When Israel-based REE Automotive designed the chassis for its P7 electric vehicle, it worked from software. The flat vehicle chassis features four independent modules for steering, brakes, suspension and powertrain near each tire, each fully configurable and driven by an electronic control unit (ECU) customizable through software.
With drive-by-wire, steer-by-wire, brake-by-wire, and data collection as a service, the company can tailor its vehicles to customer applications, but the platform could also be a hacker's dream.
Yaron Edan, a CISO at an automotive technology company, said ensuring the security of vehicle fleets is a critical initiative, requiring cybersecurity on design and development teams, on the factory floor, and in the connected cars themselves. His cybersecurity team must not only monitor cyber threats, but also manage the security of the supply chain, factory operational technology (OT), and the vehicle networks used to monitor and update platforms.
“My headaches and concerns basically fall into two parts: our network [which supports the creation of the platform], but that’s not enough,” he says. “We need to know what the threats are and monitor [for those]. We respond to each vehicle throughout the day through our SOC.”
But such security efforts face other challenges, including the success of right-to-repair initiatives, which open up the full range of consumer and business technology so that customers can repair the devices they purchase. For example, the passage of a law in Massachusetts would require automakers and auto technology manufacturers to share information and data generated from vehicles so that consumers and third parties can maintain, repair, and even modify their vehicles.
Meanwhile, the National Highway Traffic Safety Administration (NHTSA) initially ruled that existing federal safety regulations preempt the law, arguing that “[f]ederal law does not allow manufacturers to sell vehicles with known safety defects.” The state and federal governments ultimately reached an agreement on implementation: automakers will be required to provide third parties with local access to their data and systems, but remote diagnostic and update networks can remain closed, even for vehicles they own, the regulator has ruled.
EVs bring great flexibility and risk
It remains unclear whether the agreement will help companies with large fleets of vehicles, especially electric vehicles. Software-defined EVs have really caught on, and with Tesla's success story, the most important software-based features will likely remain in electric cars.
Alex Euler, director of North America at SBD Automotive, an automotive supply chain consulting firm, said EV manufacturers can start with the initial design and update software to change the vehicle's configuration and performance all the way through deployment and beyond, continuing to build out the platform.
The ability to respond effectively and quickly to cybersecurity events will likely remain with those manufacturers, not third parties, he says.
“If there are truly critical zero-days that need to be patched as quickly as possible, the cybersecurity teams for those products [at auto manufacturers] are running the show, coordinating stakeholders across the business, and accelerating timelines to resolve issues. It's certainly not an easy process today,” he says.
However, some manufacturers may outsource their cybersecurity functions. The United Nations passed product safety amendments that require member states of the United Nations Economic Commission for Europe to provide regulatory approval for cybersecurity management systems used in vehicles.
More connectivity
Vehicles have been connected for decades as part of in-vehicle maintenance systems and driver assistance. But software-defined vehicles are extending that connectivity, including remote start and limited consumer diagnostic tracking via smartphone apps, essentially turning the car into an Internet of Things (IoT) device. As automakers provide more accessibility through APIs, more risks will follow, said Shira Salid Hausilah, vice president at automotive cybersecurity and data management company Upstream.
“Opening up the ecosystem is probably what poses the greatest risk,” she said, pointing to various cybersecurity hacks of Tesla cars. “What happens when OEMs start exposing their APIs to other third-party apps, and those apps can send commands to the vehicle? … Vehicles are becoming technology hubs.”
While providing a company with access to some of its data may be enough to enable fleet management, the Massachusetts Right to Repair Act agreement, which permits some third parties to provide vehicle maintenance services, will probably cost a lot of money. SBD Automotive's Euler says it remains to be seen whether these limitations will improve in the future as the fast pace of SDV innovation slows.
“It's fair to some extent for both NHTSA and automakers to raise some kind of flag, but that being said, there are secure ways to share diagnostic information, and software-defined vehicles can actually do that through those secure channels. We give you a way to do it,” he says.
Cyberattacks are unlikely to be catastrophic, in most cases
Automakers have recently focused on cybersecurity, and more secure platforms have been developed over the past decade. But in the future, Euler says the focus needs to be on providing that security and safety while providing more transparency to customers. As business customers and individual vehicle owners seek improved maintainability and reusability of their devices, automakers must follow suit.
A well-designed platform can also significantly reduce the risk of widespread cyberattacks, says Upstream's Salid Hausilah. The company is already responsible for threat intelligence and incident response for some manufacturers, and most incidents are not safety-related, according to the company's “2024 Automotive Cybersecurity Report.”
“I would say that the majority of incidents that we see are not necessarily jeopardizing safety. You have to have a reason to jeopardize safety, but attackers don't have the ability to do that. They don't. They exist to make money,” she says. Instead, the company has seen numerous attacks on availability. “They can manipulate the app to start the truck in the morning or prevent you from getting into the truck. It could be ransomware, it could be some other form, but it could be due to availability and vehicle We need to discuss the numbers.”
Other attacks have taken advantage of ride-hailing apps to cause traffic jams in Moscow and hacked remote start apps. These availability issues have less to do with diagnostic systems, such as the information required for right-to-repair, and more to do with administrative systems, she says.