What are the greatest challenges of automotive cybersecurity and data privacy for connected cars?

March 16th, 2023

As connected cars become an increasingly common and complex part of our digital ecosystem, they also become so much more than a means of transportation. The connected car is a data center on wheels, processing growing quantities of data at an ever-higher pace. Data which is often personal, yet also essential to ensuring a safer, better driving experience. What are the implications of this, from an automotive cybersecurity perspective? How can OEMs overcome the challenges of automotive cybersecurity and data privacy, and offer cybersecure connected car services?

Identifying the greatest challenges of automotive cybersecurity and data privacy

The cybersecurity aspect of connected car services involves a great deal of granularity. It is difficult to make broad generalizations about an automotive landscape that involves so many different car brands, in different markets, with a wide range of different digital offerings and solutions. That said, there are overarching cybersecurity and data privacy factors that affect the automotive industry in its entirety, and those will be the focus of this article.

These factors can be divided into three main categories: legislation, supply chain, and risk management. What challenges do they pose in terms of automotive cybersecurity and data privacy, and what can OEMs do to tackle them?

Automotive cybersecurity and data privacy legislation is becoming stricter and more fragmented at the same time

Automotive cybersecurity and data privacy legislation is becoming stricter all around the world, both through national legislation and international resolutions such as UN R155 and UN R156. Even so, we should not expect a harmonization between countries and markets. Instead, connected cars – and by extension OEMs – will have to navigate an increasingly complex digital and legislative landscape.

Businesses operating on a global level will have to manage overlapping – at times conflicting – legal frameworks that affect how and where connected car services can be offered. Implementing these requirements demands a high level of coordination of many different stakeholders. Increasing data localization and access limitation requirements challenge established notions of globalized IT. As such, having a solid understanding of one’s digital environment, and being able to ensure oversight, has never been more important. OEMs will have to incorporate regulatory compliance into their strategic decision-making, and consider the implications of operating in different regions and jurisdictions.

Ensuring compliance is not a one-time-achievement, but a long-term commitment. Legislation around automotive cybersecurity and data privacy will continue to change, and become more rigorous and specified. And even though national legislation will end at a country’s border, millions of connected cars will cross it. OEMs need to find privacy-friendly and cybersecure solutions not just for separate markets, but for the millions of connected cars that will operate in more than one market.

a man looking at a computer screen

Automotive cybersecurity and data privacy must run through the entire connected car supply chain

The connected car is steadily moving towards becoming the software-defined car. The digital ecosystem that makes this possible involves a wide (and growing) variety of networks, apps, and service providers; not to mention a multitude of connected car services and continuous over-the-air (OTA) updates. In order for these cars to have long lives, and generate revenue for years – decades, even – their software needs to stay updated and relevant. Drivers expect the OEM to be responsible for the quality of its connected car services, and that their data privacy will be protected at all times.

Getting this entire supply chain to work will be a challenge to any OEM’s organization. Supplier vetting and auditing are essential in order to identify weak links in supply chains, and prevent security breaches from affecting the increasing amounts of sensitive driver data. As digital supply chains grow in complexity, so do the risks. Addressing these risks requires technical, organizational, and legal measures.

Finding the appropriate level of risk management for your connected car services

More digital features means greater complexity and additional potential attack vectors. We will see greater volumes of connected cars, that in turn will be more feature-driven and contain more electronic control units (ECUs), which will have more computing power.

So, how can OEMs find the appropriate level of risk management for their connected car services? In the past, creating a firewall for one’s digital products and solutions was the method of choice. Today, security by design and privacy by design are key concepts to consider in all service development. By ensuring that your products and solutions incorporate security and privacy design features, you will be better equipped to manage risks and threats.

That said, not every risk can be completely foreseen or prevented. Similarly, there cannot be innovation without at least a little bit of risk-taking. Security by design allows OEMs to navigate both complex legislation and complex connected car service delivery. That provides a good foundation from which they can develop and differentiate their digital offerings.

smartphone app UI for remote car control

The most important actions that OEMs need to take to ensure automotive cybersecurity and data privacy

  1. Always stay up-to-date with automotive legislation
    OEMs should closely monitor the development of cybersecurity and data privacy legislation. Their connected car services need to comply with legislation that will continue to change, and continue to differ between markets. The greater the awareness, the better the OEM will be able to navigate the mobility landscape.
  2. Collaborate with your connected car service providers and partners
    OEMs should work together with their knowledgeable service developers and suppliers, to ensure the continued quality of their connected car services. These services need to remain attractive and useful to drivers in many markets, for many years. Strong long-term partnerships allow OEMs to use their partners’ expertise in creating digital products that are broad and excellent, across markets and car models. Meanwhile, the OEM can focus its time and resources on the products and features that differentiate the brand from its main competitors.
  3. Implement security and privacy awareness throughout the company organization
    How can the OEM ensure the resilience of its digital ecosystem, and continuously reach better risk awareness and risk management? The short answer: curiosity and education. Risk management needs to be an integral part of the company’s culture, not just for hardware but for software too. It cannot be done overnight, and that is a good thing. Building up risk management capability over time will make any OEM’s organization better prepared for the cybersecurity challenges it will inevitably face.

How WirelessCar helps OEMs in their automotive cybersecurity and data privacy strategy

Just like no automaker manufactures all of its physical components, it will not benefit from making all of its digital products by itself. Instead, they should focus on the services that make them unique, and set them apart from their competitors.

At WirelessCar, we are proud to be both a knowledge hub and advisor on the one hand, and a reliable partner and service developer on the other. With over twenty years of experience, we know off-board, cloud services, and how to maintain and improve connected car services over time and across markets. Our products are secure by design, contributing to better risk management and greater digital resilience throughout the supply chain.

Perhaps most importantly, it is through our collaborations with different OEMs that we are able to learn and improve together. Automotive cybersecurity and data privacy are no longer about putting up that firewall, or finding the ultimate solution that allows us to never have to think about these things ever again. It is about awareness, collaboration, and risk management – and building on the knowledge and experience that you acquire over time. That way, we can create even better connected car services, and a digital ecosystem that is as smooth as it is secure.

 

If you have any questions on WirelessCar’s work with automotive cybersecurity and data privacy, feel free to ask me. You can learn more about our work with safety and security on our website, and read related articles on our Insights blog, including my article on automotive cybersecurity in a changing world – 4 key insights for OEMs.

Michael Shaffer
Head of Cybersecurity