Does cybersecurity feature on your checklist for buying a new car today? If it doesn’t, you can derive some satisfaction from the fact that it isn’t part of new cars today. However, all this is set to change in India in 2027 with regulatory bodies specifying that all vehicle manufacturers will have to include cybersecurity as a mandatory feature for all connected vehicles from that year onwards.
Fuelled by energy differentiators, e.g. fuses, software-based load shedding, reduced current utilisation, automatic adjustment of seatbelt force, better suspension on rough roads, and a shift to smart cockpits, traditional models of product development are being rapidly replaced. In the conventional supply chain, a tier-1 supplier would deliver a product comprising electronics and hardware, tool software, basic software, and pure software to the original equipment manufacturer (OEM). The tier-1 would in turn depend on tier-2 vendors for either the software or middleware (OS + firmware), which would comply with standards such as AUTomotive Open System ARchitecture (AUTOSAR). With software-defined vehicles (SDVs) becoming the new normal, OEMs are directly adopting a full-stack architecture, which integrates AI into the architecture of computing chips and allows them to build functions which would previously have been built by tier-1 suppliers.
As vehicles continue to evolve with expected lifespans of 20 years ensured by hardware redundancy and over-the-air (OTA) updates, the auto industry faces an increasing cybersecurity challenge. Even if customers accept that a new car may not be at its finest when it leaves the factory and may require an update or two to make it tick, they would still prefer to eliminate all ambiguity when it comes to the security of a car. As connected and electric vehicles present new paradigms for mobility and extensibility of locomotion, AI provides a new paradigm for edge intelligence and cloud-based computing, significantly enhancing the functions of conventional mobility. However, multiple designs and systems and the increasing role of software make vehicles vulnerable to cyberattacks. This increases the possibility of hackers and criminal forces exploiting weaknesses in either the code or the growing number of interfaces between devices, causing considerable negative impact for individual mobility users and the general public.
Regulations such as UNECE R155/R156 in Europe and AIS-189/190 in India aim to provide a framework for implementing cybersecurity for enterprises making smart vehicles. In addition, the ISO/SAE 21434 standards provide guidance to help contextualise security in terms of the vehicle, supply chain and concept to design and manufacturing ecosystems.
A cybersecurity management system (CSMS) is a central theme for the active cybersecurity requirements of connected vehicles.
PwC conducted a survey of OEMs, suppliers and market experts across 11 countries.1 The survey revealed many interesting insights.
From July 2024, 60+ signatories to the UNECE will need to have a CSMS in place to produce new vehicles. OEMs (vehicle makers) are ultimately responsible for verifying that their supply chain is compliant with regulations and standards. While most of the OEMs agree and have a design for a CSMS, the maturity of the system is low or moderate. This prevents its deployment. There is also a lack of transparency on CSMS implementation across the global automotive industry. There does, however, seem to be a consensus that cybersecurity is the biggest threat in the automotive industry and that an effective CSMS would prove to be a competitive advantage.
In India, as in other countries, the OEM-supplier agreement on cybersecurity remains vague. Hence, while individual component risk ratings might be expected, an overall vehicle-level risk rating, which is key to approvals, homologation and ultimately ensuring passenger protection from cybercrime, does not exist as yet (in 2024).
Further, there is a lack of agreement among suppliers, who remain core to the security programme, about which frameworks and standards will be helpful to establish an effective CSMS. OEMs, however, have a different view from suppliers.
Despite the industry recognising cybersecurity as a major challenge, systemic problems like shortage of skilled staff, lack of know-how and supply chain complexities slow down CSMS adoption and integration. A clear business strategy for digital transformation could drive a CSMS approach, rather than one based on mere compliance. This becomes more relevant as OEMs insource important parts of the value chain to create differentiators. Software becomes pivotal as the implementation of a CSMS takes centre stage. Modularity and scalability of software and computing become essential for effective long-term production and operation of vehicle programmes. Perceptions of CSMS and design thus vary for an OEM vis-à-vis a supplier based on their respective responsibility for security. Our experience indicates that an average 30-month cycle of preparation is required to adopt an effective CSMS. With October 2027 being set as the date of implementation for AIS-189/190 approval-related rules for cybersecurity, the clock is already ticking.