November 29, 2017
The digital world offers unprecedented opportunities, especially from an automotive perspective. Today’s vehicles are increasingly ‘connected’ – data is wirelessly exchanged between vehicles, the infrastructure surrounding them and service providers. Tomorrow’s vehicles will be automated and autonomous, capable of sensing their environment and navigating through cities without human input.
Undoubtedly, these advances will increase comfort and convenience for drivers, help improve vehicles and mobility services, and contribute towards achieving societal goals such as improving road safety, reducing fuel consumption and CO2 emissions, improving air quality, as well as facilitating better traffic management.
Road safety has always been at the forefront of the automobile industry’s priorities. Indeed, a large part our sector’s R&D investments, worth more than €50 billion annually, goes to safety-related innovation. Despite a three-fold increase in traffic over the last 30 years, Europe’s roads have become much safer. This sharp reduction, due in no small part to the introduction of passive and active safety technologies in our vehicles, represents a major success.
Vehicle manufacturers are increasingly making use of connectivity and information-sharing to further improve road and vehicle safety. Nevertheless, these new levels of connectivity also introduce completely new safety risks for vehicles. Opportunity comes with risks, and one of these is the threat of a direct cyberattack on your car or indeed a whole vehicle fleet.
If adequate cybersecurity mechanisms are not implemented and cybersecurity risks not dealt with appropriately, the interfaces of connected vehicles can be used for exploiting vulnerabilities. Attackers may for instance compromise the user’s personal data, threaten vehicle systems or endanger the safety of passengers. Keeping cybersecurity risks for connected vehicles in check is therefore of crucial importance to us.
Firstly, countering such risks requires limiting the number of data interfaces within a vehicle, since every new external interface increases the number of potential targets and entry points for hackers. That is also why ACEA believes that vehicle-generated data should only be shared with third parties if access is provided in a safe and secure way. Allowing direct access to car data, for example, poses serious security and safety risks to both the vehicle and its occupants. To make others aware of these risks, we recently launched an informative website about data sharing: www.CarDataFacts.eu.
Secondly, interfaces that are needed for connectivity purposes should be protected with very high cybersecurity measures. The European auto industry has therefore taken the lead in designing and producing safe and secure connected and automated vehicles, by following well-established safety and security principles.
This is in line with the Cybersecurity Package that was adopted by the European Commission in September. The package made clear that specific sectors, facing specific threats, should be encouraged to develop their own approach to cybersecurity in order to complement general cybersecurity strategies. Clearly, our members are committed to mitigating the risks of cyberattacks that come with the ever-increasing connectivity of motor vehicles.
In this spirit, ACEA and its 14 member companies have identified a set of six key principles of cybersecurity in the automobile industry – which are:
- Cultivating a cybersecurity culture
- Adopting a cybersecurity life cycle for vehicle development
- Assessing security functions through testing phases
- Managing a security update policy
- Providing incident response and recovery
- Improving information sharing amongst industry actors
All manufacturers united in ACEA endorse these principles, with the aim of enhancing the protection of connected and automated vehicles against cyber threats. For more details about each of these principles, I recommend our ACEA Principles of Automobile Cybersecurity paper – which provides an in-depth, yet concise, overview of all of them as well as the work accomplished by ACEA members in this field.
Effective defence against cyberattacks also requires a high degree of collaboration amongst industry players involved, making information sharing essential for many reasons. Therefore, Europe’s automobile manufacturers are committed to engaging with public authorities as well as other stakeholders, from every sector of the industry.
Likewise, ACEA members will continue sharing and discussing new cybersecurity threats with others in order to help the whole community find countermeasures. That’s also why ACEA continues to fully support ongoing regulatory and standardisation initiatives related to cybersecurity that are taking place in various international fora, such as the UN-ECE and SAE/ISO.
As you can tell, cybersecurity is of paramount importance to our industry. ACEA’s six key principles reflect the time and resources that our members have spent devising mechanisms, technology and organisations devoted to providing the highest possible level of cybersecurity for their vehicles. Auto manufacturers constantly fund research and development to that end, continually working on standardisation and introducing state-of-the-art security measures to further improve automobile cybersecurity.
Secretary General of ACEA