In-Depth Interviews – Regulation of Cyber-Security in Smart and Connected Vehicles

To improve vehicle safety, efficiency and travel experience, new cars are now equipped with sophisticated technologies. Mechanical systems have been digitized; sensors mounted on cars assist in lane preservation and emergency braking; and onboard infotainment systems provide the driver with traffic data while entertaining back-seat passengers.

This digitization process comes at a price. As cars come to resemble computers, they incur similar vulnerabilities, including the risk of crippling cyber-attacks. A hacker penetrating the vehicle CAN-BUS system will gain effective control of the digital systems connected to it, resulting in various harms ranging from criminal data theft to massive vehicle hacks in a weaponized 9/11 style crash.

This study sought to discover what practitioners – cyber specialists, component makers, car manufacturers, financiers and regulators – think about this upcoming cyber-hazard and the regulatory challenges involved. 28 in-depth anonymous interviews were conducted on topics ranging from defining the market, cyber risks, measures already taken and predictions regarding the future.

The results of this study point towards three main characteristics of the smart car cyber security field.

The first commonality emanating from respondents is the relative nascency of the smart-car cybersecurity field. On the one hand, the theoretical threat of vehicle cyber-hacking and the potential dangers are high. On the other hand, due to limited distribution of high-tech vehicle systems and connectivity technologies connected to core systems, the potential risks have not yet actualized. Companies have not entered into an advanced threat analysis process; insurance for this type of risk is not in demand, and regulations addressing the potential threat are only just being drafted.

The second conclusion of this study is the trend towards decentralized and international, rather than national regulation of vehicle cybersecurity. Respondents focused on either private expert-based standard institutions such as ISO or international organizations such as WP-29 of the UNECE. This trend can be explained by the international characteristics of both the vehicle and cybersecurity markets. Any unique aspect of national regulations will hinder international commerce and make the import of technologies to each country difficult due to the need to adapt.

The third conclusion of the study is the apparent lack of sufficient communication between Israeli regulators and the developed local cybersecurity industry. Although the Israeli government has decided to actively promote autonomous, shared and electric transportation, actions in this arena have yet to include the vehicle cybersecurity industry. Respondents from the private sector showed a lack of knowledge regarding the relevant regulators and were not aware of any local restraints.

In line with these conclusions, this study recommends that as long as the risk remains relatively low, regulators should focus on data gathering and preparation to improve their future response. Another recommendation is that local regulations should not be unique and should instead focus on fast and efficient adaptation of international standards. Finally, it is recommended that cooperation between local manufacturers and government be formalized for the benefit of all parties.

 

 
