Last Updated on March 26, 2024

Remember when you were a child and drew a car with wheels and a body? At most, you added headlights? Imagine today’s drawing. Cars are not run by engines and gears anymore. What lets them onto the road are complex electronics and IT systems. Just to mention live tracking, remote start and stop, remote access, infotainment, temperature control, maintenance scheduling, and autonomous driving capabilities. Cars are now computers on wheels.

Every American vehicle manufactured from 1996 and European counterpart from 2001 onwards is required to feature a standardized connector (OBD/EOBD) linked to the local vehicle computer network (CAN bus). Moreover, starting in 2014, original equipment manufacturers (OEMs) have progressively integrated embedded LTE connectivity, facilitating the collection of performance data and the implementation of remote controls such as locking/unlocking and remote start capabilities.

Vehicles will also become more complex as we move closer to autonomous driving and full Internet of Things (IoT) connectivity. And together with this shift, the automotive cyber threats landscape will be on the rise. 

Software-Defined Vehicles (SDV) are driving the industry

This led us to the sector shift toward software-centric modern vehicles and smart mobility, where features and functions of cars are primarily enabled through automotive software. A typical modern car or truck currently contains over 150 million lines of software code, and this number is expected to reach around 300 million by 2030. For comparison, a passenger plane has up to 15 million lines. For the Boeing 787 Dreamliner, to be even more precise, it is around 7 million. Those lines are typically proportionate among hundreds of electronic control units (ECUs), telematic control units (TCU), internal gateways, camera systems, light detection, ranging devices, and more. 

Automotive cybersecurity in terms of cyber risks – quick review

The basic cyber attacks and cybersecurity risks of smart cars are already widely known, just to mention a few potential attacks like remote brake activation, sudden vehicle acceleration, and unauthorized access to navigation systems. Moreover, in this way, hackers can learn our habits, location, daily schedule, and, most importantly, steal our data, which may translate into further abuses.

Moshe Shlisel, the co-founder and CEO of Israeli cybersecurity startup GuardKnox, has drawn parallels between cybersecurity in contemporary automobiles and that of 1980s computers.

“Right now, there are millions around the world that are connected and are not secured, you have computers on wheels that are going around carrying people without the relevant safety measures,” he said.

He pointed out that fleets pose an even greater challenge since they typically consist of identical vehicles equipped with the same computer systems, all linked to the central operations headquarters. Let’s imagine a whole FedEx, DHL, or DB Schenker fleet is shut down by a hack, then we can speak about real risk to the economy, not just a logistic disruption. 

Moreover, automotive hacks can pose a national infrastructure risk. If electric-connected vehicles are plugged into the grid to charge and the connection is not secured, then a hacker could access the grid and cause all sorts of chaos.

But those risks are not just theory. 

In November 2020, university researchers hacked into and stole a Tesla Model X in… about two minutes. They needed a key fob, a Raspberry Pi, and a replacement engine control unit. The kit cost around $200.

At the time of writing this article, in media popped up news about Mercedes-Benz source code exposure due to a mishandled GitHub token and human error. This not only led to the disclosure and downloading of the source code, but there are further abuses at stake – data breach, intellectual property theft, vulnerability exploitation, legal penalties, service downtime, and more.

Shared Responsibility issues

Some software upgrades, i.e. vehicle infotainment systems, telematics, and diagnostic systems will require a trip to the dealer, however, most updates are received over-the-air (OTA), just to mention infotainment system updates, security patches, monitoring, and more. 

Most OEMs do not have any necessary software development capabilities. They are responsible for integrating cybersecurity solutions with hardware, and the rest is the responsibility of software and cybersecurity providers. In short: while the burden and expense of integrating strong cybersecurity into cars falls on the carmakers, they are leaning on their suppliers to develop the solutions.

The lack of robust capabilities from manufacturers and service centers leads to delays in identifying and patching vulnerabilities and makes the update delivery process quite complex and time-consuming. And again, it exposes consumers to additional risks.

Automotive Security Regulations and Standards 

No wonder that regulators and governments have worked to ensure that cybersecurity becomes an integral focus along every level of the automotive supply chain. 

Regulations allow for faster and more effective vehicle development and are introduced due to common industry interests. The demand for top-notch security is clear throughout the industry, governments, and road users. In a consumer study by IBM, 62% of customers said they would consider one brand over another if it had better security and privacy.

Since the 1950s, the United Nations has been actively engaged in enhancing vehicle safety by enacting regulations covering various aspects such as seat belts, headlights, steering wheels, and other safety features.

In 2018, it began looking at automotive cyber security standards. The United Nations Economic Commission for Europe (UNECE) created WP.29 regulations to ensure all car makers meet strict performance and audit requirements before their vehicles hit the road, which were finally approved in 2020. 

The framework of these requirements includes:

•    Identify and manage cyber risks in vehicle design

•    Threat analysis to verify that risks are managed

•    Make sure risk assessments are kept up-to-date and current

•    Monitor attacks and instantly respond to them

•    Analyse successful or attempted attacks

•    Review security measures in the light of new cyber threats

•    Ensure security lifecycle management (across the development, production, and post-production phases)

Since early 2021 they added regulations to clarify the requirements for the cybersecurity management system (CSMS), and new requirements for the security of over-the-air (OTA) software updates.

The European Union has already adopted the WP.29 rules. They are mandatory for all new vehicle types in the EU from July 2022. Japan and South Korea have also committed.

Please note that WP.29 represents the “World Forum for Harmonization of Vehicle Regulations” under the United Nations Economic Commission for Europe (UNECE). It’s the organization and platform for international collaboration on automotive regulation that develops and adopts international regulations, including UN R155 (United Nations’ regulation), that new types of approvals will be in effect for all new vehicles starting July 2024. 

Another regulation is ISO/SAE 21434 Road Vehicles—Cybersecurity Engineering standard which provides a guideline for ensuring the cybersecurity of road vehicle electronic systems. It was developed to ensure that OEMs and suppliers take cybersecurity into account at every step of the product lifecycle, from the concept phase to retirement – all the way. The standard requires a commitment from executive management to product development with a focus on cybersecurity engineering. It goes further by requiring the creation of a security policy that enforces cybersecurity rules and processes and it’s considered automotive best practices. 

The requirements outlined by UNECE WP.29 are generally broader compared to those of ISO/SAE 21434. Typically, if automotive manufacturers fulfills the criteria of ISO 21434, they also satisfy all WP.29 requirements. This presumption further solidifies the significance of ISO 21434 and encourages every vehicle manufacturer to adopt it, not solely for streamlined type approval, but for comprehensive cybersecurity measures.

Automotive-tailored solutions to the rescue 

Although conventional IT tools offer a solid basis for managing vulnerabilities, they frequently fall short of meeting the unique requirements of the automotive industry. Vehicles are not just complex software systems, they are more safety-critical ones and any software flaw or glitch can result in immediate, real-world, and life consequences to their drivers, other road users, pedestrians, or infrastructure.

The solution is cybersecurity and vehicle vulnerability management (VVM) solutions tailored to the automotive sector, the adoption of new technologies throughout the entire automotive production chain, and the integration of security within CI/CD pipelines by suppliers, vehicle software development companies, and automotive OEMs. 

Thus, the global revenue from the automotive security market is expected to hit $2,4 billion by 2025. 

The role of DevOps backup in vehicle cybersecurity 

To maintain each product’s cybersecurity assurance, OEMs and automotive suppliers, including Tier 1 suppliers (e.g. ECU manufacturers) typically form a dedicated cybersecurity assurance team that provides the technology and tools required for cybersecurity engineering and distributes them on all levels of the organization – from R&D to executive management. 

Starting from R&D it is indisputable to deliver security tools and specific criteria to ensure Secure Development Lifecycle and preferably include security into CI/CD pipelines. 

Tier 1 suppliers develop the code from scratch and are already implementing CI/CD to accelerate coding processes, others work with multiple lower-level suppliers. To ensure that the code they ship to the OEM is free of vulnerabilities, backed up, and recoverable, they need to implement many security measures – secure authentication and authorization, secret scanning, vulnerability management tools, and backup with Disaster Recovery technologies. They need to adapt to “shift left” practices to move security earlier in the design and development process, preferably tiring security measures in CI/CD. 

They need to ensure maximum uptime and prevent code from being deleted, lost, or corrupted. Here comes DevOps backup, which means backup and Disaster Recovery technologies for widely-used DevOps tools, such as GitHub, GitLab, Bitbucket, or Jira. It prevents suppliers and OEMs from daily data deletions and human mistakes, ransomware attacks spread on infrastructure, or any service downtime. Disaster Recovery technologies enable DevOps and Security teams to mitigate risks of productivity and data loss and avoid hefty penalties and financial setbacks.

If you think that losing data or access to your DevOps tools where all DevOps data, projects, and code remain, let us remind you that a year ago due to Atlassian’s Jira outage, around 800 users lost access to their accounts for over two weeks (!) Some years ago GitLab accidentally deleted customer data… What if it was your code and a new update that your company had been working on for months? Having DevOps backup in place could enable you to restore all (or chosen) data to your local machine, new account, or another version control system – and migrate all data between GitHub, GitLab, and Bitbucket to avoid productivity and reputation loss as well as ensure development and business continuity. 

Finally, DevOps backup is a key security tool to meet most security standards, such as ISO/SAE 21434 and hence, WP.29. Moreover, it ensures compliance with general security standards such as ISO27001 or SOC 2. 

Having a reliable DevOps Backup and Disaster Recovery enables automotive suppliers and OEMs to meet the Shared Responsibility Models according to which all SaaS vendors, including GitHub, GitLab, and Atlassian operate. Such models define the security duties for both SaaS providers and their users – in this case, automotive companies. In short, SaaS vendors are responsible for infrastructure-level security while having backup and security measures on the account level is the user’s duty.

That’s where GitProtect comes in. Our DevOps Backup and world-only Disaster Recovery technologies for GitHub, GitLab, Bitbucket, and Jira are designed with regulated industries such as automotive in mind. Ensuring OEMs, Tier 1, and more automotive suppliers with uninterrupted access to their services, code, metadata, and projects, meeting strict cybersecurity regulations, and eliminating data loss and downtime. 

Before you go 

🔎 Find out more about DevOps backup for regulated industries 

🔐 Learn how we helped companies meet security requirements and automate DevOps data protection – Case Studies 

📋 Discover our SOC 2, ISO 27001, and more security audit documents – check it out

📅 Schedule a custom demo to discuss your specific needs and requirements

📌 Or simply try our enterprise-grade software to eliminate DevOps data loss and ensure business continuity

Marta Przybylska, Content Writer at GitProtect.io
Marta is the CMO of GitProtect and Xopero. She has done all her career in the software industry - starting from gaming, through startups, ending with Developer Marketing and cybersecurity. In everyday duties, it quickly turned out that it was easier for her to understand and learn technology than to wait for developers' answers. And that's how the deep relationship with technology, DevOps and cybersecurity started.

Comments are closed.

You may also like