Latest news: cybersecurity in the auto industry

Ferrari has announced that Ferrari S.p.A., its wholly-owned Italian subsidiary, was recently contacted by a threat actor with a ‘ransom demand related to certain client contact details’.

In a statement, the luxury sports brand said it “immediately started an investigation in collaboration with a leading global third-party cybersecurity firm. In addition, we informed the relevant authorities and are confident they will investigate to the full extent of the law.”

The statement also said that as a matter of policy, “Ferrari will not be held to ransom as paying such demands funds criminal activity and enables threat actors to perpetuate their attacks.”

The statement added: “Instead, we believed the best course of action was to inform our clients and thus we have notified our customers of the potential data exposure and the nature of the incident.

“Ferrari takes the confidentiality of our clients very seriously and understands the significance of this incident. We have worked with third party experts to further reinforce our systems and are confident in their resilience. We can also confirm the breach has had no impact on the operational functions of our company.”

There is a clear growing demand for increased cybersecurity in the automotive industry. The United Nations Economic Commission for Europe (UNECE) responded by issuing a new regulation (UN Regulation No. 155) for vehicle Cyber Security Management System. This covers risk and security assessment, threat detection, and vulnerability monitoring over the entire vehicle lifecycle. In consequence, the automotive industry is implementing a mandated cybersecurity standard (ISO/SAE 21434) that applies not only to car manufacturers, but also to all vehicle cybersecurity suppliers such as Thales.

Thales says the ISO certification ensures it offers solutions with the highest level of security for car makers, integrators, and by extension users, and this starting from the vehicle’s development. It outlines the many procedures that should be followed to secure road vehicle cybersecurity. As a result, it is claimed this certification demonstrates that the complete process of developing Thales cyber solutions has been evaluated and certified. Identifying the vehicle's cybersecurity needs, designing and implementing cybersecurity measures, and continuously monitoring and updating the cybersecurity system are all part of the proven expertise, Thales says.

By default, Thales' 'security-by-design' approach is applied to all its onboard solutions and services designed, built, and implemented in cars. This comprises embedded secure elements, credentials management and storage, authentication systems, firmware update and much more. It establishes strict vulnerability monitoring and risk assessment for a secure future-proof maintenance.

Furthermore, this certification reinforces the trust that Thales provides in the data management throughout the connected vehicle's lifecycle. This is crucial because car makers must provide remote application and embedded device upgrading, patching, and improvement in connected vehicles. This data protection capability protects vehicles from cyberattacks while also increasing customer trust in the +300 million connected cars expected by 2027.

VicOne, an automotive cybersecurity specialist, has announced a collaboration with NXP Semiconductors and Inventec that it says has led to an integrated, real-time cybersecurity solution for emerging software-defined vehicles (SDVs).

Powered by NXP's S32G vehicle network processor, Inventec's vehicle Central Gateway (CGW) is integrated with VicOne's cybersecurity software solutions. The built-in security delivers a turnkey solution that improves overall system compatibility and performance for automotive original equipment manufacturers (OEMs) and their suppliers, to promote scalability and streamline go-to-market activities. Plus, the integration aligns strongly with the automotive industry’s emerging compliance requirements, such as the ISO/SAE 21434 standard for cybersecurity engineering.

By combining VicOne's automotive cybersecurity solutions with Inventec's Central Gateway based on NXP's S32G vehicle network processor, the end-to-end solution delivers crucial capabilities for combatting constantly evolving cyber threats:

• Real-time deep-packet inspection (DPI) and detection of malicious traffic in vehicle networks 
• Analysis with comprehensive visibility for identifying threats and proactively searching for potential risks 
• Response via unique “virtual patching” for protection without code changes or firmware updates 

“The automakers and suppliers who rapidly evolve software can claim decisive competitive advantages, but the complex and interconnected nature of today’s SDVs raises the importance of cybersecurity considerations,” said Edward Tsai, vice president of strategic partnership, VicOne. “The integrated solution resulting from our partnership with NXP and Inventec enables the automotive industry to more simply and seamlessly implement robust capabilities from respected, established solutions providers and future-proof for emerging risks.”

"Collaboration between companies to offer solutions leveraging complementary expertise and technologies is crucial to help accelerate the software-defined vehicle development,” said Brian Carlson, global marketing director for vehicle control and networking solutions at NXP. “The Inventec Central Gateway leveraging the NXP S32G processor’s powerful compute, networking and security capabilities, and integrated with VicOne’s dynamic security software, offers an attractive solution to address ever-evolving, vehicle cybersecurity threats.”