Privacy & Security Challenges in Connected Cars
Sai holds over 19 years of experience across various industries like Automotive, Energy, and Consumer Durable. He has a Bachelor’s degree in Electrical Engineering from the National Institute of Technology, Jaipur. Before his current position, he was the Business Head for India, Japan and ASEAN at OSRAM Continental. He has also worked with leading organizations such as Continental, Honeywell & Bosch in various functions like Sales, Program & Project Management, Strategic Marketing and New Product Initiatives/Introduction.
In this exclusive thought leadership piece in discussion with the siliconindia magazine Editorial team, Sai Sridhar, Associate Director, Elektrobit India Pvt. Ltd. sheds light on ‘Privacy & Security Challenges in Connected Cars’. Let’s read through!
In the rapidly advancing automotive industry, connected cars are poised to become universal, with projections indicating that by 2030, 100 percent of new vehicles will be fully integrated into the digital ecosystem. This connectivity is not merely a technological trend, but a transformative force poised to redefine the entire automotive landscape. This technology enhances digital experiences, enables over-the-air (OTA) updates, and supports software upgrades for future features, increasing vehicle value over time. This evolution strengthens advanced driver assistance systems (ADAS) driven by growing consumer expectations. Customers expect cars to offer phone and tablet-like features, including regular updates, intuitive controls, and easy app access. This shift also enables new business models for manufacturers, but it exposes vehicles to cyber threats, requiring a comprehensive approach to safeguard privacy and security.
Regulatory landscape
The UNECE Regulation UN R155 has emerged as a fundamental standard in automotive cybersecurity, applicable to all new vehicle type approvals. This regulation mandates that original equipment manufacturers (OEMs) implement an extensive suite of cybersecurity measures to shield vehicles from emerging threats over the entire life cycle of the vehicle.
As of July 1, 2024, adherence to UN R155 has no longer been a recommendation but a legal obligation for any vehicle entering the European market. The regulation’s scope extends beyond technical compliance; it requires OEMs to establish robust governance structures, risk management processes, and continuous monitoring frameworks to ensure ongoing cybersecurity throughout a vehicle's life cycle.
The criticality of compliance cannot be understated. Earlier this year, several manufacturers were compelled to withdraw some of their flagship models from the European market due to non-compliance with UN R155 requirements. This scenario underscores the regulation's importance and the necessity for OEMs to prioritize cybersecurity from the initial stages of vehicle design to post-production updates.
Building Robust Connectivity Protection
Building robust connectivity protection in automotive systems requires a layered defense approach, grouped into external interfaces, in-vehicle networks, and individual ECU layers.
External interface security: Robust mechanisms must be implemented to authenticate and authorize all external communications, ensuring that only trusted entities are engaged. Encrypting all data transmitted between the vehicle and external interfaces, such as cloud servers, mobile apps, or infrastructure systems, is essential. Firewalls need to be employed to establish barriers between the vehicle's internal systems and external networks, while intrusion detection and prevention systems (IDPS) must be used to detect attack patterns and take automatic actions, such as blocking malicious traffic or alerting system administrators.
In-vehicle network security: Network segmentation must be implemented to separate critical systems, such as braking and engine control units, from non-critical systems such as infotainment. This ensures that even if an attacker gains access to a non-essential system, they cannot easily infiltrate a critical one. Gateways have to be introduced to regulate the data flow between segments, allowing only authorized commands or data packets to move between them, thus preventing lateral movement within the network. Furthermore, message authentication, encryption, and in-vehicle IDPS must be employed to secure internal communications.
Component-level security: Electronic control units (ECUs) must be secured by ensuring a secure boot process that uses cryptographic techniques to verify software integrity and authenticity, preventing unauthorized software from running. Secure mechanisms must be implemented for updating ECU software or firmware, validating and applying the latest security patches. The update process itself has to be secure and capable of verifying the authenticity and integrity of the update. The ECU memory must be protected from unauthorized access, and hardware-based security features be leveraged to further enhance ECU protection. Moreover, integrating AI-driven threat detection at ECU level can provide early warnings and mitigate the impact of potential cyberattacks.
Software life cycle maintenance: The automotive industry is undoubtedly grappling with the challenge of managing the software life cycle of vehicles, especially the critical need for continuous cybersecurity updates over a vehicle's 10- to 15-year lifespan. It is undeniable that establishing a vehicle security operations center (VSOC) has become paramount for actively monitoring fleets, gathering crucial security and event data, and swiftly responding to any cybersecurity incidents. The VSOC confidently enables real-time monitoring of vehicle systems, allowing for the early detection of suspicious activities and a rapid response to potential threats. Furthermore, the VSOC assertively plays a pivotal role in coordinating incident response across multiple regions, ensuring the efficient containment and mitigation of any threats.
Privacy Challenges in the Automotive Industry
As vehicles become more connected, they generate vast amounts of valuable data, including location information, driving habits, and biometric data. This data is crucial for enhancing features such as navigation and predictive maintenance and plays a key role in the software life cycle. The connected nature of modern vehicles provides ongoing insights into software usage and reveals real-world errors that may not have been anticipated during initial testing. For example, these insights enable manufacturers to replicate errors in virtual environments, accelerating error diagnosis and resolution for faster and more automated certification processes for software updates. However, the wealth of data generated by connected vehicles also presents significant privacy challenges that OEMs must address with the utmost diligence.
Privacy in the automotive sector has become a paramount concern, especially with regulations such as the GDPR in Europe and the CCPA in the US imposing stringent guidelines on data collection, storage, and sharing. OEMs must adopt comprehensive strategies to manage these concerns effectively, including data minimization, obtaining explicit user consent, employing robust encryption techniques, and ensuring secure data storage. Additionally, OEMs should consider adopting privacy-enhancing technologies (PETs) to offer additional layers of protection for end user’s data, such as differential privacy or homomorphic encryption. Ultimately, OEMs bear a significant responsibility to protect end users’ privacy and meet the growing demands for privacy within the automotive industry.
Conclusion
As the automotive industry continues its rapid transformation toward a fully connected future, the interplay between cybersecurity and privacy will become even more critical. By adopting a holistic approach that integrates cybersecurity, data privacy, and continuous software development, the industry can build a foundation of trust and security that will support the next generation of connected vehicles.
In this exclusive thought leadership piece in discussion with the siliconindia magazine Editorial team, Sai Sridhar, Associate Director, Elektrobit India Pvt. Ltd. sheds light on ‘Privacy & Security Challenges in Connected Cars’. Let’s read through!
In the rapidly advancing automotive industry, connected cars are poised to become universal, with projections indicating that by 2030, 100 percent of new vehicles will be fully integrated into the digital ecosystem. This connectivity is not merely a technological trend, but a transformative force poised to redefine the entire automotive landscape. This technology enhances digital experiences, enables over-the-air (OTA) updates, and supports software upgrades for future features, increasing vehicle value over time. This evolution strengthens advanced driver assistance systems (ADAS) driven by growing consumer expectations. Customers expect cars to offer phone and tablet-like features, including regular updates, intuitive controls, and easy app access. This shift also enables new business models for manufacturers, but it exposes vehicles to cyber threats, requiring a comprehensive approach to safeguard privacy and security.
Regulatory landscape
The UNECE Regulation UN R155 has emerged as a fundamental standard in automotive cybersecurity, applicable to all new vehicle type approvals. This regulation mandates that original equipment manufacturers (OEMs) implement an extensive suite of cybersecurity measures to shield vehicles from emerging threats over the entire life cycle of the vehicle.
As of July 1, 2024, adherence to UN R155 has no longer been a recommendation but a legal obligation for any vehicle entering the European market. The regulation’s scope extends beyond technical compliance; it requires OEMs to establish robust governance structures, risk management processes, and continuous monitoring frameworks to ensure ongoing cybersecurity throughout a vehicle's life cycle.
The criticality of compliance cannot be understated. Earlier this year, several manufacturers were compelled to withdraw some of their flagship models from the European market due to non-compliance with UN R155 requirements. This scenario underscores the regulation's importance and the necessity for OEMs to prioritize cybersecurity from the initial stages of vehicle design to post-production updates.
Building Robust Connectivity Protection
Building robust connectivity protection in automotive systems requires a layered defense approach, grouped into external interfaces, in-vehicle networks, and individual ECU layers.
External interface security: Robust mechanisms must be implemented to authenticate and authorize all external communications, ensuring that only trusted entities are engaged. Encrypting all data transmitted between the vehicle and external interfaces, such as cloud servers, mobile apps, or infrastructure systems, is essential. Firewalls need to be employed to establish barriers between the vehicle's internal systems and external networks, while intrusion detection and prevention systems (IDPS) must be used to detect attack patterns and take automatic actions, such as blocking malicious traffic or alerting system administrators.
In-vehicle network security: Network segmentation must be implemented to separate critical systems, such as braking and engine control units, from non-critical systems such as infotainment. This ensures that even if an attacker gains access to a non-essential system, they cannot easily infiltrate a critical one. Gateways have to be introduced to regulate the data flow between segments, allowing only authorized commands or data packets to move between them, thus preventing lateral movement within the network. Furthermore, message authentication, encryption, and in-vehicle IDPS must be employed to secure internal communications.
Building robust connectivity protection in automotive systems requires a layered defense approach, grouped into external interfaces, in-vehicle networks, and individual ECU layers.
Component-level security: Electronic control units (ECUs) must be secured by ensuring a secure boot process that uses cryptographic techniques to verify software integrity and authenticity, preventing unauthorized software from running. Secure mechanisms must be implemented for updating ECU software or firmware, validating and applying the latest security patches. The update process itself has to be secure and capable of verifying the authenticity and integrity of the update. The ECU memory must be protected from unauthorized access, and hardware-based security features be leveraged to further enhance ECU protection. Moreover, integrating AI-driven threat detection at ECU level can provide early warnings and mitigate the impact of potential cyberattacks.
Software life cycle maintenance: The automotive industry is undoubtedly grappling with the challenge of managing the software life cycle of vehicles, especially the critical need for continuous cybersecurity updates over a vehicle's 10- to 15-year lifespan. It is undeniable that establishing a vehicle security operations center (VSOC) has become paramount for actively monitoring fleets, gathering crucial security and event data, and swiftly responding to any cybersecurity incidents. The VSOC confidently enables real-time monitoring of vehicle systems, allowing for the early detection of suspicious activities and a rapid response to potential threats. Furthermore, the VSOC assertively plays a pivotal role in coordinating incident response across multiple regions, ensuring the efficient containment and mitigation of any threats.
Privacy Challenges in the Automotive Industry
As vehicles become more connected, they generate vast amounts of valuable data, including location information, driving habits, and biometric data. This data is crucial for enhancing features such as navigation and predictive maintenance and plays a key role in the software life cycle. The connected nature of modern vehicles provides ongoing insights into software usage and reveals real-world errors that may not have been anticipated during initial testing. For example, these insights enable manufacturers to replicate errors in virtual environments, accelerating error diagnosis and resolution for faster and more automated certification processes for software updates. However, the wealth of data generated by connected vehicles also presents significant privacy challenges that OEMs must address with the utmost diligence.
Privacy in the automotive sector has become a paramount concern, especially with regulations such as the GDPR in Europe and the CCPA in the US imposing stringent guidelines on data collection, storage, and sharing. OEMs must adopt comprehensive strategies to manage these concerns effectively, including data minimization, obtaining explicit user consent, employing robust encryption techniques, and ensuring secure data storage. Additionally, OEMs should consider adopting privacy-enhancing technologies (PETs) to offer additional layers of protection for end user’s data, such as differential privacy or homomorphic encryption. Ultimately, OEMs bear a significant responsibility to protect end users’ privacy and meet the growing demands for privacy within the automotive industry.
Conclusion
As the automotive industry continues its rapid transformation toward a fully connected future, the interplay between cybersecurity and privacy will become even more critical. By adopting a holistic approach that integrates cybersecurity, data privacy, and continuous software development, the industry can build a foundation of trust and security that will support the next generation of connected vehicles.
