “Recommendations for the security of CAM”, released in May this year.
The report highlights challenges and solutions for decision makers, in support of the EU Commission and Member States in revising or adapting the UN cybersecurity regulations, which mandate that all car manufacturers secure vehicles against cyberattacks. In the European Union, the new regulation on cybersecurity will be mandatory for all new vehicle types from July 2022 and will become mandatory for all new vehicles produced from July 2024.
“Connected services,” warn the authors of the report, “may be attacked by cyber-attackers and create cyber fraud, data breach and privacy incidents, as well as software overrides resulting in dangerous situations and accidents when part of the vehicle to everything (V2X) network is attacked, thereby threatening the drivers, road users and companies. Efforts across the whole industry should be made to ensure that even if one system is compromised and/or tampered, the rest of the systems remain unaffected.”
Increased resilience to potential cybersecurity attacks should be achieved through a series of actions and policies across the whole industry. “Today, connected vehicles, connected environment and connected infrastructure should be designed with new capabilities and features that have the potential to provide increased safety, better vehicle performance, competitive digital products and services, more comfort, environmental friendliness, as well as convenience for its end-users. Governments, manufacturers, private companies (incl. SMEs and start-ups) as well as IT enterprises are all involved in the future development of intelligent and connected and automated mobility.”
The report goes on to describe the complex interconnectivity of the CAM environment, from the connected services and off-board systems that are characterised by agile development cycles, to various physical infrastructures, equipment, products and associated services, vehicles and soft-mobility devices managed by engineering teams, which are characterised by a much longer development cycle.
These two different parts of the environment have an impact on cybersecurity, particularly given the challenge of the new collaboration needed between two different teams: those managing the digital world and those developing and operating physical products. “Developments on each side can affect the security of the other side, thereby making the risk approach holistic which has proven to be challenging in environments where a clearly stated and efficient governance has not yet been put in place”.
Luckily, as the report notes, the different actors of the CAM ecosystem have already started to grow new expertise, skills and competences, enabling the integration of digital into the transport sector by hiring new profiles, transferring competences and opening up internally. Companies have also started collaborating with partners, start-ups and other suppliers that could provide the required expertise.
To foster this process, ENISA recommends raising awareness at the top management level and throughout the organisation about the impact of cybersecurity and technology on the CAM ecosystem lifecycle, and promoting the integration of cybersecurity along with digital transformation at the board level in the organisation.
Most of the stakeholders interviewed for the report ranked the financial resources available for cybersecurity as a main challenge, hindering the ability to carry out state-of-the-art activities and effectively address all identified risks. It is therefore important to promote a mind-set shift so that “cybersecurity is not seen as a cost and pure loss of money that may avoid potential risks, but as a real enabler of important business opportunities made possible by the mastering of technologies”. CAM actors can add value to their products by ensuring a high level of quality based on security, reliability and privacy.
Another major challenge for the sector is the number of standards and regulations to comply with. “Standardisation and regulatory environments are evolving internationally, generating new requirements for the industry regarding connectivity and autonomous capabilities. In Europe, regulations tend to be harmonised for the Member States, but some specific regulations exist per country. (…) The lack of streamlined regulations at the global level leads to a situation where an organisation is subject to different schemes for a same product range.”
To tackle the challenge of different regulatory systems, ENISA recommends ensuring a homogeneous, detailed, and stable legal EU environment for CAM cybersecurity and working across all levels of policy-making (incl. governmental and European) to participate in the development of new, harmonised laws and guidance to provide clarity on national standards and responsibilities, and to reduce barriers to innovation while promoting secure product and service development. It is also advisable to conduct analyses on current automotive regulations to examine potential gaps and promote multi-stakeholder dialogues between the automotive industry actors to ensure consensus in the development of relevant technical standards and regulations.
Finally, another major obstacle hindering the adoption of security measures specific to CAM products and solutions is the lack of expertise and skilled resources for the sector. These require expertise in IT security in general, and in several further areas such as software security, network security, cryptography, embedded systems, and operational technology (OT).
To promote knowledge on cybersecurity, ENISA recommends, among other measures: launching security education and training in the mobility industry, introducing programmes at schools and universities to address the lack of security and safety knowledge across the industry, and empowering the next generation of IT/OT and mobility security experts.
In conclusion, cybersecurity is a challenge, but one that comes from revolutionary technologies destined to provide new and exciting business opportunities. As with any new development, challenges can be sustained and overcome by mastering the required new technologies, setting aside adequate budgets and working together to introduce the necessary regulatory systems.
Figure 1 - Cybersecurity Challenges in the CAM area. Source: Recommendations for the Security of Connected and Automated Mobility, ENISA, May 2021
Figure 2 - CAM Stakeholders’ Mapping. Source: Recommendations for the Security of Connected and Automated Mobility, ENISA, May 2021