Modern vehicle architecture is posing a massive challenge to security teams. Hardware is layered with complex software systems, resulting in sophisticated system architectures that are far more vulnerable to attack than the vehicles of yesteryear. Adjacent to the evolution of connected and automated vehicles is a shift in how the industry views cybersecurity. No longer a tick-box exercise, cybersecurity is now viewed as a critical safety system for drivers, passengers and pedestrians alike.
In response to this evolving landscape, C2A Security developed the State of the Industry Report: Cybersecurity Lifecycle Management for Modern Vehicles. It analyzes current approaches to cybersecurity lifecycle management processes and makes recommendations as to how these can be improved. Its findings are just as true today as they were when the survey was conducted: the industry continues to struggle with lifecycle management, with implementing ISO 21434 standards and with executing timely risk assessment processes.
Where the industry stands — assessing the current approach to cybersecurity lifecycle management
Without visibility, cyber resilience becomes near impossible. In spite of that, over half of OEMs and Tier 1s report that they do not have traceability from software and hardware BOM to VIN.
To add further concern, 56% of organizations surveyed say that it takes more than three weeks to manage the threat and risk assessment (TARA) process. This is problematic: without a fast, efficient TARA process, organizations leave their vehicles vulnerable to cyber attack, putting the entire ecosystem at risk.
ISO 21434 implementation — what’s your challenge?
When asked about their top concern during the implementation process, 62% cited coordination across the different teams and suppliers as their number one issue. Similarly, 36% say more concrete, clear implementation steps are required for thorough implementation, followed by 30% who rank visibility over different car models throughout the security lifecycle as their main challenge.
Diving into the detail: risk assessment today
Communication is the foundation of any timely risk assessment project, but 50% of survey respondents rank coordination between different entities as their number one impediment to speedy cybersecurity.
Similarly, as new factors come into play, the industry must shed its siloed thinking. We all have a role to play: over 70% of OEMs and Tier 1s surveyed agree that the risk assessment process should be managed by each entity down the supply chain.