Cybersecurity for cars: the responsibility of manufacturers and drivers

These days, modern cars are always-connected electronic devices that collect and process large quantities of data. That makes it increasingly important to protect cars in this regard. This is mainly the manufacturer’s responsibility, but users have to exercise caution as well.

28. 3. 2024 Škoda World

In recent years, car producers have had to assimilate another field of expertise: cybersecurity for their products and the IT ecosystem they exist in. After all, cars today generate, process and even transmit a lot of data. And this can be a source of vulnerability.

Škoda certainly takes cybersecurity seriously. It not only develops security systems for its infrastructure that go beyond the mandatory requirements, it implements secure systems in cars, trains employees, and above all it educates its products’ users, i.e. car drivers. “It’s a fact that, in the vast majority of cases, the weakest link in car security is the human factor,” explains František Vlasta, project manager in charge of implementing UNECE regulations at Škoda.

Even the most modern infotainment system needs regular updating to remain secure.

Secure passwords are crucial

The same security guidelines apply to cars and related digital services as to all other user electronic devices like mobile phones or computers. “The cornerstone of car cybersecurity, for example, is not to refuse software updates in the infotainment system,” advises František Vlasta, adding, “Wherever possible, use two-factor authentication for user accounts such as Škoda ID. Use secure passwords and don’t write them down on a piece of paper or save them as a text file on your computer, and don’t share your passwords with anyone. Use a trusted administrator to store your passwords.” It’s also important to ensure apps and devices that are connected to your car are kept up to date, otherwise these could be a gateway for vulnerabilities.

If, despite all these precautions, you suspect your car has started to behave unusually, stay calm. “Safely park the car and contact the helpline or service centre,” František Vlasta advises. Unusual car behaviour will usually be caused by other factors than cybersecurity issues. Even so, if you do suspect something, it’s never a bad idea to change the passwords to your accounts and services associated with the car.

Attacks on infrastructure

In fact, attacks on individual cars are rare, and usually occur in the controlled environment of demonstrations and workshops by cybersecurity experts seeking to highlight the importance of this issue. These demonstrations clearly show how important car cybersecurity is, however.

The overwhelming majority of cyber attacks involve attempts to hack into the IT infrastructure itself, which contains user data and handles the operation of various services and car systems. Having said that, the possibility of targeting individual cars does exist and we need to be prepared to defend ourselves in such an event. Like other manufacturers, Škoda has to follow the UNECE regulations, which set the basic rules for automotive cybersecurity.

If your car is behaving unusually, it’s a good idea to park it and call a service.

The regulations require car manufacturers to ensure that the car’s control units are protected against unauthorised external interventions, for example, and to ensure that software updates and car repairs are still available ten years after the production of a given model ends if users face any functional risk with regard to cybersecurity. As a result, the rules entail changes in the way cars are both developed and manufactured.

What is UNECE?

The acronym UNECE is often heard in connection with car cybersecurity. It refers to the United Nations Economic Commission for Europe. This body has a significant influence on international standards in transport security, and in recent years the UNECE has issued two regulations relating to automotive cybersecurity that all manufacturers have to comply with. The CSMS (Cyber Security Management System) regulation requires manufacturers to ensure that cars are protected from cyber attacks and software hacking. The SUMS (Software Update Management System) regulation focuses on software updates and makes it mandatory to ensure and document cars’ compliance with the homologation regulations even after software updates.