Against the backdrop of the increasing discussion, and at times hype, surrounding connected and automated driving, the amount of concern regarding emerging issues is rising amongst all stakeholders in the automotive sector. Aside from issues such as those relating to liability, societal acceptance and safety, which are well noted, there remains an urgent need to address potential problems from a cyber security perspective.
The global automotive industry has been actively engaging with this issue over recent years. In Europe, ACEA, the European Automobile Manufacturers Association, published a set of principles of automobile cybersecurity in October 2017, seeking to outline present and future threats as well as suggesting necessary actions to mitigate against them. Akin to OEMs, policymakers too are considering the subject, but are largely posing more questions than they are providing answers. Undoubtedly, this reality is underpinned by one of the most challenging aspects of planning for the future mobility landscape, the vivid uncertainty of the known unknowns.
Presently, the most meaningful action remains at UN level where guidelines for the protection of vehicles versus cyberattacks have been developed via the World Forum for Harmonization of Vehicle Regulations (WP 29). On a regional basis, Japan and the USA are leading the way. In 2017, the USA brought in the Self Drive Act, requiring manufacturers to form cybersecurity plans and follow guidelines on best practices authored by SAE, in cooperation with the National Highway Traffic Safety Administration. While in Japan, the Cybersecurity Basic Act was introduced as far back as 2014. Furthermore, other Asian countries, such as the United Arab Emirates and Singapore are too taking sizable steps in the right direction.
In Europe, a sector specific approach does not exist presently and the continent is lagging behind comparatively. In recent year important steps have been taken at an EU level from a regulatory perspective to address this, of which the Amsterdam Declaration (2016) is a prime example. However, much like the aforementioned industry guidelines it is a declaration as opposed to a concrete roadmap. The Amsterdam Declaration does bear some significance from a standardisation perspective, including a statement that common trust models and certification policies should be developed to present risks and support cybersecurity. Furthermore, the European Standards Organisations are too making progress. In November, CEN-CENELEC will host an event on standardisation and autonomous land, sea and air mobility with particular consideration for safety and security.
Overall, the discussions are undoubtedly gaining momentum, visibility and importance among the relevant stakeholders on a global level. However, so too, arguably, is the uncertainty regarding the necessary proactive next steps. Crucially, the lack of coherent legislation may lead to a divergence in vehicle standards and a consequential further complication of matters in the long-term. Currently, what remains clear is that as connected and autonomous vehicles become closer and closer to attaining and maintaining a visible share amongst the global fleet, the window to address potential cybersecurity issues proactively is rapidly dwindling.