Advancements in Vehicle Software Pose Challenges for Cybersecurity in Germany

The automotive sector in Germany is experiencing a technological revolution with the increasing complexity of software in vehicles. In addition to powerful hardware, modern vehicles now incorporate extensive and intricate software systems. Individual functions are consolidated into central control units, and full-fledged operating systems are deployed within these vehicles. This advancement enables manufacturers to offer post-purchase software updates to customers through the infotainment system, providing additional features like colored interior lighting or pre-conditioning as paid upgrades. Payment functions, including biometric two-factor authentication, such as fingerprint verification, are being integrated into vehicles as part of this trend. Furthermore, additional apps can also be sourced from third-party developers.

As software becomes more integral to vehicles, the software supply chains have become increasingly complex. This complexity presents challenges in managing software vulnerabilities effectively. Many development projects in the transportation sector, including automotive and aerospace, utilize open-source code. However, these open-source components are often not continuously maintained or updated by their original developers. Users of such open-source components, including automotive manufacturers, are responsible for maintaining and updating the code. An analysis in 2023 revealed that 100% of examined codebases in the transportation sector contained open-source components, and in 63% of cases, “high-risk” vulnerabilities were discovered. This marked a significant increase in vulnerability numbers (over 200%) compared to a similar analysis conducted by the same service provider in 2018.

It’s essential to note that not every software vulnerability in a complex system like a vehicle is exploitable by attackers. The exploitability depends on the specific component where the vulnerable software is implemented and whether there is an attack vector through an external interface. Nevertheless, manufacturers bear the responsibility of continuously assessing vulnerabilities in the entire software ecosystem, including open-source components, and evaluating their impact on the overall cybersecurity of the vehicle. Regular security updates will likely become standard practice in the automotive industry, similar to the traditional IT sector.
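The two preceding paragraphs make two points that belong together in practice: every open-source component in the vehicle has to be tracked against known vulnerabilities, and the priority of a finding depends on which control unit hosts the component and whether that unit exposes an external interface. The Python routine below is an added example, not code from the report or from any manufacturer, that applies exactly that triage logic to a small in-memory component inventory. All component names, versions, ECUs, interfaces and advisories are constructed for the example; a real implementation would read an SBOM and an advisory feed instead of inline lists.

```python
"""Triage of known vulnerabilities in a vehicle's open-source components.

Added example (not from the report it accompanies). Every component,
ECU, interface and advisory below is constructed for illustration.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    ecu: str                         # control unit hosting the component
    external_interfaces: tuple = ()  # e.g. ("cellular", "wifi"); () if none


@dataclass(frozen=True)
class Advisory:
    component: str
    fixed_in: str                    # first version that contains the fix
    severity: str                    # "high", "medium" or "low"


def parse_version(version: str) -> tuple:
    """Turn '1.2.10' into (1, 2, 10) so that versions compare numerically
    rather than as strings ('1.2.10' > '1.2.9' must hold)."""
    return tuple(int(part) for part in version.split("."))


def is_affected(component: Component, advisory: Advisory) -> bool:
    """A component is affected when it is the advisory's component and
    runs a version older than the first fixed release."""
    return (component.name == advisory.component
            and parse_version(component.version) < parse_version(advisory.fixed_in))


def triage(sbom, advisories):
    """Match every component against every advisory and rank the hits.

    Priority combines the advisory's severity with whether the hosting
    ECU has an external interface (the attack-vector question): an
    unreachable instance is still recorded, because a later change to
    the ECU's connectivity can turn it into a reachable one.
    """
    findings = []
    for comp in sbom:
        for adv in advisories:
            if not is_affected(comp, adv):
                continue
            reachable = bool(comp.external_interfaces)
            if reachable and adv.severity == "high":
                priority = "P1-patch-now"
            elif reachable:
                priority = "P2-schedule"
            else:
                priority = "P3-track"
            findings.append({
                "component": comp.name,
                "version": comp.version,
                "fixed_in": adv.fixed_in,
                "ecu": comp.ecu,
                "severity": adv.severity,
                "reachable": reachable,
                "priority": priority,
            })
    # Priority labels are chosen so that plain string order is the ranking.
    findings.sort(key=lambda f: f["priority"])
    return findings


def run_example():
    """Constructed inventory: the same TLS library sits on a connected
    telematics unit and on an internal body controller; only the former
    has an external attack vector."""
    sbom = [
        Component("libfoo-tls", "1.2.3", "telematics-unit", ("cellular", "wifi")),
        Component("libfoo-tls", "1.2.3", "body-controller"),
        Component("imgcodec", "0.9.0", "infotainment-head-unit", ("bluetooth", "usb")),
        Component("canparser", "2.0.1", "gateway"),
    ]
    advisories = [
        Advisory("libfoo-tls", fixed_in="1.2.5", severity="high"),
        Advisory("imgcodec", fixed_in="1.0.0", severity="medium"),
        Advisory("canparser", fixed_in="2.0.0", severity="high"),  # already fixed
    ]
    return triage(sbom, advisories)


if __name__ == "__main__":
    for finding in run_example():
        print(f"{finding['priority']:13} {finding['component']} {finding['version']} "
              f"on {finding['ecu']} (fixed in {finding['fixed_in']})")
```

The point the output makes is that the same vulnerable library instance can land in different priority classes depending on the ECU it runs on, and that an instance with no external interface is still tracked rather than discarded, since the assessment of the whole software ecosystem the text calls for has to be repeated whenever connectivity or the advisory data changes.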

One open question is the timeframe during which manufacturers will provide patches to address vulnerabilities after a vehicle’s purchase. Existing regulations do not specify concrete deadlines for this. However, a major automaker has announced its commitment to providing software support for up to 15 years after the end of production.

Future Regulations

In addition to existing regulations, standards, and norms related to cybersecurity in the automotive sector (as mentioned in Chapter 5), there are several forthcoming regulations that will affect the industry. These include the EU AI Act, EU Data Act, ENISA’s Cloud Service Scheme, and the Charging Infrastructure Regulation. Overall, cybersecurity is increasingly being regulated at the European level. As these application areas are not always easily distinguishable, ensuring proper application and practical implementation by the industry and oversight by authorities will be a challenge.

One significant example of upcoming regulation, likely to impact the transportation sector, is the EU Cyber Resilience Act (CRA).

The Cyber Resilience Act (CRA) is a proposed EU harmonization regulation introducing mandatory cybersecurity requirements for products with digital elements intended for sale in the European Single Market. The proposed regulation covers all “products with digital elements whose intended or foreseeable use includes a direct or indirect logical or physical data connection to a device or network.” This includes products used in the context of road traffic (as of May 2023). However, some product categories are explicitly excluded, as they are subject to other EU-wide regulations. This includes motor vehicles and vehicle parts falling under EU Regulation (EU) 2019/2144, including UN Regulation 155. On the other hand, products with digital elements used in road infrastructure, such as Road Side Units for vehicle-to-everything (V2X) communication, fall under the scope of the CRA.

The CRA defines categories of high-risk and critical products for the purpose of product assessment. High-risk products require mandatory certification for conformity assessment under a scheme established under the Cyber Security Act (CSA) or, if no such scheme exists, under national certification schemes. Which products count as high-risk has not yet been decided and will be determined later through a delegated act by the Commission. Critical products generally require a conformity assessment against the CRA requirements by a notified body. Alternatively, certification under a Cyber Security Act scheme may be used instead, in which case conformity is presumed.

Regarding product testing, the CRA specifies that Member States must designate a national market surveillance authority. This authority evaluates products on the market and can demand corrective actions from manufacturers or prohibit further placement on the market if a product does not comply with the regulation. Manufacturers must provide relevant technical data required for market surveillance activities upon request.

The points mentioned above reflect the current draft status. The EU Commission released a draft version of the Cyber Resilience Act in September 2022. It’s important to emphasize that the CRA may undergo significant changes during ongoing negotiations between the Commission, Parliament, and Council. The goal is for the CRA to come into effect in the first quarter of 2024.