Meeting cybersecurity standards is an increasingly significant challenge for OEMs, though intelligent tech integrations and working with expert partners can streamline the process. We spoke with our Plug and Charge partners, Irdeto, to continue the conversation around automotive cybersecurity and to understand its impact, which is only likely to increase over time as the complexity of cybersecurity rules increases. Automakers have to get ahead of the curve now to ensure cybersecurity compliance where required and prevent impacts on vehicle safety, production and sales.
We recently published a blog post outlining some of the cybersecurity challenges facing car manufacturers as new regulations including UNECE R155 and R156 come into force. Today, we speak to Juha Hytönen, Senior Director, Electric Vehicles at cybersecurity experts Irdeto, to understand more about some of the key cybersecurity issues facing automotive OEMs.
Cybersecurity in cars has already gone from being a niche area where solutions were retrofitted into vehicles, as and when needed, to a fundamental element of vehicles’ makeup, designed into them from the start. Parkopedia and Irdeto are working together to provide streamlined in-car solutions that offer the greatest functionality with the most seamless integrations possible, providing strong protections for drivers and the greatest simplicity for automakers.
What are your wider perspectives on today’s cybersecurity in AutoTech?
The first wave of cybersecurity has been implemented, with approaches now being optimised for new platforms. The maturity level has clearly risen across the industry and significant vehicle-related hacks have largely been avoided. Overall, the focus will likely now shift to OEM back-end services and manufacturing, where we see more hacker activity that needs to be prevented, thus additional value created in the services we provide.
How does R155/R156 legislation impact Plug&Charge?
UN R155/R156 rules affect Plug&Charge in the same way as they impact the design of any ECU. Overall, ISO 15118 and the related VDA guidance are aligned with, albeit only a subset of, the requirements of R155/R156.
How complex is it for OEMs and third-party providers to assess cybersecurity issues together and make sure suppliers are fully compliant?
Working together to ensure full cybersecurity compliance is a significant challenge for OEMs and third-party suppliers and will remain a utopia for the time being. This is especially true in software supply chains in modern vehicles as related systems are deeply embedded and sometimes involve cross-organisational borders that cannot be controlled by OEMs (as is the case with their cloud infrastructure providers). This becomes even more complex in a world where over-the-air software updates are the norm.
However, the practice of software composition analysis, for example, has been part of the automotive industry for a long time and the concept of the (S)BOM required for supply chain management is not an entirely new concept. Consequently, the cybersecurity capabilities of both OEMs and the Tier-1 suppliers of in-car systems are constantly improving. This is in part supported by the regulatory push in other industries to develop similar capabilities, which improves the coverage and availability of tools and information for everyone.
What are some of the measures Parkopedia and Irdeto are implementing to ensure our services are secure and compliant?
Irdeto implements an information security management system that follows the ISO 27001 standard. This includes the expected organisational, people, physical, and technological controls along with a few others. One key differentiator to many other companies is that Irdeto owns and controls the technology, people and facilities used to deliver our services end-to-end. Additionally, we carry out both internal and external tests to ensure that our cybersecurity posture remains robust.
Simultaneously, Parkopedia provides automotive-grade connected services and maintains the complete set of automotive and financial services certification and compliance standards. These cover security and privacy, payment processing standards, quality standards, automotive-specific standards, and environmental standards. Altogether, this approach to certification means that Parkopedia’s entire business processes are set up with compliance in mind.
China is not signed up to the UNECE rules - what are the potential risks of this for Chinese OEMs?
Chinese OEMs will face additional effort in meeting the UNECE requirements and an increased risk of being non-compliant. This is a more significant threat now that many Chinese OEMs are looking to global markets to increase sales and any hurdles or additional costs in gaining compliance could harm the expansion of their brands.
However, there should be greater awareness about the potential risks to European and US societies of non-compliant connected vehicles. It may be wise to consider how to ensure the privacy of our citizens and prevent foreign fleets from potentially being tampered with.
What benefits do back-end to back-end integrations offer to OEMs?
With the Parkopedia and Irdeto service offering, the key benefits are the simplicity - maximum value, experience and consumer choice with one integration, which is not subject to R155/R156 rules. At the same time, significant security hurdles for OEMs are outsourced to proven hands with Irdeto, for example, handling more than two billion encryption keys and certificates to date without incident.
Back-end to back-end integrations change the risk profile and avoid R155/R156 stipulations, but are still covered by legislation such as the EU Cybersecurity Act or Critical Entities Resilience Act. This means that it’s important to understand which rules apply. However, the IT security domain for back-ends is well established, so this is not typically problematic and enables the focus of the service to remain on value creation and convenience for drivers.