The Ricardo and Roke partnership is launching a comprehensive vehicle digital resilience assessment and benchmarking service to help automakers and tier 1 manufacturers assure the security of their products, and to ensure that they meet international cybersecurity regulations currently under development, as well as existing legislation affecting customer data security.
With increasing sophistication of onboard electronics systems and external connectivity through navigation, infotainment, digital communications and dealer maintenance networks, modern cars provide a feature base and functionality mix that would have been impossible even a few years ago. However, with this unprecedented increase in product complexity comes a parallel increase of the attack surface that hackers can exploit—the potential vulnerabilities that may provide a digital gateway into the vehicle and its data.
In addition to the implications of such breaches for product and personal data security, they also represent both a potential safety hazard for the vehicle occupants and a reputational risk to the vehicle manufacturer’s brand.
Current regulations already require vehicle manufacturers to put in place actions to prevent incidents and to understand the risks of potential customer data breaches. However, future, much tighter, cybersecurity regulations are already being prepared under the auspices of the United Nations Economic Commission for Europe (UNECE). These are expected to include both the mandatory audit of each vehicle manufacturer’s cybersecurity management system and a verification process to demonstrate that each new vehicle has been appropriately engineered with relevant risks identified, analyzed and mitigated.
The new digital resilience vehicle assessment service being launched by the Ricardo and Roke partnership is aimed at helping vehicle manufacturers to protect their future products and to comply with these impending cybersecurity regulations. The service provides a fully independent, impartial and objective assessment, which draws on both the recommendations of the 5StarS vehicle assurance framework, and the Ricardo and Roke partnership’s own unique methodology and facilities.
Recognizing that not all vehicle manufacturers will require the same level of expert assistance, the digital resilience vehicle assessment process is offered with three tiers of service.
The baseline assessment tier identifies and categorizes potential vulnerabilities that may be exploited by hackers—both now and in the future—and provides an indication of the end-effect of these for the driver’s safety and personal data protection. The digital resilience level of the vehicle is ranked with respect to competitor data and, crucially, the service aims to provide guidance as to how any such identified vulnerabilities can be addressed through immediate and cost-effective remedial actions.
The enhanced tier of assessment builds on the baseline service with a penetration test to exploit the identified vulnerabilities in order to assess the potential impact of a successful breach. The testing boundary is the same as for the baseline, but the testing is more physically intrusive and may include the analysis of any vehicle OEM backend servers and applications.
A fully bespoke tier of assessment is offered with the level and detail of analysis tailored to the client’s precise requirements.