The European Union's new Euro 7 emissions standard, effective from November 2024, introduces mandatory cybersecurity requirements for vehicles sold in the EU. These rules aim to prevent data tampering and protect sensitive information, particularly concerning emissions and battery data. This shift addresses past scandals like "Dieselgate" and the growing cyber threats from connected and electric vehicles. The requirements compel manufacturers to conduct risk assessments and demonstrate secure software development to ensure data integrity for regulatory compliance.
EU Auto Rules Shift Gears on Cybersecurity Standards
The European Union is taking new precautions as climate change and cybersecurity threats rise across the automotive industry.
If manufacturers want to sell new vehicles in Europe next year, they must not only adhere to updated emission standards, but for the first time, prioritize cybersecurity as well.
The European Union's (EU) latest emissions standard, dubbed Euro 7, sets new and updated regulations for all gasoline, diesel, and electric vehicles as part of the Union's work toward achieving zero pollution. Deadline dates are swiftly approaching following publication in 2024; the EU will enforce Euro 7 in phases beginning this November.
Among the array of emission and exhaust limit standards, air quality objectives, and environmental data requests sit a series of cybersecurity requirements. The measures focus on preventing tampering and protecting sensitive data as roads become saturated with electric-powered vehicles – some without a human behind the wheel.
The EU urged manufacturers to "ensure the secure transmission of data related to emissions and battery durability" by taking cybersecurity measures. That includes obtaining security certificates on risk assessment, threat mitigation, and secure software development throughout the lifecycle.
In Euro 7, regulators warned that the "tampering of vehicles to remove or deactivate parts of the pollution control systems is a well-known problem." Odometer tampering that can "lead to false mileage" and "hamper the proper in-service control of a vehicle" was another concern expressed in the 2024 document.
Experts agree that cybersecurity provisions are fairly new to the EU's vehicle emission directives and reflect a landscape riddled with change, from both an emerging technology and a threat perspective.
The Trouble with Tampering
Cybersecurity's addition to Euro 7 could be related to "Dieselgate," a 2015 scandal where Volkswagen was charged with installing software to fake the results of emissions and fuel-efficiency testing. However, and more importantly, it's a continuation of improvements for emission standards in Europe, says Dr. Liz James, managing security consultant at NCC Group.
Cybersecurity requirements were not explicit in past directives. Now, the objective of taking accurate measurements of emissions from a vehicle over a lifetime is itself under cyber threat, adds James. That begs the question, how can the regulators capture data and ensure it cannot be tampered with or modified?
The EU needs a way to track and manage emissions more efficiently to reduce pollution, and that means trustable data is essential. Euro 7 builds the framework on how to hold the industry accountable, explains James.
Data tampering was an ongoing concern, but now Euro 7 ties it into UN Regulation No. 555 around cybersecurity management systems, she adds. The regulation aims to set uniform provisions for vehicle approvals. Auto manufacturers must "demonstrate" that they conducted thorough risk and threat analyses to mitigate vulnerabilities and prevent unauthorized access to the vehicle or communication systems.
"Compliance with these emissions standards means you have to explicitly show those threats have been managed," James adds.
If regulators want to reduce emissions, one of their biggest potential opponents is the manufacturers themselves who are responsible for managing emissions, notes James. It all boils down to helping regulators ensure the accuracy of information despite so many car companies involved having incentives to manipulate and modify that data.
"If you have a huge deviation between different manufacturers, now you have the ability to question, is that because they're actually producing more efficient systems or is something suspicious going on?" James says.
What Happens if Threats Materialize?
These days, vehicle systems are increasingly interconnected, advanced, and driven by software, which inevitably contains vulnerabilities. If manufacturers do not mitigate vulnerabilities, threat actors can hack the car's systems, warns Nikhil Gupta, professor at the department of mechanical and aerospace engineering at New York University.
Hackers could breach the GPS to gain sensitive location information, and if financial information is saved in the system, data and financial theft could be a concern. Many of those services are running on subscriptions, Gupta warns. "Cybersecurity will be important there too," he says.
The auto manufacturing platform is integrated as well, and the integration piece poses the biggest concern for people, explains Gupta. The software on one car model can be sourced from different vendors and integration processes may not always go smoothly. Plus, one piece of vulnerable software could hurt the rest of the supply chain.
Automotive companies must also worry about car parts controlled by software. That means a hacker could manipulate brakes and make the hardware malfunction, warns Gupta.
"How do you develop a trusted system?" he says. "That is the crux."
Will the Industry Push Back?
While cybersecurity measures are newer to EU emission regulations, experts agree they will not be too difficult to implement, especially since cybersecurity requirements for software already exist.
Companies will mainly be concerned about integration, reiterates Gupta. Different vendors will supply certain pieces and create cyber-secure systems for their own software, but now the car company must integrate all of those together, he adds. He notes integration is one area that may take additional time to implement.
"The only concern is: Can we meet the timelines?" Gupta says. "But cyber is a concern for everyone, so I don't think there's a resistance from the industry."
Manufacturers already face immense cyber threats on the factory floor, so cybersecurity is on their minds. Now, it's getting more formalized for the automation systems, adds Gupta.
James agrees that certain aspects of Euro 7 shouldn't be difficult for companies to comply with because the regulations don't "say how you need to mitigate it," but rather urge them to "manage risk appropriately." However, security requirements could be challenging for certain manufacturers who were not doing it prior to the Euro 7 publication.
Implementation takes a level of maturity, says James. Manufacturers of heavy machinery and vehicles with large emissions may not be as prepared.
"They're doing some of it already, it's just figuring out what is truly new," James says. "The reality is, we don't want to stop people from making things, but it's around incentivizing the right behaviors and encouraging a maturity process."