“Technology is changing mobility” – this is a central theme of this year's IAA in Munich in September, and it shows once again that the automotive sector is changing. Vehicles, which used to consist mainly of mechanical components and combustion engines, are increasingly becoming Software Defined Vehicles (SDVs).
Just how important software has become for cars can also be illustrated with figures: for example, the average software in a current car comprises around 120 million lines of code. The Lockheed Martin F-35 stealth fighter jet needs about 25 million lines, the Boeing 787 about 10 million. In comparison, the space shuttle was really modest. With only 400,000 lines of code, it carried people into space and back for decades.
"For drivers, the digitalisation of vehicles brings a number of benefits. Along with an improved driving experience and more comfort, in many cases it also includes additional (physical) safety: adaptive cruise control helps to avoid rear-end collisions, while the lane departure warning system intervenes if the driver has a microsleep episode," explains Marcus Klische, cybersecurity expert at MHP. At the same time, however, digitalisation also gives rise to new risks. The highly connected vehicles are increasingly becoming targets for cyberattacks.
New regulations to increase security
Legislators have also long since recognised this - and are reacting appropriately with new regulatory requirements. These are often based on two guidelines issued by the United Nations Economic Commission for Europe (UNECE). UNECE R 155 obliges car manufacturers to integrate a Cyber Security Management System (CSMS) into their vehicle development process. UNECE R 156 also requires OEMs to implement and maintain a Software Update Management System (SUMS). These rules are also supplemented and substantiated by relevant ISO standards.
The cyber security management system & security by design
A rough description of a cyber security management system, a core component of the new security architectures, shows that it fulfils three tasks:
- Managing cyber risks to vehicles: This includes implementing measures for the identification, assessment and mitigation of all conceivable cyber risks.
- Monitoring cyber risks to vehicles: Automotive companies are obliged to actively search for new threat scenarios and to react to them promptly - for example by providing regular software updates.
- Obligatory certification: Every CSMS is to be certified by an accredited testing institute. One such institute in Germany, for example, would be the TÜV.
In summary, it is clear that manufacturers and suppliers must rethink the development of their vehicles, moving away from sequential working and towards a networked approach. Marcus Klische: "The starting point for this is the 'security-by-design' concept. For this, the software engineers take all attack scenarios known at the time of development into account when designing the IT architectures. At the same time, regular software updates must be possible without affecting any other vehicle functionalities."
The time for action is now!
The bottom line is that now is the time for change. Experience shows, however, that many manufacturers find this difficult, due to a lack of experience in setting up the necessary IT infrastructures, for example. "In times when hacker attacks are becoming more and more commonplace and automotive companies are offering new business concepts, such as subscription models, countless different risks can arise," emphasises Marcus Klische. "We can help to reduce these risks by contributing the experience we have in setting up the necessary infrastructure."