Cybersecurity Regulation in the Automotive Industry – Who is Responsible for Protecting the Connected Car?


VP Innovation

July 18, 2018

The integration of innovative IoT and connected car technologies enabling today’s advanced driving experience, as well as remote management and servicing, has secured the connected car’s position as one of the fastest growing markets in the smart mobility ecosystem. In fact, according to Business Insider [1], 82% of all cars shipped in 2021 are expected to be connected, while in Europe, major economies are expected to reach nearly a 100% penetration rate by 2020 [2], with early adoption driven by the eCall mandate. By 2022, the connected car market is forecast to reach a staggering $155 billion [3].

Connectivity leads to automotive cybersecurity risks

This increase in connectivity also leads to greater exposure to cybersecurity risks.

Once the valuable data is gathered and stored within the backend telematics servers of OEMs, car fleets or telematics service providers, it can be accessed by a malicious party and used to either harm the vehicle, hurt the company, or steal sensitive information (whether personal customer data or corporate IP data). This is why regulators have long been concerned over data privacy and data protection with respect to the connected automotive industry.

The discussion over “who owns the data” has been a hot topic over the past decade, and one that hasn’t skipped the connected automotive industry. The debate is not only about who owns the data, but also about who is responsible for protecting it in case of a breach, and who needs to be held accountable. Whether the telematics data is collected by the car-fleet, the OEM, or a 3rd party TSP, someone needs to be responsible for protecting the service backend. However, due to the complexity of the relationships between the different stakeholders in the connected car ecosystem, this question remains unresolved, and here’s why:

From personal data regulations such as the GDPR to Canada’s digital privacy law (PIPEDA [4]), or the European Parliament Transport Committee’s call for EU regulation on access to car data, it is clear that the consumer should own vehicle-generated data – not the car-fleet or OEM running the telematics servers. However, at the same time, car-fleets and OEMs are tasked with abiding by regulations and protecting the data. They are therefore the ones to experience any blowback from potential threats and hacks. This is true whether the car-fleet and OEMs secure their telematics data in-house, or use a third-party TSP to do so – either way, they are perceived as accountable for the protection of the telematics data, both by regulators and in the public eye.

When it comes to data protection, connected car-fleets and OEMs have their reputations continuously on the line, regardless of who is actually securing their customers’ data. The bad publicity that follows a car hack, and the loss of customers that tends to accompany such events, could cause disastrous reputational damage to the company.

Telematics data is key in automotive cybersecurity

Car-fleets and OEMs are therefore incentivized to continuously enhance, strengthen, and secure their cars’ telematics data, even when it is handled by 3rd party TSPs.

It is up to them to ensure TSPs are optimally securing the data, in accordance with industry-established best practices and regulations. In light of this realization, OEMs, car-fleets, and trucking associations have become active proponents of greater, more stringent and comprehensive evaluations and optimizations of their connected vehicles. The Association of Global Automakers expressed its support [5] for a proposed rulemaking requiring Vehicle-to-Vehicle (V2V) communications capability in all new connected cars, hailing it as “smart regulation that will make our roadways safer and create a competitive marketplace for further safety applications.”

The National Motor Freight Traffic Association (NMFTA) has called for these new vehicle systems to “undergo annual cybersecurity evaluations before being placed on public roads,” including design reviews, penetration tests, and other testing. The American Truck Dealers (ATD) has been quite vocal about the need for automated vehicle systems to be “continuously and periodically inspected for proper software and hardware component operation and to verify that they utilize the most current software updates.” The American Trucking Associations (ATA) said employees of fleet providers must be adequately trained to “assure cybersecurity in company systems and equipment,” so that they would know how to respond to a known or suspected breach. And the Owner-Operator Independent Drivers Association (OOIDA) has called on FMCSA to regulate the implementation of cybersecurity protections.

Clearly, these associations have assumed accountability for the security of their connected cars, and have recognized that they need the aid of regulatory bodies to enhance their security capabilities and services.

Automotive cybersecurity regulation is here, though not sufficient

In just a few years, there have been exceptional developments in the field of connected car cybersecurity regulation.

Government bodies have identified the urgent need for such regulations to be established. The 2015 SPY Car Act [6] proposed that standard security measures be implemented by OEMs, covering every relevant process from supply chains to data privacy and protection. Since 2016, NHTSA and FHWA have been releasing initial guidelines and best practices [7] for building and operating secure connected cars in the US. And, as mentioned above, the EU has been working hard to secure any business’ use of personal data, through its new GDPR and other stringent privacy laws.

Yet, despite great regulatory progress, security standards have yet to be fully mandated for the connected car industry. There is an urgent need for more robust security controls that identify and thwart threats in real time and prevent data breaches across the entire connected car ecosystem. Industry-specific regulations will oblige car-fleets and OEMs to demonstrate the accountability their consumers already expect from them, and though such regulations will likely be established in the coming years, there is no way of knowing ahead of time when exactly that will be, or what exactly they will enforce.

Automotive cybersecurity for your connected car

In the meantime, whether you’re a car-fleet or an OEM, you need to ensure cybersecurity now.

Here’s how Upstream Security can help:

At the end of the day, it is up to car-fleets and OEMs to ensure that the telematics data their connected cars generate is secure. Regardless of who runs the telematics servers, car-fleets and OEMs are the only bodies accountable in the eyes of regulators and customers. If you fail to assume this great responsibility, you risk not only high fines but also irreparable reputational damage and customer loss. Your customers care little about who manages their data, and a lot about its superior security. And so, every moment that you do not ensure robust protection of the telematics data is another moment you’re endangering the prosperity and future of your business.

Upstream Security can help you enhance your data security, today. Upstream’s solution for car-fleets, TSPs, and OEMs helps protect their consumers’ data from theft and cyber attacks by using Artificial Intelligence and Machine Learning technologies to analyze the data traffic across the entire connected-car ecosystem.
