In 2022, Upstream’s AutoThreat® researchers reported over 250 cyber security incidents in the automotive sector. Despite the advent of the UNECE R155 regulation and the increasing budget dedicated to product cyber security, hackers still manage to breach vehicles. Does this mean that all these efforts are in vain and attacks are inevitable? Not exactly. Concepts like security-by-design and zero trust are increasingly taken into consideration during the product development phase. Processes now include risk analysis, security concepts and other security artefacts, as well as security controls that are implemented and tested. However, despite this approach and new mindset, the main objective may be missed: the vehicle must be protected against attacks in the field, so the risks must be mitigated in practice. This is the real challenge that should guide all car manufacturers’ actions. Current product security is a one-way street towards the finished car: it lacks the technologies and processes that would allow feedback and experience from the field to be reflected during development. We will highlight the potential root causes of this mismatch, looking at regulation side effects, the human influence factor in processes and the lack of indicators to measure the real risks in the field. Finally, we will offer an approach to tackle this issue and close the gap between theory and practice in risk management, while reducing security costs.
Session: CYBER SECURITY | 16:00 - 16:30