A famous comedian often used an automobile as a prop for his most comedic stunts. However, he would not have been able to use this prop in the early 70s when diodes were used to operate alternators and starters. One didn’t have to kick the car to make it work by then. Soon after, the auto industry managed to make this core function smarter – even as theatre lost this element of fun to technology.
Similarly, the shift from vacuum tube-operated radios in the 50s to electronically controlled fuel injection systems in the 80s marked a significant change in the industry, from innovation to compulsions of the economy. Furthermore, the jet and space ages marked a profusion of electronic functions, making cars affordable for the common man. Due to heavy industrialisation, urbanisation and diminishing time zones, the need for speed seems to have accelerated the electronic makeover of automobiles. Faster engines, synchronisation between multiple components (such as actuators, oil and fuel flow), pressure sensing, and lubrication were incorporated, which would’ve been overwhelming for older mechanical systems.
With cinema playing an active role in pushing the desirability of vehicles, especially cars, the complexity and number of functions within a single car just accelerated with time, gradually leading up to the development of autonomous cars in recent times.
Any car that was built in the last decade or so has between 10 to 100 computers on board. These embedded controls, acting as the heart of vehicle intelligence, allow the computation of signals from various parts of the vehicle at extremely small intervals. A distributed intelligence system incorporates edge computation and facilitates a network of intelligent sub-systems – like the steering, brake, lighting – to work together as a holistic unit. A high-speed central information bus, similar to the human central nervous system, enables these specialised sub-systems made by different technologies and component vendors to synchronise their actions in real time.
Most core elements in a car – such as engines, gear boxes and lighting systems – have several layered functions, offering a wide range of monetisable features to users.
Mobility has leveraged this connected phenomenon to a massive scale, and is still expanding. Services for predicting early wear, braking patterns, recommending route-based solutions etc., are a part of such mobility-based services. Services offered by cab aggregators and cargo fleet management use functions like tracking the status and monitoring vehicle functions to make up their business model. This is done by connecting their business functions to cloud-based services on the internet.
Facilitated by sensor, cloud and telecommunication technologies, vehicular systems comprise a powerful internet of things (IoT) package. These systems are connected to the internet, and constantly fed information to make split-second decisions. Therefore, automobiles are now considered a part of the wide network of other systems such as traffic systems, fuel charging stations, shared mobility, cargo tracking and connected people.
However, this also makes such systems vulnerable to a variety of threat actors like cybercriminals, terrorists and malicious individuals/groups, who can leverage this connectedness to trigger serious damage on a local or global scale.
The risks of mobility, which were earlier random in nature and restricted to local driving errors, malfunctions and accidents, have now evolved to targeted attacks on an individual or group of vehicles, service providers, cloud services and electric charging units. The risks posed by such phenomena and their impact cannot be understated and are a possible threat to society, unless appropriate safety regulations are established while ensuring their strict implementation without exception.
The International Organization for Standardization (ISO), with a membership of 169 national standards bodies, is an independent and non-governmental body. The ISO 26262:2018 ‘Road vehicles and functional safety’ standards was a comprehensive effort to imbibe functional safety of electronic and electrical systems in vehicles. It enabled the evaluation of functional safety of electrical and electronics (E/E) in vehicles, and framed safety management principles as automotive-specific risk-based classification of safety goals (ASIL). However, these standards are only focused on the local evaluation of risks.
In due time, the evolution of vehicle connectivity transformed their overall vulnerability from issues having a local impact to a wider scope of attacks by cybercriminals.
Thus, vehicular cybersecurity standards aggregated, as ISO/SAE 21434 framed clear requirements to embed cyber risk management throughout the life cycle of a vehicle.1 This standard envisaged a change from a component-based point of failure to scenario-based possibilities of vulnerabilities and incidents from external sources which could be risky or fatal in nature, thus widening the scope of impact.
Furthermore, the United Nations Economic Commission for Europe (UNECE) has been actively working to evolve its guidelines for cybersecurity considering the risks posed by an increasingly connected world. It serves as a worldwide regulatory forum for the harmonisation of vehicular regulations (UNECE WP.29).2
The UNECE R155 agreement specifies guidelines for granting certificates of approval for cybersecurity and cybersecurity management systems for wheeled vehicles.3 This initiative aims at streamlining the approach towards cyber risk across the automotive industry and enables it to actively counter threats. Cybersecurity approvals as per the guidelines are expected to be mandatory in Europe from July 2024 onwards.4
The Automotive Industry Standards (AIS) in India – AIS 189 and AIS 190 – are currently under preparation. These standards (drafts on the ARAI websites) specify the framework for Indian manufacturers to include cybersecurity and related management systems in their vehicle programmes.5 The dates of implementation and mandatory compliance are still awaited.
However, once these standards are in place, the adoption of ISO 21434:2018 with AIS 189 and AIS 190 could make a paradigm shift in the cybersecurity safety standards in India and help it redefine its global competitiveness.