麥肯錫汽車網(wǎng)絡(luò)安全：應(yīng)對挑戰(zhàn)

Mckunsey

&company

Cybersecurity

inautomotive

Masteringthechallenge

March2020

Cybersecurityinautomotive

Masteringthechallenge

Authors

OndrejBurkacky

JohannesDeichmannBenjaminKlein

KlausPototzkyGundbertScherf

Acknowledgements

ThisstudywasconductedbyMcKinsey&Company,Inc.WewishtoexpressourappreciationandgratitudetoGSAanditsmembersfortheircontinuedsupportandvaluablecontributions.

Cybersecurityinautomotive2

Contents

Introductionandkeyinsights 4

1.Cybersecurityisbecominganewdimensionofqualityforautomobiles 5

2.Automotiveindustryisrethinkingcybersecurityalongtheentirevaluechain 9

3.Managingcyberriskthroughoutthevehiclelifecyclewillrequirenewworkingpractices 17

4.Automotiveexecutivesshouldpreparetheircybersecuritystrategy 21

Outlook 28

Appendix 29

Keyaspectsofthemarketmodel 30

Listofabbreviations 31

Contactsandauthors 32

Importantnotice 33

Cybersecurityinautomotive3

Introduction

andkeyinsights

ThefourACESdisruptions–autonomousdriving,connectedcars,electricvehicles,andsharedmobil-ity–havedominatedtheagendaofautomotiveindus-tryleadersinrecentyears.Theseinnovations,builtonthedigitizationofin-carsystems,theextensionofcarITsystemsintothebackend,andthepropagationofsoftware,turnmoderncarsintoinformationclear-inghouses.Hackingofconnectedcarsbysecurityresearchershasmadeheadlinesoverthepastfew

years,andconcernsaboutthecybersecurityofmodernvehicleshavebecomereal.Lately,regu-latorshavealsostartedworkingondefiningtheminimumcybersecurityrequirementsfornewcars.TheUNECEWP.291regulationoncybersecurityandsoftwareupdatesisonthehorizonandwill

triggeraparadigmshiftintheautomotiveindustryintheUNECEmembercountries.OthercountriesliketheUSandChinahaveissuedbestpracticesandframeworksbutnoregulationsyet.GiventheinfluenceofUNECE,however,abroadadoptionofitsregulationacrosstheworldisexpected.

Withthesefirstregulatoryprogramsforcyber-securityandsoftwareupdatesintheautomotivesector,theregulatorwillrequireautomotive

OEMs–theresponsiblepartiesforvehiclehomo-logation–todemonstrateadequatecyber-riskmanagementpracticesthroughoutdevelopment,production,andpostproductionoftheirvehicles,includingtheabilitytofixsoftwaresecurityissuesafterthesaleofvehiclesandovertheair.

Inthiscontextandbasedonourextensiveresearchandanalyses,weofferaperspectiveonthreekeyquestionsfortheautomotiveindustry:

—Whatarethespecifictrendsanddriversofcyber-securityintheautomotiveindustryandwhyisthisaparadigmshiftfortheindustry?

—Howarethesedriversgoingtoaffecttheauto-motiveindustry’slong-establishedvaluechains?

—Howcanplayersinsideandoutsidetheindustry

prepareandpositionthemselvesfortheupcom-ingmarketdevelopmentsandanticipatedseg-mentgrowth?

Whilethefollowingparagraphsprovideasummaryofourresearch,theremainderofthereportwilladdressthesequestionsindetail.

Enginepower,fuelconsumption,drivingcomfort,andtheprecisionofacar’schassisandbodyarejustafewdimensionsthatdefinethequalityofacar.Withmoreandmorecorevehiclefunctionsenabledbysoftwarerunningonspecializedhardwarechips,thesecurityofthosecomponents–cybersecurity–willbecomeyetanotherdimensionofqualityintheautomotiveindustry,inmuchthesamewaythatphysicalsafetyisamajorconcernandqualityparametertoday.

Thismeasureofqualityisunderpinnedbyregulatoryactivitiesthatimposeminimumstandardsforman-agingcybersecurityrisksandrequireOEMstohavetheabilitytofixsecurityissuesviasoftwareupdates.Cybersecuritywillbecomenonnegotiablefortheindustry.

Inordertoexcelatcybersecurity,newprocesses,skills,andworkingpracticesalongtheautomotivevaluechainwillberequired.Thisincludesidentifyingcyberrisks,designingsecuresoftwareandhardwarearchitectures,anddevelopingandtestingsecurecodeandchips,ensuringthatissuescanbefixed–evenyearslater–viasoftwareupdates.

Therisingneedforcybersecuritywilltriggerinvest-mentsoverthenextfewyears.WeexpecttoseethemarketgrowfromUSD4.9billionin2020toUSD9.7billionin2030,withsoftwarebusinessrepresentinghalfofthemarketby2030.Thestronggrowthofthemarketwillcreatemanynewbusinessopportunitiesforsuppliers,establishedITfirms,specialistnichefirms,start-ups,andmanyothers,especiallyinthesoftwaredevelopmentandservicesmarket.Atthesametime,thedynamicsofthegrowingmarketwillalsochallengetoday’sleadersinthemarket.

1UNECE,ProposalforanewUNRegulationonuniformprovisionsconcerningtheapprovalofvehicleswithregardtocybersecurityandoftheircybersecuritymanagementsystems;UNECE,ProposalforanewUNRegulationonuniformprovisionsconcerningtheapprovalofvehicleswithregardtosoftwareupdateprocessesandofsoftwareupdatemanagementsystems.

Cybersecurityinautomotive4

1.Cybersecurityis

becominganew

dimensionofqualityforautomobiles

Cybersecurityinautomotive5

Softwareisoneofthekeyinnovationsinmodernvehicles

Softwareandelectrical/electronic(E/E)compo-nentsareandwillcontinuetobeamongthekeyinnovationsinmodernvehicles.ThemarketisexpectedtogrowfromUSD238billionin2020toUSD469billionin2030,correspondingtoanannualgrowthofover7percentperyear.2

Thisgrowthisdriventoalargeextentbysoftware,whichisbecomingakeydifferentiator.SoftwareisdrivinginnovationinthefourACEScategories:

—Autonomous.Autonomouscars,whichhavebeenthesubjectoffantasyforalongtime,arebecomingreality.Leadingcompanieshavealreadydrivenmillionsofmilesonpublicroadswiththem,butsofaralwaysunderthewatchfuleyeofahumanbehindthesteeringwheel.Thedisengagementrateinfieldtests,i.e.,howoftenthehumandriverneedstotakeovercontrol,israpidlydeclining,puttingfullyautonomouscarsinreachwithinmereyears.Whilethe

autonomouscaroffersgreatadvantages,itcomeswiththeriskofhackersinterferingwithsteeringorbreaking.Suchincidentswouldfosterfearofautonomouscarsandputthewholetechnologyatrisk.

—Connected.Carsarebecomingmoreandmoreconnected.Theservicesenabledbyconnectivitytodayrangefromsendingdestinationaddress-estothevehicle,toreceivingreal-timetrafficinformation,toparkingthevehicleremotelyviaasmartphoneapp.However,theconnectivityofcarsisapotentialattackvectorforhackerstocompromiseafullfleetofcars,whichistheworstnightmareofeveryOEM.

—Electric.Theriseofelectriccarsstartedseveralyearsagoandtheyaregainingmoreandmoretractionastheirrangeincreasesandtheirpricedecreases.Challengedbymanystart-ups,

almostallincumbentOEMshaveembarkedonthejourneytoincludingelectriccarsintheirproductportfolios.Theelectriccarperseisnotmoresusceptibletosabotagethanacon-ventionalcar,butattacksoncharginginfra-structurecanhavesevereeffects,frompoweroutagestofires.

—Shared.Enabledbyconnectivity,newbusi-nessmodelsfortransportationhavebecomeviable,suchascarsharingandridehailing.Thetrendinmobilityismovingawayfromcarownershipandtowardsshared-carsolutions,

whichissignificantlyincreasingvehicleutilization.Thistrendrequiresfullprotectionofuserdata–abreachofsensitivedatacouldfostermassivedistrustofthebusinessmodel.

Adeeperlookintotheconnectedcarshowsthreetypesofsoftwarethatwilldriveinnovationin

thisarea:

—In-vehicleservices:Allsoftwarewithinthe

vehiclethatrunsonelectroniccontrolunits(ECUs)ordomaincontrolunits(DCUs)withinthecar

—OEMback-endservices:Cloudservicesforboththevehicleanduser

—Infrastructureandthird-partyservices:

Softwarelinksbetweenthevehicleandinfra-structure,e.g.,gas/charging,parking,insurance.

Whiletheindustryisinvestingininnovationsacrossthesetypesofsoftwaretoenhancethecustomerexperienceandincreasethevalueofmoderncars,manufacturersmustalsobuildincybersecurityfromthebeginningtoavoidcreatingcyberattack-pronedigitalplatformsandvehicles.

Witheverylineofcode,thecyberrisktomodernvehiclesincreases,andsecurityresearchershave

demonstrateditsimpactandcost

Overthelastseveralyears,moderncarshavebecomedatacentersonwheels.ComparingthelinesofcodeinmodernconnectedcarswithaircraftsandPCsprovidesaglimpseintothechallengesofsecuringthesevehicles.Today’scarshaveupto150ECUsandabout100millionlinesofcode;

by2030,manyobserversexpectthemtohave

roughly300millionlinesofsoftwarecode.Toputthisintoperspective,apassengeraircrafthasanestimated15millionlinesofcode,amodernfighterjetabout25million,andamass-marketPCoperatingsystemcloseto40million.3Thisabundanceofcomplexsoftwarecodeisaresultofboththelegacyofdesigningelectronicsystemsinspecificwaysforthepast35yearsandthegrowingrequirementsandincreasingcomplexityofsystemsinconnectedandautonomouscars.Thisamountofcodecreatesampleopportunityforcyberattacks–notonlyonthecaritselfbutalsoonallcomponentsofitseco-system(e.g.,backend,infrastructure).

Thecyberriskofconnectedcarshasbecomeclearoverthepastfewyears,assecurityresearchershaverevealedvarioustechnicalvulnerabilities.Inthesescenarios,the“attackers”werenotexploitingthevulnerabilitieswithbadintentionsbutrather

2Source:McKinsey,“Mappingtheautomotivesoftware-and-electronicslandscapethrough2030,”July2019.

3Source:McKinsey,“Theraceforcybersecurity:Protectingtheconnectedcarintheeraofnewregulation,”O(jiān)ctober2019.

Cybersecurityinautomotive6

disclosinginformationtoOEMstohelpthemfixthoseissuesbeforemaliciousattackerscausedactualharm.Someoftherecentlyreportedvulnera-bilitiesarelistedinExhibit1.

Afterbecomingawareofthevulnerabilities,OEMsfixedtheissuesandprovidedsoftwareupdates.But,dependingontheaffectedcarmodel,itsE/Earchitecture,andtheOEM’sabilitytoprovidesoft-wareupdatesovertheair,somesoftwareupdatesrequiredvisitstodealerships,resultinginmuchhighercostsforcarmakers.

Cybersecuritywillbenonnegotiableforsecuringmarketaccessandtypeapprovalinthefuture

Unlikeinotherindustries,suchasfinancialser-vices,energy,andtelecommunications,cyber-securityhassofarremainedunregulatedintheautomotivesector–butthisischangingnow

withtheupcomingUNECEWP.29regulationson

cybersecurityandsoftwareupdates.4Underthisframework,OEMsinUNECEmembercountries(seeExhibit2)willneedtoshowevidenceofsufficientcyber-riskmanagementpracticesendtoend,i.e.,fromvehicledevelopmentthroughproductionallthewaytopostproduction.Thisincludesthedemon-stratedabilitytodeployover-the-airsoftware-securityfixesevenafterthesaleofthevehicle.

OthercountrieslikeChinaandtheUShavesofarnotissuedsimilarregulations,onlyguidelinesandbestpractices.WeexpectthenewUNECEregulationtobecomeadefactostandardevenbeyondits

members.

Lookingattoday’spassengercarmarketvolumesinonlythetenlargestcountriesregulatedunderUNECEWP.29,thenewregulationswilllikelyaffectover20millionvehiclessoldworldwide.Thisdoesnotevenincludecommercialvehicles,oranyothertypeofmotorvehicleregulatedunderUNECEWP.29.

Exhibit1

Softwarevulnerabilitieshavebeenobservedacrosstheentiredigitalcarecosystem

In-vehicleservices

2018:Researchersdemonstrated>10vulnerabilitiesinvariouscarmodels,gaininglocalandremoteaccesstoinfotainment,telematics,andCANbuses

2018:Researchersexploitedvulnerabilitiesofsomeinfotainmentsystemsandgainedcontrolofmicrophones,speakers,andnavigationsystems

2015:ResearchersremotelysentcommandstotheCANbusofaspecificcarthathadanOBD2dongleinstalledtocontrolthecar’swindshieldwipersandbreaks

OEMback-endservices

2019:Malwareinfectedthebackend,makinglaptopsinstalledinpolicecarsunusable

2019:Vehicledataexposedduringregistrationallowedforremotedenial-of-serviceattacksoncars

2015:Researchersdemonstratedvulnerabilitieswithinthebackend,gainingaccesstodoorcontrol

Infrastructure/third-partyservices

2018:EVhomechargerscouldbecontrolledbyaccessingthehomeWi-Finetwork

2018:Securityissuesdiscoveredin13car-sharingapps

2017:Rentalcarcompaniesexposedpersonaldata

Enterprisetechnology

2019:Memoryvulnerabilityatacloudproviderexposeddataincl.passwords,APIkeys,andtokens

2019:HackofanOEM’sautomotivecloudviathird-partyservicesandtier-1suppliernetwork

2018:Cloudservershackedandusedforcryptomining

Productionandmaintenancesystems

2019:Amalwareinfectioncausedsignificantproductiondisruptionatacarpartsmanufacturer

2018:Anex-employeebreachedthecompanynetworkanddownloadedlargevolumesofpersonalinformation

2017:Ransomwarecausedthestopofproductionacrossseveralplants

Source:Presssearch

4UNECE,ProposalforanewUNRegulationonuniformprovisionsconcerningtheapprovalofvehicleswithregardtocybersecurityandoftheircybersecuritymanagementsystems;UNECE,ProposalforanewUNRegulationonuniformprovisionsconcerningtheapprovalofvehicleswithregardtosoftwareupdateprocessesandofsoftwareupdatemanagementsystems.

Cybersecurityinautomotive7

WhatisUNECE’sroleinregulatingautomotive

cybersecurity?

TheWorldForumforHarmonizationofVehicleRegulations(WP.29)isaworldwideregulatoryforumwithintheinstitutionalframeworkoftheUNEconomicCommissionforEurope(UNECE).Itestablishesregulatoryinstrumentsconcern-ingmotorvehiclesandmotorvehicleequip-mentinover60marketsglobally,basedon

threeUNagreementsadoptedin1958,1997,and1998.

Atthetimeofwritingthisreport,UNECEisdraftingaproposalfortwonewUNregulations.Thefirstregulationisonuniformprovisions

concerningtheapprovalofvehicleswithregardtocybersecurityandcybersecuritymanage-

mentsystems.Thesecondregulationisonvehiclesoftwareupdateprocessesandsoft-wareupdatemanagementsystems.Foreaseofreadability,we’llrefertobothregulationsastheUNECEWP.29regulationsoncybersecurityandsoftwareupdatesthroughoutthisreport.

OncethisproposalisacceptedbyUNECEandtheregulationsareadoptedbyitsmember

countries,OEMswillberequiredtoimplementspecificcybersecurityandsoftware-updatepracticesandcapabilitiesforvehicletypeapprov-als–effectivelyrenderingcybersecurityanonnegotiablecomponentoffuturevehicles.

Exhibit2

Carsinover60countrieswillbeaffectedunderthenewWorldForumforHarmonizationofVehicleRegulationsframeworkoncybersecurityandsoftwareupdates

WorldForumforHarmonizationofVehicleRegulations(WP.29)undertheUNEconomicCommissionforEurope(UNECE)

Countriespartytothe1958agreement1(asofDecember2018)

1“AgreementconcerningtheAdoptionofHarmonizedTechnicalUnitedNationsRegulationsforWheeledVehicles,EquipmentandPartswhichcanbeFittedand/orbeusedonWheeledVehiclesandtheConditionsforReciprocalRecognitionofApprovalsGrantedontheBasisoftheseUnitedNationsRegulations”(originalversionadoptedinGenevaonMarch20,1958)

Source:UNECEECE/TRANS/WP.29/343/Rev.27–StatusoftheAgreement,oftheannexedRegulationsandoftheamendmentsthereto–Revision27

Cybersecurityinautomotive8

2.Theautomotive

industryisrethinkingcybersecurity

alongtheentirevaluechain

Cybersecurityinautomotive9

Gettingcybersecurityrightrequireseffortsfrommultiplepartiesalongthevaluechain,fortheentiredigitallifecycleofmodernvehicles

Ultimately,OEMsareresponsibleforthehomo-logationoftheirvehiclesanddemonstratingtheiradherencetoregulationsandmandatorylegal

requirements.However,sinceOEMssourcea

largeshareoftheirvehiclecomponentsfrom

suppliersandsemiconductormanufacturers,

theirupstreamvaluechainpartnerswillalsobe

requiredtofollowandimplementstate-of-the-

artpracticestomitigatecybersecurityrisksand

producevehiclesthataresecurebydesign.Thesepartnersmustprovideevidenceofadheringtothe

regulationstosupportthetype-approvalprocess,whichistheresponsibilityoftheOEM.LookingatthecurrentdraftsoftheUNECEWP.29regu-lationsoncybersecurityandsoftwareupdates,itbecomesevidentthatthevaluechainisaffected

acrossfourareas(seeExhibit3):

—Cyber-riskmanagement.Automotiveplayersmustensureend-to-endcyber-riskmanage-mentandidentifyrelevantcyberrisksintheirvehicletypes(andinadjacentecosystem

componentsthatmightimpactvehiclesafetyorsecurity)andensurethattheyimplementmeasurestomitigatesuchrisks.Thisincludesreactingtoevolvingthreats.

—Securitybydesign.OEMsmustdevelopsecurevehiclesfromsteponebyadoptingstate-of-the-artpracticesinhardwareandsoftwareengineering,andensuringthatvehicletypes(andadjacentecosystemcomponentsthatmightimpactvehiclesafetyorsecurity)aredesigned,built,andtestedforsecurityissuesandanycyberrisksaremitigatedproperly.AlthoughOEMsareultimatelyresponsibleforcybersecurity,allparticipantsinthevaluechainneedtocontribute.

—Detectionandresponse.Vehiclemanufacturersmustbeabletodetecttechnicalvulnerabilitiesandsecurityissues(e.g.,cyberattacks)intheirvehiclesandadjacentecosystemcomponents(e.g.,thebackendorthird-partyservices)thatmightimpactvehiclesafetyorsecurity.

—Safeandsecureupdates.Automotiveplayersmustbeabletorespondtoanydetectedsecurityeventandprovidesoftwareupdatestofixsecu-rityissues.Todoso,theymustsystematicallyidentifytargetvehiclesforupdatesandensurethatsoftwareupdateswillnotharmcertifiedsafety-relevantsystemsandarecompatiblewiththevehicles’configuration.

Cybersecurityinautomotive10

Exhibit3

TheUNECEregulationisbrokendowninto4concreteareasof

cybersecurityandspansacrosstheentirevehiclelifecycleSIMPLIFIED

Connected-carlifecycle

DevelopmentProductionPost-production

Cyber-securitylifecycle

Manage

vehicle

cyberrisks

Identifyandmanagecyberriskstocertainvehicletypesacrossthesupplychain

Ensuretestingofsecurityofsystems

Reacttonewandevolvingcyberthreatsandvulnerabilities

Secure

vehicles

bydesign

Ensuresecurityinthedetaildesignphase,testinformation,andcollectevidenceacrossthefullsupplychain

Analyzecyberthreatsandcreatearisktreatmentplan

Buildsecurityintosystemdesignandcontainknownvulnerabilitiesin(re)usedHW/SW1components

TestthesecurityofHW/SW1

components(e.g.,withvulnerabilityscans,pentesting,codeanalysis)

ProtecttheintegrityofHW/SW1componentsfromsuppliers(e.g.,withcontractualclauses)

Protectaccesstotheproductionenvironment

(e.g.,softwareserversandtheflashingprocess)andunitsreceivedfromsuppliers

Detectandrespondtosecurity

incidents

Monitorandrespondtocyberattacksonvehiclesandtheirecosystem

Provide

safeandsecure

softwareupdates

Ensurefulltraceabilityofsoftwareversionsandvehicleconfigurationalongthevehiclelifecycle(initialandupdatedsoftware/configuration)

Identifytargetvehiclesforupdatesandassessimpacttocertifiedsystemsandcompatibilitywithvehicleconfiguration

Providesoftwareupdateswithout

impactingsafetyandsecurityimpact

1Hardware/software

Source:UNECEWP.29,“DraftRecommendationonSoftwareUpdatesoftheTaskForceonCybersecurityandOver-the-airissues,”ISO/SAE21434:2018committeedraft;McKinsey

Cybersecurityinautomotive11

Whilecertainpracticesarealreadyinplacetoday,theupcomingregulations,higherlevelsofenforce-ment,andpotentialliabilityimplicationswillrequireamuchmoreexplicitagreementbetweenpartiesalongtheautomotivevaluechainonwhatexact-lyisexpectedofeachother.Toadheretothis

higherlevelofrigor,weareexpectingautomotiveplayersto:

—Defineclearrolesandresponsibilitiesforvehiclecybersecurity(notjustenterprisecybersecurity)andestablishinterfacesandpointsofcontactforvehiclecybersecuritybetweenplayers

—Agreeonaminimumsetofcyber-riskmanage-mentandcybersecuritypracticesincon-tractualagreementsandderivemeasurableservicelevelssimilartowhathasbeengoodpracticeinotherdimensionsofvehiclequality(e.g.,safety)

—Clarifyorganizational,technical,andlegal

(e.g.,IP)prerequisitesthatallowsecuritytestingandattestationofvehiclesoftwaresecurityoftheentireE/EvehiclearchitectureordowntotheindividualECU.

However,securitydoesnotstopattheproductionofvehicles–itisimportantthroughouttheentirevehiclelifecycle,assecurityvulnerabilitiescanbediscoveredatanygiventime.ItwillrequireOEMsandsupplierstocontinuallydetectandreactto

securityissuesuntilvehicleshavereachedtheirendoflife,justasweexpectaircraftorengineman-ufacturerstocontinuouslymonitortheiraircraftsandenginestodetectandfixanyoperational,

safety,orsecurityissuesforaslongasthatequip-mentisinusebyanyowner.

Cybersecurityinautomotive12

Newstandardswillraisethebarforvehiclecybersecurityandallowforindependentattestationofanauto-motivecompany’ssecuritypractices

Currently,onlynarrowstandardsandguidelinesexistforspecifictechnicalproceduresforsecuringhardwareandsoftwareinvehicles,e.g.,standardsforhardwareencryptionorsecurecommunicationofECUs(seeExhibit4).WhiletheUNECEWP.29regulationsoncybersecurityandsoftwareupdates

setanorganizationalframeworkandminimumrequirementsthatimpactallautomotiveplayersalongthevaluechain,theydonotprovideanydetailedguidanceonoperationalpractices.

However,thenewISO/SAE21434standard,

“Roadvehicles–cybersecurityengineering,”(stillaworkingdraft)isseenbyindustryexpertsasthefirststandardthatlaysoutclearorganiza-tional,procedural,andtechnicalrequirementsthroughoutthevehiclelifecycle,fromdevelopmenttoproductiontoafter-sales.Inparallel,theISO/

Exhibit4(1/2)

Unlikeinotherindustries,cybersecurityhasremainedunregulatedintheautomotiveindustrybeyondgeneralITregulations

Regulation/law

Standard

Bestpractice/framework

Draft/notpublished

Ecosystemcomponent

OperatingtechnologyInformationtechnology

OrganizationConnectedcar

OEMproductionOT

Vehicleinfrastructure

OEMback-endservices

AutomotiveplayerenterpriseIT

AUTOMOTIVEENGINEERING

UNECE

WP.29regulationoncy

bersecurityandsoftware

updates

NHTSA

CybersecurityBestPract

icesforModernVehicles

AutomatedDrivingSystems2.0

VDA

InformationSecurityAssessment

IPA

ApproachesforVehicleInformationSecurity

MIIT

NationalGuidelinesfor

DevelopingtheStandar

dsSystemoftheTelema

ticsIndustry

AutoSAR

SecureOnboardCommunications

ISO

ISO26262

ISO/SAE21434

ISO/AWI24089

ISO/AWI24089

SAE

SAEJ3061

SAEJ3101

AUTOSIG

AutomotiveSPICE

AutoAlliance

ConsumerPrivacyProt

ectionPrinciples(CPPP)

forVehicleTechnologies

andServices

Cybersecurityinautomotive13

AWI24089standard,“Roadvehicles–softwareupdateengineering,”isalsocurrentlyunderdevel-opment.Althoughitisnotdedicatedtocyber-security,weexpectittocontaincybersecurity-relatedcontent.Afirstdraftisexpectedbymid-2020andsomemoretimewillbeneededtofinalizeit.

Thesestandardswillallowtheindustrytoimplementcommoncybersecuritypracticesspecifictovehicledevelopmentandmanufacturing.Theywillalsoallowanassessmentofadh