The Ricardo and Roke partnership is launching a vehicle digital resilience assessment and benchmarking service designed to help automotive manufacturers and Tier 1 manufacturers assure the security of their products, and to ensure that they meet international cybersecurity regulations currently under development, as well as existing legislation affecting customer data security.
Increasingly sophisticated onboard electronics systems and external connectivity services are resulting in product complexity that can increase the ‘attack surface’ that hackers can exploit. This complexity can result in potential vulnerabilities that may provide a digital gateway into the vehicle and its data. In addition to the implications of such breaches for product and personal data security, they also represent a potential safety hazard for vehicle occupants as well as a reputational risk to the vehicle manufacturer’s brand.
Regulations already in place require vehicle manufacturers to implement actions to prevent incidents and to understand the risks of potential customer data breaches. However, future cybersecurity regulations are already being prepared under the auspices of the United Nations Economic Commission for Europe (UNECE). These tighter regulations are expected to include both the mandatory audit of each vehicle manufacturer’s cybersecurity management system and a verification process to demonstrate that each new vehicle has been appropriately engineered with relevant risks identified, analysed and mitigated.
The digital resilience vehicle assessment service being launched by the Ricardo and Roke partnership is aimed at helping vehicle manufacturers to protect their future products and to comply with these impending cybersecurity regulations. The service provides an independent, impartial and objective assessment, which draws on both the recommendations of the 5StarS vehicle assurance framework, and the Ricardo and Roke partnership’s unique methodology and facilities.
Of course, not all vehicle manufacturers will require the same level of expert assistance, so the digital resilience vehicle assessment process is offered with three tiers of service. The baseline assessment tier identifies and categorises potential vulnerabilities that may be exploited by hackers and provides an indication of the end-effect of these for the driver’s safety and personal data protection. The digital resilience level of the vehicle is ranked with respect to competitor data, and the service aims to provide guidance as to how any such identified vulnerabilities can be addressed through immediate and cost-effective remedial actions.
The enhanced tier of assessment builds on the baseline service with a penetration test to exploit the identified vulnerabilities in order to assess the potential impact of a breach. The testing boundary is the same as for the baseline tier, but the testing is more physically intrusive and may include analysis of any vehicle OEM backend servers and applications. Finally, a bespoke tier of assessment is offered, with the level and detail of analysis tailored to the client’s precise requirements.
Neil Gladstone, commercial director at Roke, stated, “We want to help consumers start choosing their cars on the basis of security, as well as long-established criteria like safety and fuel economy. To ensure tomorrow’s drivers can enjoy the benefits of digital services like navigation, collision avoidance, predictive parking and new applications, our digital resilience service provides a set of rigorous tests designed to maintain consumer confidence and peace of mind, by confirming that they are resilient to network attacks.”