Automotive Cybersecurity: risks and basic regulatory framework

Reading time: 3 minutes - Difficulty: Medium
The automotive sector is seeing a sharp increase in the use of smart technologies, software, and vehicle connectivity, which is changing how we understand mobility. Physical security and cybersecurity assurance have become extensive and essential across most manufacturing and consumer sectors, and the automotive sector is no exception when it comes to cybersecurity.

What the statistics say about cyber attacks on cars

According to Upstream Security's observations, automotive cyber attack vectors are quite varied, but in more than 50% of cases they involve the breach of remote access servers and applications.

Intrusions occur 15% of the time through infotainment systems and mobile apps. Attacks on electric charging infrastructure are also on the rise, ranking among the top five causes of cyber damage affecting drivers, followed by smaller risks such as malicious intrusions spread through Bluetooth systems.


An attack on a vehicle can take place locally, using industry-specific techniques, or remotely over the Web using more classic methods that pass through the OEM's data centers or online applications.

The motive is easy to state. An attacker may act locally to gain access to the vehicle and attempt, for example, to steal it; web-based intrusions, on the other hand, are usually aimed at immobilizing vehicle fleets or spreading malware.

The point is that each of these cybersecurity threats affects the safety and functionality of vehicles, with potential damage to property or people, just as in many other contexts.

The United Nations Economic Commission for Europe (UNECE) has therefore issued, through WP.29 (the World Forum for Harmonization of Vehicle Regulations), specific regulations for automotive cybersecurity.


Regulatory framework for Automotive Cybersecurity

The main regulations for Automotive Cybersecurity are:

  • Regulation No. 155, which covers the cybersecurity management system (CSMS) that OEMs must apply to vehicle development and to the supply chain
  • Regulation No. 156, which deals with software updates and the software update management system (SUMS) that the OEM must operate

UNECE includes 58 States and covers cars, vans, trucks, coaches, buses, agricultural vehicles and non-road mobile machinery. Compliance with the above regulations is mandatory for manufacturers in UNECE States.

In Europe, for example, UNECE regulations are implemented through the Vehicle General Safety Regulation, which sets out principles for advanced driver assistance systems (mandatory in order to improve road safety) and establishes the legal framework for the approval of automated and fully driverless vehicles.

Since these are newly introduced regulations, a transition period applies: by July 7, 2024, OEMs in Europe will have to demonstrate, under UNECE Regulation No. 155, that cybersecurity has been sufficiently considered during product development.

The same applies to software, as per Regulation No. 156.


ISO 21434: the Automotive Cybersecurity standard

To facilitate the implementation of Regulations No. 155 and No. 156, ISO, together with SAE (the Society of Automotive Engineers), has issued a few standards.

  • ISO 21434 is the means of complying with Regulation No. 155: it sets out the requirements for the cybersecurity management system (CSMS), and demonstrated conformity with it serves as proof of cybersecurity for newly approved vehicles.
  • ISO 24089, on the other hand, is the guide for the software update process and relates, as noted above, to Regulation No. 156.