What You'll Learn
- Impact of Cybersecurity Regulations on Automotive Industry: Understand the implications of UNECE WP.29 R155 and R156 regulations on vehicle compliance and market availability.
- Challenges in Securing Legacy Automotive Components: Learn about the difficulties faced by OEMs in updating legacy components to meet modern cybersecurity standards.
- Insights from the State of Automotive Cybersecurity 2023 Report: Gain key insights from the report on current trends and persistent issues in automotive cybersecurity.
- Role of OEMs and Suppliers in Cybersecurity Transformation: Discover how OEMs and suppliers are addressing cybersecurity challenges and transforming their approaches to meet regulatory demands.
- Future Trends in Automotive Cybersecurity: Anticipate future developments and necessary steps to enhance cybersecurity in the automotive industry.
Last updated June 6, 2024
We have known for some time that the electronic components placed inside vehicles contain unresolved vulnerabilities. In response, UNECE has added R155 and R156 to their WP.29 requirements, both resolutions aimed at taming, preventing, and responding to the increased cybersecurity risk found in complex software-driven vehicles.
While OEMs and their suppliers have been updating their processes and lineups to comply with the new R155 CSMS regulations that go into effect in July 2024, some vehicles are simply not worth the effort of making cyber secure.
Shockingly, three beloved Porsche vehicles will be removed from markets that enforce R155: the internal combustion engine (ICE) Boxster, the 718 Cayman, and their best-selling model, the Macan. The most likely reason is a lack of security in their components and products.
Perhaps it is a lack of strong architecture, or maybe, as we’ve seen with the latest State of Automotive report, the components used are too outdated and no longer worth the resources needed to keep them compliant. The details are Porsche’s business. While a rational business decision, it is a blow to those who enjoy the roar, control, and performance that boxer engines are renowned for.
It is a loss for those who appreciate the performance and mechanical beauty of ICE vehicles. The removal of these three vehicles begs the question: ‘What does it really take to secure a modern vehicle?’
Legacy Automotive Cyber Security Challenges and Compliance Trends
Our annual analysis and breakdown of internal automotive product security data paints a picture of the complex reality, one that has unfortunately brought us to the point of manufacturers asking if existing vehicles can ever be made compliant. With so many legacy components still being used throughout the automotive industry, it’s no surprise that the automotive data shows an alarming number of known CVEs and CWEs that go along with them.
Using end-of-life or end-of-service software component packages kicks the can down the road, compounding the cybersecurity problems that will likely arise later. As new and old vulnerabilities are discovered within products, it is worthwhile for teams to identify these outdated components and consider swapping them for more secure options.
Insights from the State of Automotive Cybersecurity 2023 Report
In our State of Automotive Cybersecurity 2023 report, the data tells a complicated story of how critical vulnerabilities seem to stubbornly find their way into new vehicles. What OEMs like Porsche are realizing is that to sell throughout Europe (and soon beyond) they’ll have to answer to governments and shareholders for the known risks they have neglectfully allowed into vehicles.
As is now more of an open secret, the automotive industry as a whole is not quite ready for the next phase of WP.29 R155 at the end of 2023, a mere 7 months before implementation. However, while there has no doubt been great progress in the world of automotive product security, there is still a way to go in terms of maturity.
Our main takeaways include:
- Old threats remain persistent – Despite the greater awareness surrounding secure development, vulnerabilities are making their way into devices at a significantly faster rate than ever before. Without automation and streamlined vulnerability management and prioritization, this number seems poised to grow exponentially.
- Security is playing a bigger role – We have seen an increase in operating systems that have inherent security capabilities built in. This includes Android, up to 22% in 2023 from 18% in 2022. Another OS with noticeable growth is Debian, which is used 18.1% of the time compared to just 4.1% last year.
- Fewer private keys are being detected – There appears to be a growing awareness amongst developers and product security practitioners to use public keys and better secure their private keys. This step reduces risk to the components, should their private key become exposed.
- Developers are stuck in an ‘if it isn’t broken, don’t fix it’ mindset – The data shows reason to believe that newer software is developed securely. However, existing components that have known vulnerabilities keep finding their way into new vehicles. This is apparent through the continued presence of end-of-life (EOL), end-of-service (EOS), and no longer maintained software, which introduces old risks into new vehicles.
To avoid costly market withdrawals, proactively assess the cybersecurity of legacy components early in the design phase. Implement a phased upgrade strategy that prioritizes components with the highest risk, and consider integrating cybersecurity features directly into new designs to future-proof your vehicles against evolving regulations.
Driving Change: OEMs and Suppliers Take the Lead in Automotive Cyber Security Transformation
With so many legacy components, vulnerabilities, and potentially malicious code being put into our vehicle components for years, OEMs and Tier-N suppliers have a large challenge in front of them.
No longer can they take vulnerability-packed components and keep passing responsibility down the road. As we’ve seen from Porsche and will likely see from others, meeting WP.29 regulations is forcing OEMs to review their offerings from a product security perspective, deciding whether the vehicle can be salvaged from the risk-infested environment in which it was developed and turned into a vehicle that can remain resilient in the face of an ever-evolving and increasingly hostile landscape.
To learn more about the data that led to these conclusions and steps being taken to bolster product security maturity, read the State of Automotive Cybersecurity 2023 report.
Key Takeaways
- Regulatory Compliance: UNECE WP.29 R155 and R156 regulations are driving significant changes in the automotive industry, compelling OEMs to ensure their vehicles are cyber secure.
- Market Impact: Porsche’s withdrawal of certain models highlights the practical challenges and business decisions involved in complying with new cybersecurity standards.
- Legacy Component Challenges: Many vehicles still use outdated components with unresolved vulnerabilities, posing significant cybersecurity risks.
- Persistent Vulnerabilities: Despite advancements in secure development, old vulnerabilities continue to be a problem, often exacerbated by the use of end-of-life software.
- Advancements in Security Practices: There is a growing use of operating systems with built-in security features and a reduction in the use of private keys, indicating improved security practices.