“Human life is involved, so cybersecurity is a top priority for us,” said Kevin Tierney, vice president of global cybersecurity for General Motors. The company, which has 90 full-time cybersecurity engineers, practices what it calls “defense in depth,” removing unnecessary software and creating rules that allow vehicle systems to only communicate with each other when needed.
This practice is also followed by Volkswagen, said Maj-Britt Peters, a spokeswoman for the company’s software and technology group. She found that Volkswagen’s sensitive vehicle control systems are kept in separate areas.
Continental, a major supplier of electronic parts to automakers, uses an intruder detection and prevention system to ward off attacks. “If the throttle sensor speaks to the airbag, that’s not planned,” said Smoly. “We can stop doing that, but we wouldn’t do it while the vehicle is moving.”
Even so, determined hackers will eventually find a way. To date, vehicle cybersecurity has been a patchwork quilt with no international standards or regulations. But that will change soon.
This year, a United Nations regulation on vehicle cybersecurity came into force, requiring manufacturers to conduct various risk assessments and report intrusion attempts to certify cybersecurity readiness. The regulation comes into force for all vehicles sold in Europe from July 2024 and in Japan and South Korea from 2022.
While the United States isn’t among the 54 signatories, vehicles sold in America likely aren’t built to meet different cybersecurity standards than vehicles sold elsewhere, and vice versa.
“The UN regulation is a global standard and we have to meet global standards,” said Tierney of GM.