Connected transport is seen as the future of a redesigned system of travel. Planes, trains, buses and cars – all the aspects of multimodal travel are affected by evolutions in digital technology.

By reporting and analysing data, connected vehicles could ease transport in overcrowded cities while playing a key role in safety, eco-driving and reducing fuel consumption and the carbon footprint. In 2018, the European Commission required car manufacturers to equip all new vehicles with an automatic emergency calling system known as eCall or eCall112. This system aims to reduce emergency service response times by 50% in rural areas and up to 60% in cities. Connected tools like these could save more lives. All cars should be fitted with the system by 2035.

Legitimate fears

This world of interconnected transport also has to face the new challenges that come with rapid digitalisation and to confront the cyber threat. Thanks to these digital interfaces and the multiple information and sensor systems involved, taking control of a car or plane, paralysing an airport, derailing a train or creating a road accident by blocking the reporting of sensor data are all clear probabilities, and some have already been proven possible.

The stakes are high. In France, SNCF carries nine million people every day on 17,000 trains in Ile-de-France alone, the equivalent of an A380 aircraft taking off every seven seconds. Worldwide, 11 billion tonnes of freight are transported by sea every year (source: McKinsey 2020).

In the automotive market, McKinsey reports that cars now contain over 100 million lines of code! This figure is likely to triple by 2030. By comparison, a passenger plane contains some 15 million lines of code, and the operating system of a standard PC around 40 million.

So Gartner’s 2019 announcement of rapid growth in the global automotive cybersecurity market was hardly surprising: from $2.4 billion in 2019, it is likely to approach $6 billion by 2025. 

Powerful international standards

Building on an accelerated rise in awareness, the automotive market is regulating its international ecosystem through dedicated analyses. Standards are burgeoning due to a strong desire to regulate through constraint. The global car industry has to protect its infrastructure against cybercriminals aiming to steal data and take control of automated systems for malicious purposes.

In the USA in 2016, for example, the SAE’s Vehicle Cybersecurity Systems Engineering Committee published the Cybersecurity Guidebook for Cyber-Physical Vehicle Systems, which defines a framework for all vehicle the life cycle processes. Any organisation can thus incorporate cybersecurity into connected vehicle systems, from the design phase through to production, use, servicing and dismantling.

Working group WP.29 at UNECE (United Nations Economic Commission for Europe) published a regulation in June 2020 that sets out rules and obligations for car manufacturers. The regulation is due to take force in July 2022 for all new vehicles in Europe. Car manufacturers need to demonstrate that they have introduced processes to evaluate the cyber risks threatening their vehicles and comply with all the cybersecurity requirements before they can bring their cars to market.

Going further still, a new international standard should emerge soon. Based on the American work, ISO and the SAE have combined their forces to produce the proposed ISO/SAE 21434 standard, Road Vehicles – Cybersecurity Engineering, to ensure the car industry can deliver vehicles equipped with highly secure systems and software. This standard will enable organisations to define cybersecurity policies and processes, manage cybersecurity risks and promote a culture of cybersecurity.

To achieve the level of quality assurance required before future vehicles enter production, manufacturers will have to acquire simplified, integrated, dynamic tools operating continuously to evaluate, analyse and manage risks. All EGERIE’s teams have been mobilising for a year in order to be able to support car manufacturers in the implementation of the new international ISO 21434 standard. Centralisation, communication and collaboration are the three pillars of our work with the car manufacturers we support through an active process of joint construction.

Finally, the standard describes a framework that will improve cybersecurity collaboration in the automotive sector and lead to the development of technologies and solutions that provide a better response to constantly changing cybersecurity problems. Information sharing between manufacturers is a necessity. While this cooperation seems to be well established in the United States, where automotive industry players share and analyse information about vehicle vulnerability and contribute to improving cybersecurity technologies, this approach must be adopted worldwide.

Promising prospects

The United Nations already considers this standard to be a reference document for the implementation of cybersecurity management systems (CSMS), a requirement of the regulation recently adopted by the organisation covering cybersecurity in vehicles. Further work has also begun on a publicly available specification, ISO/PAS 5112, describing guidelines for auditing organisations involved in cybersecurity engineering.

The ultimate aim is for the standard to be widely adopted in the sector’s everyday engineering practices, together with a better understanding of the challenges. This will involve incorporating the standard into training programmes for future engineers. Promoting a culture of cybersecurity has to begin at the beginning!


All articles

All articles