Introducing the 2024 PKI & Digital Trust Report     | Download the Report

Navigating the Path to Enhanced Cybersecurity in the Automotive Sector

Internet der Dinge (IoT)

The modern automobile is a complex, connected device. While it provides more possible services and functions, it also is exposed to numerous cybersecurity vulnerabilities. 

Regulatory framework and guidelines

SAE J3061: Cybersecurity Guidebook for Cyber-Physical Vehicle Systems – a framework for designing and evaluating cybersecurity measures in the development process. It introduces concepts like the Cybersecurity Lifecycle (CSL) and recommends practices for risk assessment, threat analysis, and incident responses.

ISO/SAE 21434: Road vehicles – Cybersecurity engineering – specifies requirements for cybersecurity risk management. It includes design and development, production, operation, maintenance, and decommissioning of electrical and electronic systems in vehicles. This includes passing the cybersecurity requirements down the automotive supply chain to tier-1 and below suppliers.

NHTSA Cybersecurity Best Practices: The National Highway Traffic Safety Administration (NHTSA) issued best practices for improving motor vehicle cybersecurity. The recommendations address various aspects of cybersecurity, like security by design, threat detection and prevention, incident response, and industry collaboration.

UNECE WP.29: A primarily European standard, but compliance is required to sell vehicles into the European Union. The primary regulations of R155 and R156 deal with creating a Cybersecurity Management System (CSMS) and a Software Update Management System (SUMS) respectively.  

Decoding PKI in the automotive industry

The frameworks listed above do not specifically mention PKI. However, PKI is critical in documenting a company’s compliance with best practices.  

PKI involves the use of private and public keys to secure communications. In the automotive context, it facilitates secure exchanges of information across various domains:

Vehicle-to-Everything (V2X) Communication: This includes Vehicle-to-Vehicle (V2V), and Vehicle-to-Infrastructure (V2I), Vehicle-to-Pedestrian (V2P), Vehicle-to-Home (V2H), etc. V2X is essential for sharing vital information about vehicle operations and road conditions. By leveraging PKI, the devices can ensure the authenticity and trustworthiness of the data exchanged, enhancing safety.

Plug and Charge (PnC) Communication: PnC technology skips the credit card through seamless, automated payments. PKI plays a crucial role in this ecosystem, securing the communications and transactions between vehicles, charging stations, and backend systems (ISO 15118).

Vehicle-to-Cloud (V2C) Communication: V2C is used where data needs to be shared over time and space, such as in remote areas. PKI ensures that data exchanged between vehicles and backend systems is secure and maintains integrity and confidentiality.

Secure Over-the-Air (OTA) Updates: Critical for remote vehicle updates, OTA uses PKI to authenticate data sources and ensure the update is secure and tamper-proof.

Secure Boot: Critical to preventing power-on attacks, secure boot ensures that a vehicle’s software is the latest version and has not been compromised.

Post-Quantum Computing (PQC): Quantum-resistant algorithms are rapidly approaching. The automotive industry will have to update cryptography on existing vehicles, so crypto-agility is necessary for futureproofing. 

Challenges and solutions in PKI implementation

The integration of PKI into automotive systems has its challenges. Issues such as scalability, digital identity lifecycle management, and the diversity of the automotive ecosystem pose significant hurdles. However, the industry is making strides:

Collaborations and Partnerships: Automakers, technology providers, and cybersecurity experts are joining forces to create scalable, secure PKI solutions tailored for the automotive sector.

Open Standards and Protocols: These are crucial for consistent cybersecurity practices across different vehicle brands and models.

Lifecycle Management: Certificate lifecycle managers targeting IoT use cases facilitate remotely managing PKI certificates and trust chains. This ensures dynamic and robust vehicle security over the 10- to 20-year vehicle lifetime, which is critical for post-quantum agility. 

The road forward

As the lines between technology and automotive industries blur, the role of cybersecurity becomes more critical. PKI offers a robust framework to protect this new era of digital mobility. By understanding and addressing the complexities of PKI, the automotive industry can navigate the challenges of this digital transformation effectively.

The journey towards a secure automotive future is complex but achievable through continued innovation, standardization, and collaboration. For automakers and consumers alike, this paves the way for a future where connected driving is as secure as it is transformative. 

For more insights into issuing and managing secure digital identities for both IoT and Enterprise, contact us at [email protected]