Out-Law News 1 min. read

Connected cars should be subject to third-party cybersecurity evaluations says EU agency

Technology developed to enhance car user experience or vehicle safety should be the subject of independent third-party cybersecurity testing, an EU agency has said.

The European Union Agency for Network and Information Security (ENISA) said an "independent evaluation scheme" would help ensure technology developed for new 'connected cars', such as telematics, connected infotainment or intra-vehicular communication systems, is not vulnerable to hackers.

Existing car safety standards only "marginally address security", and "do not protect against attacks", ENISA said.

"In order to overcome this challenge, the industry should define security validation processes that explicitly address abuse cases and attacks, which requires a simulation of such attacks (in other words, penetration testing)," ENISA said in a new report. "This requires different skills, and a different mindset as validation testing based on compliance to specifications. For this reason, we recommend to build upon the existing skills and evaluations schemes already in use amongst security professionals."

ENISA said an industry consortium currently developing security protocols for car-to-car communications is one example of the type of scheme it envisages.

"The integration of the common criteria scheme ensures the security assessment by skilled third-party laboratories, supervised by national cybersecurity agencies, following a standard process," it said.

In its report, ENISA warned that a cyber attack on a 'smart car' "would threaten the safety and privacy of passengers and other citizens". It set out a number of good practices that could be deployed to safeguard connected cars against cyber risks.

The agency urged for businesses active in the connected cars market to "establish holistic secure development processes for their products", which include "design, development, testing, and security maintenance in the field".

ENISA also stressed that more information sharing is "essential" to address the cyber risks facing the industry.

Better information sharing could lead to new security standards being developed, more scrutiny of existing "security mechanisms", help the development of cybersecurity skills across the industry, and "support the detection and mediation of security issues", it said.

New legislation might also address the issue of who is liable for incidents stemming from cybersecurity failings, ENISA said.

"The question of where liability may fall lies between tier actors, car manufacturers, the vendors, aftermarket support operators and the end users," ENISA said. "The liability issues have to be addressed in the context of national legislation and case law. Where gaps are identified in national legislation, these should be addressed."

ENISA said that systems for autonomous vehicles were outside the scope of its report.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.