CYBERSECURITY

However, Regulation 155’s requirement for whole-lifecycle cybersecurity is a challenge no other sector is facing, he says. “Microsoft switched off Windows XP after eight years because it was no longer secure, but here we’re dealing with a regulation saying ‘until end of life’ – for a tractor, that could be 40 years.

“Looking at such a long lifecycle, technically you have two things that will change over time. Hardware degrades – at some point, even with an over-the-air update capability, you will not be able to update the hardware because it will no longer support it. Software degrades as well, and that’s not always top of mind – think of wi-fi security standards, like WPA2, which was hacked. Maybe eight years down the road they will need to reevaluate whether certain functions and features need to be switched off because they’re so unsecure.”

One certainty is that cyberattacks are increasingly frequent and severe. Upstream’s latest Global Automotive Cybersecurity Report reveals that high- and massive-scale incidents (affecting thousands and millions of assets) increased by 150% during 2023. One in 12 of these attacks targeted personally identifiable information (PII) such as location, use patterns and driver behavior. Attacks on infotainment systems effectively doubled, from 8% to 15%.

OEMs’ back-office servers are under threat. As more data is exchanged between phones and cars, the risk of unauthorized access to sensitive information escalates too, because these servers store PII for thousands or millions of users and there is no need to target the vehicle itself.

“What the industry can learn is what’s true for everything digital and connected: secure by design, implement it well and be transparent with your customer about what type of data you have, what you are sharing and how you can delete it,” says Serio. “Compliance is one thing and being cybersafe and secure is obviously another thing. It’s not a matter of the brand, it’s a matter of the mindset. Dealing with the challenge of cybersecurity, privacy and safety reflects on everything that is produced by that company.”

“It could be hard to really understand what these AI algorithms are doing”
Tomas Bodeklint, research and business developer, vehicle and automation department, RISE

Cause for concern

OEMs are finding new uses for AI in vehicles but it’s impossible to tell how that data is being stored, shared and used

Application programming interfaces (APIs) are an important foundation of an increasingly digital world, enabling different software to communicate with one another. In automotive, they’ve found uses in infotainment, mobility services, EV charging and OEMs’ smartphone apps – all of which could include sensitive information.

They are also a significant attack vector, involved in 13% of attacks in 2023, according to Upstream Security. The company warns that artificial intelligence could extend that threat by studying leaked or publicly available API documentation for vulnerabilities faster than human hackers can.

RISE’s Tomas Bodeklint believes machine learning tools could also identify anomalies faster than humans and improve threat detection, but adds that this could have other implications for OEMs. The European Union’s AI Act will ban or control the use of applications that could cause harm, and sets out guidelines for use and accountability. This could be influential, Bodeklint says.

“There is a lot of discussion now on how to regulate AI. I think that might be something that hits the automotive industry as well, because they are already using AI functions in new vehicles,” he explains. “It could be hard to really understand what these AI algorithms are doing, storing and sharing, because they’re more or less working by themselves.”

At RISE’s Cyber Test Lab for Automotive, vehicles can be assessed using the latest in cyber technology and the world’s most rigorous test methods

26 JUNE 2024 www.AutomotiveTestingTechnologyInternational.com