Navigating the Evolving Automotive Cybersecurity Regulatory Landscape


CTO & Co-Founder

April 11, 2024

The automotive industry’s digital transformation has ushered in an era of unprecedented connectivity and technological advancement. Yet, it is also exposing mobility assets to a myriad of cybersecurity risks, expanding significantly in scale and impact, as demonstrated by insights from Upstream’s 2024 Global Automotive Cybersecurity Report.

Recognizing the urgency of addressing these threats, regulatory bodies around the world are actively expanding the scope of existing regulations and introducing new frameworks to enhance cybersecurity resilience across the automotive ecosystem.

The EU Cyber Resilience Act (CRA)

One notable development is the EU Cyber Resilience Act (CRA), a horizontal legislation covering all products with digital components (both hardware and software), including vehicles. The Cyber Resilience Act takes a comprehensive approach, governing the entire lifecycle of these products, from planning and design to development and maintenance. It requires manufacturers to report actively exploited vulnerabilities and incidents and mitigate risks effectively throughout the product’s support period.


The Cyber Resilience Act is set to enter into force in May 2024, with manufacturers obligated to comply within 36 months. Determining the scope of the CRA is critical for OEMs and other mobility stakeholders, as it interacts with existing regulations like the General Safety Regulation (EU) 2019/2144 and UNECE WP.29 R155. Vehicles under categories M, N, and some in category O will be governed by R155, while other vehicle types will be subject to the CRA.

The ISO 15118 Standard for Secure EV Charging

Another significant initiative is the ISO 15118 standard, which serves as the leading communications standard for secure vehicle-to-grid communications in electric vehicles (EVs). This standard ensures encrypted and secure communication between EVs and electric vehicle supply equipment (EVSE). It applies to category M and N vehicles, but encourages other OEMs to also adopt its framework. It also serves as the foundation for the high-level communication protocol (HLC) for the Combined Charging System (CCS) standard for charging EVs. 

Based on the need to establish trust in the EV charging process, the standard was designed to protect the grid and support the charging of multiple vehicles at once while preventing the grid from overloading.

The ISO 15118 standard governs a “Plug and Charge” operation involving three fundamental stages:

  1. Confidentiality – Transport Layer Security (TLS v1.2) protocol is used to establish an encrypted communication session with a shared key that is valid for one charging session.
  2. Data integrity – All messages are encrypted and decrypted during a charging session using the symmetric TLS session key.
  3. Authenticity – The authenticity of the sender and the integrity of the message are both verified using an Elliptic Curve Digital Signature Algorithm (ECDSA).
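The three stages above can be seen end to end in a small program. The following is an added illustration written for this article; it is not code from Upstream or from the ISO 15118 specification. It assumes a fresh AES-256-GCM key standing in for the per-session TLS key (the TLS handshake itself is not re-implemented), ECDSA over the P-256 curve with SHA-256 for the vehicle's signature, and a constructed JSON-style charge request and session id, none of which are taken from the standard. It shows why the layers are separate: the symmetric session key detects any change to a record in transit, while the ECDSA signature is what ties the request to a specific vehicle key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SessionKey stands in for the per-session symmetric key that the TLS handshake
// produces (stage 1). TLS is not re-implemented here; an AES-256-GCM key generated
// fresh for one charging session plays that role (an assumption of this example).
type SessionKey struct {
	aead cipher.AEAD
}

// NewSessionKey generates a fresh key for a single charging session.
func NewSessionKey() (*SessionKey, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &SessionKey{aead: aead}, nil
}

// Seal encrypts one message under the session key (stage 2). The session id is
// bound as associated data, so a record replayed into another session will not
// open, and the GCM tag is what detects any modification of the record.
func (k *SessionKey) Seal(sessionID string, msg []byte) ([]byte, error) {
	nonce := make([]byte, k.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, k.aead.Seal(nil, nonce, msg, []byte(sessionID))...), nil
}

// Open decrypts a record produced by Seal; it errors if the tag check fails.
func (k *SessionKey) Open(sessionID string, record []byte) ([]byte, error) {
	n := k.aead.NonceSize()
	if len(record) < n {
		return nil, errors.New("record shorter than nonce")
	}
	return k.aead.Open(nil, record[:n], record[n:], []byte(sessionID))
}

// SignRequest is the EV side of stage 3: the request is hashed with SHA-256 and
// signed with the vehicle's ECDSA private key (P-256 assumed in this example).
func SignRequest(priv *ecdsa.PrivateKey, req []byte) ([]byte, error) {
	h := sha256.Sum256(req)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// VerifyRequest is the charger side of stage 3: true only if the signature was
// made over exactly this request by the holder of the matching private key.
func VerifyRequest(pub *ecdsa.PublicKey, req, sig []byte) bool {
	h := sha256.Sum256(req)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// RunPlugAndCharge walks the three stages once with a constructed request and
// reports whether the genuine request is accepted and altered data is rejected.
func RunPlugAndCharge() (accepted bool, tamperedRejected bool, err error) {
	evKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // EV key (constructed)
	if err != nil {
		return false, false, err
	}
	session, err := NewSessionKey() // stage 1: one key per charging session
	if err != nil {
		return false, false, err
	}
	const sessionID = "session-0001"                                             // constructed sample
	req := []byte(`{"evseID":"EVSE-DEMO-01","maxCurrentA":32,"energyKWh":40}`) // constructed sample

	sig, err := SignRequest(evKey, req) // stage 3 on the EV side
	if err != nil {
		return false, false, err
	}
	encReq, err := session.Seal(sessionID, req) // stage 2: both records go out encrypted
	if err != nil {
		return false, false, err
	}
	encSig, err := session.Seal(sessionID, sig)
	if err != nil {
		return false, false, err
	}

	// Charger side: open both records, then check the signature over the request.
	gotReq, err := session.Open(sessionID, encReq)
	if err != nil {
		return false, false, err
	}
	gotSig, err := session.Open(sessionID, encSig)
	if err != nil {
		return false, false, err
	}
	accepted = VerifyRequest(&evKey.PublicKey, gotReq, gotSig)

	// Failure modes: a record altered in transit fails the GCM tag check (its last
	// bytes are the tag), and a request with a different body fails the ECDSA check.
	altered := append([]byte{}, encReq...)
	altered[len(altered)-1] ^= 0x01
	_, openErr := session.Open(sessionID, altered)
	forged := []byte(`{"evseID":"EVSE-DEMO-01","maxCurrentA":64,"energyKWh":40}`)
	tamperedRejected = openErr != nil && !VerifyRequest(&evKey.PublicKey, forged, gotSig)
	return accepted, tamperedRejected, nil
}

func main() {
	accepted, tamperedRejected, err := RunPlugAndCharge()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("genuine request accepted: %v, altered data rejected: %v\n", accepted, tamperedRejected)
}
```

Binding the session id as associated data is a design choice of this example rather than something the article states: it makes a record from one charging session unusable in another even though the key is already per-session, which is the kind of belt-and-braces check a charger implementation can apply cheaply.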

ISO 15118 applies to all entities involved in the charging process, including EVSE manufacturers, EV OEMs, charging point operators (CPOs); cloud service providers (CSPs, e.g., edge computing & data storage); and electricity grids (e.g., utilities, building management systems, etc.).

Transparency and Accountability in Cybersecurity Disclosure Rules

The regulatory landscape is also addressing the need for transparency and accountability in cybersecurity incidents. The new SEC cybersecurity disclosure rules, effective since December 2023, require US public companies to disclose material cybersecurity incidents within four business days of determining that an incident is material, and to provide annual information on their cybersecurity risk management, strategy, and governance.

Under the new rule, public companies traded under the SEC regulations must disclose the occurrence of a material cybersecurity incident and describe the material aspects of the nature, scope, and timing of the incident, as well as the material impact or reasonably likely material impact of the incident on the company, including its financial condition and results of operations. This disclosure is focused on the material impacts of a material cybersecurity incident. The rules also allow the delayed reporting of cybersecurity incidents that pose a substantial risk to national security or public safety—contingent on written notification by the Attorney General.

This emphasis on transparency and accountability is crucial in fostering industry-wide resilience and maintaining consumer trust.

NHTSA’s Updated Cybersecurity Best Practices

Furthermore, the National Highway Traffic Safety Administration (NHTSA) has released updated cybersecurity best practices for new vehicles, reflecting evolving attack methods and the sense of urgency in mitigating cybersecurity risks across the entire ecosystem. These best practices recommend a layered cybersecurity approach based on the NIST Cybersecurity Framework’s five principal functions: ‘Identify, Protect, Detect, Respond, and Recover’, including: 

  • Risk-based prioritization of protection for safety-critical vehicle control systems and sensitive information 
  • Timely detection and rapid response to potential threats and incidents 
  • Rapid recovery when attacks do occur 
  • Methods for accelerating the adoption of lessons learned across the industry, including effective information sharing


A New Cybersecurity Culture Emerges Amid the Need to Navigate the Complex Regulatory Landscape

As the regulatory landscape continues to evolve, it is imperative for automotive stakeholders to stay informed and proactively adapt to these changes. Embracing a culture of cybersecurity and actively collaborating with industry partners and regulatory bodies will be crucial for navigating this complex environment successfully.

By fostering a proactive and collaborative approach, the automotive industry can enhance the resilience and security of connected vehicles, maintain consumer trust, and position itself as a leader in the evolving mobility ecosystem. 

Regulatory bodies, manufacturers, suppliers, and other stakeholders must work in tandem to address the multifaceted challenges posed by the expanding cybersecurity regulatory landscape, ensuring the safe and secure integration of cutting-edge technologies in the automotive sector.

Gain invaluable insights into the evolving landscape of automotive cybersecurity by exploring Upstream’s 2024 Global Automotive Cybersecurity Report.
This comprehensive resource delves into the latest regulations and guidelines governing cybersecurity in the automotive industry, offering a holistic understanding of the measures being implemented to safeguard vehicles from emerging cyber threats.
