ENISA discloses an in-depth analysis of the cybersecurity challenges faced by the connected and automated mobility (CAM) sector and provides actionable recommendations to mitigate them.
The CAM sector in a nutshell
Today, connected vehicles, environments and infrastructures need to be designed with new capabilities and features. These capabilities and features should aim to provide:
- increased safety
- better vehicle performance
- competitive digital products and services
- improved comfort
- environmental friendliness
- user-friendly systems and equipment that are convenient for customers.
The CAM sector is a whole ecosystem of services, operations and infrastructures formed by a wide variety of actors and stakeholders.
This ecosystem not only transforms the industries involved but also considers how to meet the needs of citizens. It is therefore intended to make transportation safer and easier. It also needs to align with EU efforts towards cleaner, cheaper and healthier forms of private and public transport.
The recommendations aim to guide all CAM stakeholders in today’s context of growing cybersecurity threats and concerns.
The recommendations issued contribute to the improvement and harmonisation of cybersecurity in the CAM ecosystem in the European Union.
New policy initiatives: What do we need to know?
Under a new regulation set by the United Nations, car manufacturers are required to secure vehicles against cyberattacks. With the upcoming transposition of the United Nations’ regulations into EU policy, the new regulation on cybersecurity will be mandatory in the European Union for all new vehicle types from July 2022 and will become mandatory for all new vehicles produced, regardless of the type, from July 2024.
It is important to remember that the UNECE Regulations and related ISO standards do not apply to all CAM stakeholders. The regulation applies to passenger cars, vans, trucks and buses, as well as light four-wheeler vehicles if equipped with automated driving functionalities from level 3 onwards.
Which CAM sector cybersecurity challenges does the report identify?
The report provides recommendations for each challenge identified, such as:
Governance and cybersecurity integration into corporate activity
Cybersecurity governance in the CAM ecosystem represents an organisational and technical challenge for all stakeholders concerned. Recommendations given include:
- Promote the integration of cybersecurity along with digital transformation at the board level in the organisation
- Promote procurement processes to integrate cybersecurity risk-oriented requirements.
Technical complexity in the CAM ecosystem
Dependencies, interactions and supply chain management in this sector are a well-known challenge acknowledged by the majority of the actors involved. Recommendations given include:
- Promote the use of suitable certification schemes
- Promote security assessment for both on-board and off-board solutions and standardise the discovery and remediation of vulnerabilities during the lifetime of the product.
Lack of expertise and skilled resources for CAM cybersecurity
The shortage of people with cybersecurity expertise on the market is a major obstacle that hinders the adoption of security measures specific to CAM products and solutions. Recommendations given include:
- Encourage cross-functional security and safety knowledge exchange between IT/OT and mobility experts respectively
- Introduce programmes at schools and universities to address the lack of security and safety knowledge across the industry.