Cars and cybersecurity: the risk of a cyber crash on four wheels

A Microsoft platform failure has grounded hundreds of planes worldwide and halted operations at many airports. Given the use of increasingly connected cars, the question arises: could a cybersecurity problem or hacker attack bring traffic on four wheels to a standstill? Before finding out whether the cars we use on a daily basis are at risk, it is useful to remember the regulations that protect the industry;

What are the main regulations on automotive-related cybersecurity? UN Regulation No. 155 deals with the cybersecurity management system (Csms) that OEMs (stands for Original Equipment Manufacturers, i.e. component manufacturers and producers) must apply to the development and supply chain of vehicles. Regulation 156 deals with software updates and the software update management system (Sums) in the hands of the Oem. Since 7 July, manufacturers have had to prove, according to UNECE Regulation No. 155, that cybersecurity has been adequately considered during product development. The United Nations Economic Commission for Europe (UNECE) covers 58 countries and covers cars, vans, trucks, coaches, buses, agricultural vehicles and non-road mobile machinery. In Europe, the UNECE regulations are implemented through the General Vehicle Safety Regulation, which establishes the principles for driver assistance systems (now mandatory) and the legal framework.

In order to facilitate the implementation of Regulation No. 155 and 156, ISO in collaboration with Sae - Society of Automotive Engineers - has produced a set of standards to be met. The ISO 21434 standard, to comply with Regulation No. 155, in fact indicates the requirements for the cybersecurity management system (Csms), compliance with which is proof of the cybersecurity of newly type-approved vehicles. The ISO 24089 standard, linked to Regulation No. 156, is the guide for the software update process. The ISO 21434 (Road Vehicles Cybersecurity Engineering) standard specifies requirements for the cybersecurity management system (Csms), compliance with which is evidence of the cybersecurity of newly type-approved smart vehicles. The ISO 21434 standard applies to the electrical and electronic systems of series production road vehicles, including software and related components and interfaces. Without specifying any technical requirements or technology related to cybersecurity, it specifies requirements for cybersecurity risk management, addresses the product life cycle and defines a common language and aftermarket and spare parts. But which components are affected by ISO 21434? Infotainment systems, gateways, sensors, cameras, security and communication systems. Among the illustrious 'victims' of the new standard is the thermal Porsche Macan; the German SUV has been taken off the European market precisely because of the lack of cybersecurity requirements;

The Global Automotive Cybersecurity Report 2024 counted more than 1,468 cyber incidents related to connected vehicles since 2010. Since 2023, there has been an increase in incidents and cyber attacks against connected vehicles. In detail, half of the incidents caused damage to the vehicle and the driver. Another worrying side comes from the type of attack: 95 per cent were carried out remotely;

It was almost 10 years ago in 2015 when two computer scientists managed to hack into the Jeep Cherokee's Uconnect system and managed to operate the car's controls remotely. Fca decided to recall about 1.4 million vehicles from the US market after that happened. The company then decided to take additional security measures against the risk of hacking and manipulation from outside the cars equipped with the touchscreen radio system with which some models are equipped in the US.