ENISA Releases Report on Smart Car Cybersecurity

By Michela Menting | 1Q 2017 | IN-4424


Cybersecurity and the Resilience of Smart Cars

NEWS


The European Network and Information Security Agency (ENISA) released a report in January 2017 on good practices and recommendations for the cybersecurity and resiliency of smart cars. The 80-page document provides a good overview of the attack vectors and vulnerabilities of smart cars today, analyzing the consequences of various potential attack campaigns. The report specifically targets car manufacturers, Tier One and Tier Two suppliers, as well as after-market service providers, and offers guidance on cybersecurity best practices that these players should implement.

Insecure Industry

IMPACT


The report clearly highlights the poor state of cybersecurity for smart cars, and the reasons behind the current state of affairs. Central to the issue are insecure design and development and a deficient security culture within the automotive industry. The report does a decent job of analyzing the gaps and challenges faced by industry players, and the potential impact that inaction will have on the future success of autonomous cars and the V2X infrastructure if such issues are not addressed. ENISA recognizes the limitations of existing initiatives and standards in the sector, as it offers substantial guidelines in terms of best practices for industry players.

The latter part of the report lists almost 40 different practices that could be implemented to strengthen cybersecurity. These include policy and standards, organizational measures, and technical practices. However, the recommendations remain high-level, and do not go into extensive detail as to how industry players can implement such practices. For example, the report recommends the use of cryptography but does not mention which cryptographic methods can be considered. Nonetheless, the report does recommend that players leverage national security agencies for help and make use of other ENISA cybersecurity guidance.

ENISA also draws attention to the current shortcomings in the sector that need to be resolved in order for cybersecurity to become a more integral part of the automotive industry. The agency rightly refers to the importance of drawing third parties into the discussion, including cybersecurity vendors and insurance providers, to share threat information and to clarify liability issues. In addition, sector players need to participate in industry groups and associations to start achieving consensus on technical standards, defining third-party evaluation schemes, and building security analysis tools. The agency also highlights the potential impact of the GDPR and the upcoming NIS Directive for the industry, stating that industry players will likely need to comply with some of the requirements.

Are Public Sector Efforts Enough?

COMMENTARY


ENISA has been working on cybersecurity in the automotive sector for some time. It formed the ENISA Cars and Roads SECurity (CaRSEC) Expert Group in 2016 to study the domains of smart cars and intelligent road systems, bringing together experts to study cybersecurity threats, challenges, and solutions. The agency published the terms of reference for the group in early 2016.

The ENISA report comes a few months after the U.S. National Highway Traffic Safety Administration (NHTSA) published Cybersecurity Best Practices for Modern Vehicles. The NHTSA document also offers voluntary guidance for the automotive industry, proposing recommendations similar to those in the ENISA report, although in a more abridged fashion.

Undeniably, cybersecurity is becoming critical for the automotive industry, and governments are keen to drive the private sector to implement appropriate mechanisms. While best practices such as these are welcome, universal application is unlikely to follow without more persuasive action by the public sector, notably in the form of regulation, or as a result of significant cost to human lives and the bottom line.
