Skip to main content

Cyber-securing connected cars

There are more connected vehicles on the roads than ever before, providing a new, more dynamic and more comfortable driving experience for their users. Ensuring that these vehicles can run as they are supposed to requires permanent and robust connectivity, but that brings with it its own set of challenges, especially when it comes to keeping the vehicles and their occupants safe and secure.

Thales’s Christine Caviglioli, VP Automotive, and Jean-Marie Letort, VP Cybersecurity, Consulting & Operations, talk about how the company is already dealing with these challenges, and how it is gearing up to face those that lie ahead.

We hear a lot today about connected vehicles. For many people, that means accessing a favourite playlist in the cloud, or being able to use automatic payment lanes at the tollbooth. I presume there’s more to it than that?

Christine Caviglioli (CC): Those are just two everyday aspects of connectivity in and around the vehicle, but the scope goes far beyond simple driver comfort and infotainment, and it is set to get even broader with the increase in number of electric cars on the roads.

The stakes in this field – notably in urban environments – are high: beyond getting the driver and their passengers comfortably from A to B, vehicles also need to consume less energy, integrate seamlessly into new, smart cities, and keep both their drivers and pedestrians safe.

Safety initiatives include the Europe-wide deployment of the eCall system, which is designed to contact the emergency services automatically in the event of a road traffic accident. It’s estimated that eCall could cut emergency response times by some 40-50%.

The end-results seem very positive. So where do the issues lie?

CC: They’re very positive indeed. However, seamlessness and reliability require increased connectivity, and that comes at a price. The car today is a computer on wheels – luxury models incorporate up to 100 million lines of code – and is connected to a wide variety of systems and networks that enable it to run safely and efficiently. All these communications and connections are wireless, which creates increased exposure to the risk of cyberattacks, be they on the vehicle’s systems, the road infrastructure or drivers’ personal data. Recent years have seen a dramatic upturn in this type of attack – automotive cyber incidents increased seven-fold from 2016 to 20191.

This is where cybersecurity plays a crucial role, not just in terms of protection along the entire value chain, but in allowing the full potential of connectivity to be realised. It benefits both original equipment manufacturers (OEMs), for instance in the area of telematics (vehicle monitoring), and end-users, who will enjoy a seamless experience that includes, amongst other things, advanced in-car entertainment and access to real-time traffic information. It also greatly simplifies car-sharing, as vehicles can be shared and accessed by means of a key sent securely to the driver’s smartphone.

Security concerns across multiple countries and multiple providers means regulation… 

Jean-Marie Letort (JML): Guidelines and regulations are emerging to counter these cyber threats and ensure that users remain safe and secure. The UN Economic Commission for Europe’s WP29 regulation for vehicle approval, adopted in June 2020, covering the deployment of cybersecurity management systems, requires automotive OEMs to integrate cybersecurity activities along the entire value chain.

Thales has been following the development of these regulations, which will be binding for new vehicles in 2022, and applied to all vehicles by 2024. Whilst the WP29 regulation is clear about the “what” – the implementation of cybersecurity by OEMs – it is far less clear about the “how”, and this is where Thales comes in. We are committed to supporting our customers in their understanding of these regulations, and to designing and building innovative cybersecurity solutions that comply with the regulations and that protect all critical automotive assets against cyber threats. Our cross-market security experience enables us to deploy secure connected services to minimise the risks and protect end-users. 

It would seem that cybersecurity is now as important as actual safety on the road.

CC: Within the connected vehicle, cybersecurity is inseparable from the safety of the vehicle, the protection of the users and the ultimate key to the success of connected cars: the trust people have in them.

That trust is also key for automotive manufacturers and tier one suppliers. They need to know that Thales is capable of managing the challenges that increased connectivity is bringing, and to enable them to protect the car and its multiple interactions with the elements of the external ecosystem, such as other vehicles, the road infrastructure, or the broader context of a smart city.

How do you go about meeting such a complex challenge?

JML: What is needed is a robust cybersecurity architecture that covers the whole ecosystem. Users need to be sure that the information coming from both inside and outside the car can be trusted, and that they are protected at every step of the way, from the moment they access the vehicle using a trusted digital ID to the moment the vehicle navigation system delivers them safe and sound to their final destination.

Thales has been supporting vehicle manufacturers and tier 1 suppliers in this field since 2013, providing cybersecurity expertise from factory to road. I have already mentioned compliance with regulations, and in this context, we provide risk analysis, cybersecurity architecture design and – through our Thales Trusted Key Manager – the management of credentials throughout the lifecycle of the vehicle.

In addition – and this is one of the key components of Thales’s end-to-end cybersecurity architecture – we operate a number of Security Operations Centres (SOCs) around the world, designed to help carmakers monitor the global threat landscape and protect vehicles from emerging cyberthreats. 
Are these solutions something that are built on to vehicles?

CC: In the case of vehicles that are already on the road, they can be. However, cybersecurity solutions are far more effective if they can be built in to the vehicle. This is why we have been working with the major manufacturers and component suppliers on employing a “security by design” approach to architecture that takes into account the different interconnected functions and networks that a vehicle has to deal with. The further upstream we can anticipate potential issues – and the design phase is about as far upstream as you can get – the better protected the vehicle will be. 

You’ve talked about the challenges you’re meeting right now. What about the future?

JML: That’s a very good question. The automotive industry evolves at a rapid pace, so lifecycle management becomes a key factor. When developing our cybersecurity solutions and architecture, we build embedded components that are scalable and that can evolve over time to adapt to new, future environments and continue to provide end-to-end automotive cybersecurity.

Thales’s commitment to applying its expertise in these environments is reflected in our involvement in the Mobena initiative and the ´Software République´ open ecosystem for intelligent and sustainable mobility. The aim is to create an innovative and secure service based on the Plug&Charge system, which will greatly simplify the user experience in charging electric vehicles.

Our 2019 acquisition of Gemalto enabled us to provide the adaptability needed in these dynamic environments, giving Thales a comprehensive cybersecurity offer that includes protection of the vehicle and of the exchanges of data, lifecycle management of the car’s security features, with long-term updates, and high-level detection of, and response to, new cybersecurity threats and attacks. 
In short, an automotive experience that all parties can trust.


1 Source: Upstream Security 2020 Global Automotive Cybersecurity Report