When Israel-based REE Automotive designed the chassis of its P7 electric vehicle, it started from the software: The vehicle’s flat chassis is fully configurable with four independent modules near each tire for steering, braking, suspension and powertrain, each driven by an electronic motor control unit (ECU) customizable via software.
It features drive-by-wire, steer-by-wire and brake-by-wire (and data collection as a service), giving the company the ability to customize the vehicle to the customer’s application, but also potentially making the platform a hacker’s dream.
Securing a fleet of vehicles is a major endeavor, requiring cybersecurity for design and development teams, the factory floor, and the connected vehicles themselves, says Yaron Edan, CISO of the automotive technology company. Cybersecurity teams must not only monitor cyber threats, but also manage supply chain security, operational technology (OT) on the factory floor, and the vehicle network used to monitor and update the platform.
“My headache, my concern, is basically divided into two: our network [which supports the creation of the platform] but that’s not enough,” he says. “We need to understand what the threats are and monitor them [for those] around the clock for each vehicle through our SOC.”
Such security efforts, however, come with another challenge: the success of “right to repair” efforts to make all types of consumer and enterprise technology available to allow customers to repair the devices they purchase. The passage of a Massachusetts law, for example, requires automakers and automotive technology makers to share information and data produced by vehicles to allow consumers and third parties to maintain, repair and even modify their vehicles.
While the National Highway Traffic Safety Administration (NHTSA) initially ruled that existing federal safety regulations trumped the law, saying, “[F]ederal law does not permit a manufacturer to sell vehicles that it knows contain a safety defect,” the state and federal governments eventually came to an agreement on the implementation: automakers would be required to give third parties the ability to locally access the data and systems of the vehicles they own, but the remote diagnosis and update networks may remain closed, the regulators decided.
Electric vehicles involve great flexibility and risk
Whether the deal will help companies with large fleets of vehicles, especially electric ones, remains an open question. Software-defined vehicles really took off with electric vehicles – and the example of Tesla’s success – and the most significant software-based features will likely remain with electric vehicles.
Electric vehicle manufacturers can build their platforms from the initial design using software that can be updated to change the vehicles’ configuration and performance throughout the deployment journey and beyond, says Alex Oyler, director of North America at SBD Automotive, an automotive supply chain consultancy.
The ability to respond effectively and quickly to cybersecurity events will likely remain in the hands of these manufacturers, not third parties, he says.
“If there is a really critical zero day, and that needs to be addressed as soon as possible, the product cybersecurity teams [at auto manufacturers] are running the show, coordinating stakeholders across the company, and accelerating the timeline to get things right,” he says. “It’s not an easy process today, that’s for sure.”
Some manufacturers, however, may outsource the cybersecurity function. The United Nations approved an amendment for product safety that requires countries that are part of the United Nations Economic Commission for Europe to require regulatory approval of cybersecurity management systems used in vehicles.
Connectivity will only grow
Vehicles have been connected for decades, either as part of an on-board maintenance system or as part of a driver assistance system. However, software-defined vehicles have expanded that connectivity with features such as remote start via a smartphone app and limited diagnostic monitoring for the consumer, essentially turning cars into Internet of Things (IoT) devices. As automakers offer greater accessibility via APIs, more risk will follow, says Shira Sarid-Hausirer, vice president of Upstream, an automotive cybersecurity and data management company.
“The openness to the ecosystem is what probably introduced the biggest risk,” she says, pointing to various cyber attacks on the cybersecurity of Tesla vehicles. “What happens when OEMs start opening up their APIs to other third-party apps that can now send commands to your vehicle? … The vehicle is becoming a hub for technology.”
Giving companies access to some of this data to enable fleet management might be enough, while the provision in Massachusetts’ right to repair law allows some third parties to offer vehicle maintenance services, although probably at a high price. It remains to be seen whether such restrictions will improve in the future as the rapid pace of SDV innovation slows, says SBD Automotive’s Oyler.
“It’s kind of fair for both the NHTSA and the automakers to raise some flags, but that being said, there is a secure way to share diagnostic information, and Software Defined Vehicle actually provides a way to do that through those secure channels,” he claims.
Cyberattacks are unlikely to be catastrophic in most cases
Automakers’ recent focus on cybersecurity has led to the creation of much more secure platforms over the past decade. But the focus going forward must be on ensuring that security while offering greater transparency to customers, Oyler says. As enterprise customers and individual vehicle owners demand greater maintainability and reusability of their devices, automakers will need to follow suit.
Properly designed platforms can also dramatically reduce the risk of a widespread cyber attack, says Upstream’s Sarid-Hausirer. The company already manages threat intelligence and incident response for some manufacturers, and most incidents are not security-related, but the company classifies half of all incidents as mass or high severity, according to the “2024 Automotive Cybersecurity Report.”
“I can tell you that the vast majority of incidents that we see don’t necessarily jeopardize security, because there has to be a reason to jeopardize your security, and attackers don’t work that way: they’re out there to make money,” she says. Instead, the company has seen many availability attacks. “They manipulate the app so that you can’t start your trucks or get on your trucks in the morning. It could be ransomware, it could be other forms, but availability and fleets are something that needs to be discussed.”
Other attacks have used ride-hailing apps to cause traffic jams in Moscow and hacks for remote launch apps. These availability issues have less to do with diagnostic systems, such as information needed for right to repair, and more to do with management systems, she says.