News Item

How to Secure the Connected & Automated Mobility (CAM) Ecosystem

The European Union Agency for Cybersecurity discloses an in-depth analysis of the cybersecurity challenges faced by the CAM sector and provides actionable recommendations to mitigate them.

Published on May 05, 2021

The Connected and Automated Mobility sector in a nutshell

Today, connected vehicles, environments and infrastructures need to be designed with new capabilities and features. These capabilities and features should aim to provide:

  • increased safety;
  • better vehicle performance;
  • competitive digital products and services;
  • improved comfort;
  • environmental friendliness;
  • user-friendly systems and equipment convenient for its customers.

The Connected and Automated Mobility (CAM) sector is a whole ecosystem of services, operations and infrastructures formed by a wide variety of actors and stakeholders.

This ecosystem not only generates transformation in the industries but also considers how to meet the needs of the citizens. It is therefore intended to ensure transportation is made safer and easier. In addition, it also needs to align with the EU efforts towards cleaner, cheaper and healthier forms of private and public transport.

The recommendations proposed by ENISA aim to guide all CAM stakeholders in today’s context of growing cybersecurity threats and concerns.

In order to aggregate the information presented in the new report released today, ENISA performed surveys, interviews and an extensive desktop research of official statistics. The subsequent findings were validated through discussions with key stakeholders from the CAM sector.

The recommendations issued contribute to the improvement and harmonisation of cybersecurity in the CAM ecosystem in the European Union. 

ENISA Report – Recommendations for the Security of Connected and Automated Mobility (CAM)

New policy initiatives: what do we need to know?

Under a new regulation set by the United Nations, car manufacturers are required to secure vehicles against cyberattacks. With the upcoming transposition of the United Nations' regulations into EU policy, the new regulation on cybersecurity will be mandatory in the European Union for all new vehicle types from July 2022 and will become mandatory for all new vehicles produced, regardless of the type, from July 2024.

It is important to remember that the UNECE Regulations and related ISO standards do not apply to all CAM stakeholders. The types of vehicles the regulation applies to include passenger cars, vans, trucks and buses, light four-wheeler vehicles if equipped with automated driving functionalities from level 3 onwards.

Target audience

The report is intended to support the work of the European Commission and the EU Member States’ competent authorities in the transposition of the UN cybersecurity regulation into EU policy.

Decision-makers who are responsible for the protection of security and resilience of the CAM ecosystem at EU level will find in the report the relevant cybersecurity measures and key challenges they need to consider to draft their cybersecurity baseline.

The report is also expected to be of particular interest to Operators of Intelligent Transport Systems (OITS), Original Equipment Manufacturers (OEMs), Road Authorities (RA), Smart City Operators, system providers, mobility service providers and standardisation bodies among others.

Which challenges does the report identify?

The report published today provides recommendations for each challenge identified, such as:

Governance and cybersecurity integration into corporate activity

Cybersecurity governance in the CAM ecosystem represents an organisational and technical challenge for all stakeholders concerned. Recommendations given include:

  • promote the integration of cybersecurity along with digital transformation at the board level in the organisation;
  • promote procurement processes to integrate cybersecurity risk-oriented requirements.

Technical complexity in the CAM ecosystem

Dependencies, interactions and supply chain management in this sector are a well-known challenge acknowledged by the majority of the actors involved. Recommendations given include:

  • promote the use of suitable certification schemes;
  • promote security assessment for both on-board and off-board solutions and standardise the discovery and remediation of vulnerabilities during the lifetime of the product.

Lack of expertise and skilled resources for CAM cybersecurity

The lack of human resources with expertise in cybersecurity on the market is a major obstacle that hinders the adoption of security measures specific to CAM products and solutions.

  • encourage cross-functional security and safety knowledge exchange between IT/OT and mobility experts respectively;
  • introduce programmes at schools and universities to address the lack of security and safety knowledge across the industry.

Such challenges are only an example of the important challenges addressed in the ENISA Report – Recommendations for the Security of Connected and Automated Mobility (CAM).

Further information

ENISA is already engaged in the cybersecurity of smart cars and intelligent transport systems and issued publications of existing standardisation, legislative and policy initiatives, as well as good practices and security measures to ensure the security of smart cars against cyber threats.

ENISA Report - Cybersecurity Stocktaking in the CAM

ENISA Tool - Good practices for IoT and Smart Infrastructures - Smart Cars

ENISA Report - Good Pactices for Security of Smart Cars

ENISA Report - Cyber Security and Resilience of Smart Cars

Press Contact

For questions related to the press and interviews, please contact press (at) enisa.europa.eu.

 

Stay updated - subscribe to RSS feeds of both ENISA news items & press releases!

News items:

http://www.enisa.europa.eu/media/news-items/news-wires/RSS

PRs:

http://www.enisa.europa.eu/media/press-releases/press-releases/RSS

We use cookies on our website to support technical features that enhance your user experience.
We also use analytics. To opt-out from analytics, click for more information.

I've read it More information