The connected vehicle, through the collection and analysis of data, aims to ease transportation in overcrowded cities while playing a key role in safety, eco-driving, fuel consumption reduction, and lowering carbon emissions. Since 2018, the European Commission has required car manufacturers to equip all new vehicles with an automatic emergency call system known as eCall (emergency call) or eCall112. This system is designed to reduce emergency response times by 50% in rural areas and up to 60% in urban areas. Thanks to these connected tools, more lives could be saved. The entire vehicle fleet is expected to be equipped with such systems by 2035.
Legitimate concerns
This interconnected transportation world must also tackle the new challenges of rapid digitization and address the cyber threat. With these digitized interfaces, numerous information systems and sensors, the hijacking of a vehicle or aircraft, paralyzing an airport, derailing a train, or causing a road accident by disrupting signaling data are all very real—and in some cases, already proven—possibilities.
And the stakes are high. In France, SNCF transports 9 million people daily on 17,000 trains, which, in the Île-de-France region alone, is equivalent to an A380 taking off every seven seconds. Globally, 11 billion tons of goods are transported by sea each year (source: McKinsey 2022).
In the automotive sector, McKinsey highlights that cars now contain over 150 million lines of code—a figure expected to triple by 2030. In comparison, a commercial aircraft contains around 25 million lines, and a standard PC operating system about 45 million.
Unsurprisingly, Gartner 2023 predicts that the global automotive cybersecurity market is growing rapidly and is expected to approach $8 billion by 2026.
Strong international standards
With a heightened awareness of these issues, the automotive industry is regulating its global ecosystem through dedicated assessments. Standards are emerging with a strong intent to regulate through constraint. The global automotive industry must protect its infrastructure from cybercriminals aiming to steal data and take control of automated systems for malicious purposes.
In the United States, as early as 2016, the Committee on Cybersecurity Engineering for Vehicle Systems published the Cybersecurity Guidebook for Cyber-Physical Vehicle Systems—a manual defining a framework covering the entire vehicle lifecycle. This enables each organization to integrate cybersecurity into connected vehicle systems, from design and production to use, maintenance, and decommissioning.
Since 2022, a regulation by UNECE (United Nations Economic Commission for Europe) requires car manufacturers to demonstrate they have implemented processes to assess cyber risks affecting their vehicles and to comply with all cybersecurity requirements before marketing them.
To go further, the international standard ISO/SAE 21434 allows organizations to define cybersecurity policies and processes, manage cybersecurity risks, and foster a culture of cybersecurity. To achieve the required level of quality assurance before vehicle production, manufacturers must adopt tools for simplified, integrated, dynamic, and continuous risk assessment, analysis, and management.
This standard thus outlines a framework for improving collaboration on cybersecurity within the automotive sector, leading to the development of technologies and solutions that better respond to constantly evolving cybersecurity challenges. Information sharing among manufacturers is essential. While this cooperation is already well underway in the United States—where automotive industry players share and analyze data on vehicle vulnerabilities and contribute to cybersecurity technology improvements—the approach must be expanded globally.
Promising outlook
The United Nations already considers this standard a reference document for implementing Cybersecurity Management Systems (CSMS)—a requirement of the recently adopted UN regulation on vehicle cybersecurity.
New work has also begun on a Publicly Available Specification, ISO/PAS 5112, which details guidelines for auditing organizations in the field of cybersecurity engineering.
The ultimate goal is to make the standard commonplace in the industry's engineering practices and increase awareness of the associated challenges. This will notably involve integrating the standard into the training programs of future engineers.
