Your Car is Becoming a Cybersecurity Risk

Article By : Egil Juliussen

The good news is that there is a growing number of automotive cybersecurity activities to secure in-vehicle hardware and software, and cloud platforms.

The automotive industry started taking cybersecurity seriously about six years ago and started investing in designing and deploying cybersecurity solutions. The auto industry is now deploying cybersecurity hardware and software, but there is a long road ahead to get every ECU in the car protected against increasingly cyberattacks.

Cybersecurity in the auto industry is much more complex than smartphones and PCs for two main reasons:

  1. The dozens of ECUs in each vehicle connected via multiple electronic buses with different speeds and characteristics, and
  2. the multiple potential in-car and remote access points such as OBDII, USB and SD ports, keyless entry, Bluetooth and Wi-Fi, embedded modem, sensors, infotainment or smartphone apps and the multiple connections via telematics and other cloud systems that access car systems.

The good news is that there is a growing number of automotive cybersecurity activities to create in-vehicle hardware and software and cybersecurity cloud platforms. Several cybersecurity standard and regulation are emerging, which will further increase the momentum to deploy cybersecurity solutions in all connected vehicles.

The next table is a summary of this column’s cybersecurity coverage. Additional cybersecurity information will be included in another column.

(Click on the image for a larger view.)

Cybersecurity threat status

Upstream Security has published several yearly reports that analyze automotive cyberattacks. The latest report, released in early 2021 (it is available at:  includes data from 2010 to 2020 and covers over 200 automotive cyber incidents across the world.

The report includes information on the deep and dark web, which enable automotive cyber criminals to communicate with significant anonymity. There are forums with detailed discussions on how to attack connected vehicles, how to access sensitive data, and how to take over and steal a vehicle. Even on the surface web, cyber criminals can find online shops that sell hacking tools, services that disable immobilizers, code grabbers and tutorials on how to steal a car.

(Click on the image for a larger view.)

One interesting data point is where the attacks are directed — the so-called attack vectors. The table on the right clearly show that there are two popular targets. Cloud servers are the entry points for nearly 33% of total cyberattacks, as hackers try to gain access to valuable data that can be used to compromise automotive cybersecurity. Insecure keyless entry or key fobs are frequently exploited to gain access and to steal cars. Mobile apps are in third place with nearly 10% of the cyberattacks.

It is interesting that remote attacks add up to nearly 80% of total cyberattacks while the physical attacks are around 20%.

Upstream also tracks the cyberattack sources between so-called white-hat and black-hat attackers. White-hat hackers do not have malicious intent. They are mostly researchers that hack into systems for security validation or vulnerability assessments. White-hat researchers are often employed and/or rewarded by the hacked company for finding vulnerabilities. Black-hat hackers are attacking systems for personal gain or malicious reasons. In 2020 black-hat hackers accounted for 54.6% of total cyberattacks compared to 49.3% of all attacks from 2010 to 2020.

White-hat hackers are discovering new vulnerabilities independently or as part of a bug bounty programs. In bug bounty programs they are paid if they find vulnerabilities in vehicles and connected services. The list of auto OEMs running bug bounty programs is increasing. Many OEMs, including Tesla, GM, Ford, FCA, Daimler and others participate in bug bounty programs on platforms like BugCrowd, HackerOne, or their own websites.

The vulnerabilities in software components are published as Common Vulnerabilities and Exposures (CVEs) in a program launched by MITRE in 1999. There have been 110 automotive CVEs reported with 33 reported in 2020 compared to 24 in 2019.


Most industries have formed organizations for combating cybersecurity; these organizations are usually called Information Sharing & Analysis Centers (ISAC). The Auto-ISAC was formed in August 2015; it operates a central hub for sharing, tracking and analyzing intelligence about cyber threats, vulnerabilities and incidents related to connected vehicle. It is headquartered in Washington D.C., and the website is Auto-ISAC – Automotive Information Sharing & Analysis Center (

The Auto-ISAC members account for over 99% of light vehicles sold in North America; the organization also has over 45 global OEM and supplier members. The Auto-ISAC membership was expanded to include heavy truck OEMs and their suppliers, as well as the commercial vehicle sector— including fleets and carriers. The suppliers include Tier 1s, and companies such as Argo, Intel, Motional and Waymo.

There is also cooperation with other organizations. Auto-ISAC coordinates with 23 other ISACs covering critical infrastructure areas like healthcare, aviation, telecommunications and financial services.


The European Union Agency for Cybersecurity (ENISA) is the EU’s agency dedicated to achieving cybersecurity across Europe. ENISA contributes to EU cyber policy, enhances the trustworthiness of ICT products, services and processes with cybersecurity certification. ENISA is active in automotive cybersecurity and has released several relevant reports.

In February 2021, ENISA published: Cybersecurity Challenges in the Uptake of Artificial Intelligence in Autonomous Driving. The report provides insights on cybersecurity challenges of using AI technology in autonomous vehicles. It describes the policy context at both European and international levels.

In November 2019, ENISA published: Good Practices for Security of Smart Cars. The report defines good practices for security of connected cars and semi-autonomous vehicles. In 2017, ENISA published: Cybersecurity and Resilience of Smart Cars, which focuses on best practices for auto OEMs and suppliers in protecting embedded systems from cyber-attacks.

A primary requirement of the cybersecurity standards and regulations is to secure the vehicle throughout its entire lifecycle, from development, production, and customer use phases.

After two years of preparations and revisions, the United Nations adopted its UNECE WP.29 cybersecurity regulation on June 24, 2020. WP.29 applies to 54 countries including the EU, UK, Japan and South Korea. The 54 countries account for about 35% of the world’s vehicle production. Many other countries accept UN-compliant vehicles. U.S. is not included in the 54 countries. All manufacturers, including U.S. automakers, selling into these markets must follow WP.29 cybersecurity regulation for their products and processes.

UN regulations are legally enforceable. If a country or region adopts WP.29 regulations, proof of compliance is needed for an OEM to get type approval to sell into a market. In Europe, type approval provides mutual recognition of compliance at the whole vehicle level. If a manufacturer obtain certification for a vehicle type in one EU country, it can sell it across the EU without further tests.

The WP.29 regulation consists of two main directives on automotive cybersecurity. More details are included in the next section.

The ISO/SAE 21434 develops a new standard for cybersecurity for road vehicles with focus on adding cybersecurity in the engineering phase of the vehicle. The standard specifies requirements for cybersecurity risk management with emphasizes on cybersecurity process and a common language for communicating and managing cybersecurity risks. The standard does not contain specific technologies or proposal for cybersecurity solutions.

The standard is jointly developed by an ISO and SAE working group and will be released by both organizations. Over 25 automakers and 20 Tier-1 suppliers are developing the standard. The final draft of ISO/SAE 21434 was released in Mach 2021. It is probably 2022 until the standard is released.

The ISO/SAE 21434 standardization effort is linked and being developed in coordination with the EU and the UNECE WP.29 activities.

Another important standard is Uptane, which was developed for OTA software updates. Uptane was officially introduced in January 2017. The Uptane Alliance was formed in 2018. It is a nonprofit organized under the umbrella of IEEE’s International Standards and Technology Organization (ISTO). Uptane became IEEE/ISTO 6100 standard in July 2019 as Version 1.0 was introduced. The Uptane Alliance will oversee future Uptane standards and introduced Uptane Version 1.1 in January 2021. There are multiple companies offering Uptane-compliant software products.

UNECE WP.29 Cybersecurity

In June 2020, two new UN cybersecurity regulations were adopted—the WP.29 cybersecurity regulation. Both regulations are for all types of vehicles. The cybersecurity regulation was updated in March 2021. Deployment will start in a few countries in 2021 and 2022 with significant deployment in 2023 and 2024.

The first regulation focuses on cybersecurity and cybersecurity management systems (CSMS). The latest update of the CSMS document is available at: E/ECE/TRANS/505/Rev.3/Add.151 (

WP.29 CSMS definition: CSMS means a systematic risk-based approach defining organizational processes, responsibilities and governance to treat risk associated with cyber threats to vehicles and protect them from cyberattacks.

The CSMS document has excellent information on cybersecurity threats and lists a large number of vulnerabilities and attack methods. Annex 5 has 10 pages of descriptions of vulnerabilities in multiple categories. The first table below summarizes the threats and vulnerabilities. There are six threat types with multiple vulnerability types (29) with lots of examples (67) listed in the CSMS document.

The next table summarizes the mitigations to the cybersecurity threats that are described in the CSMS document. The B-table data is for threats inside the vehicle. The C-table data is for threats outside the vehicle.

If automotive cybersecurity is a topic of interest to you, it is worth examing the original document with all the data.

The second regulation is on software update processes and software update management systems (SUMS). The SUMS document is available at: E/ECE/TRANS/505/Rev.3/Add.151 (

WP.29 SUMS definition: Software Update Management System means a systematic approach defining organizational processes and procedures to comply with the requirements for delivery of software updates according to this Regulation.

The new UN regulation on uniform provisions on software update and software update management system applies to vehicles that permit software updates. The regulation applies to trailers and agricultural vehicles, in addition to passenger cars, vans, trucks and buses.

The WP.29 software update regulation requires auto OEM to:

  • Record software and hardware versions for each vehicle type.
  • Document the software update procedure.
  • Identify software relevant for type approval.
  • Verify that the software on a component is correct.
  • Identify software interdependencies for software updates.
  • Identify vehicle targets and verify they are compatibility with an update.
  • Determine if an update affects safety or safe driving.
  • Assess if a software update affects type approval.
  • Inform vehicle owners of updates.

Auto OEMs must fulfill the following requirements:

  • Develop a software update management system for all its vehicles on the road.
  • Protect the software update procedure with integrity and authenticity.
  • Protect software identification numbers.
  • Ensure the software identification number is readable from the vehicle.
  • Over-the-air software updates must:
    • Restore previous functionality if the update fails
    • Execute the update only if there is sufficient power for completion
    • Ensure safe execution.
    • Certify the vehicle is capable of conducting an update.
    • Inform users about each update and completion.
    • Inform users when a mechanic is needed.

I am preparing another column on cybersecurity that will include information on cybersecurity products, software companies and other players providing products and companies using cybersecurity.

This article was originally published on EE Times.

Subscribe to Newsletter

Leave a comment